WorldPay Module for ZenCartv1.3x

[duncanad]

Hamish,

It's not necessarily a link to an image that is the problem - that was just my guess. But at least one of the links from your page should be HTTP for you to get this message so search for the string 'http://'

Have you got an URL to let me have a look?

Bummer about your PHP version!

Regards,

Alan

[BigMacYin]

Hi Alan,

Thanks for your prompt reply. My site is at www.styleforhome.co.uk.

Any help would really be appreciated.

Thanks again.

Hamish

[duncanad]

Hamish,

I did have a limited look at your site - it's live so I wasn't able to complete a transaction. I did not get the "unsecure items" meassage at an time although I did process a purchase as far as the WorldPay gateway before cancelling.

Searching the source code for 'http://' I found several links, but these are not the problem since they do not bring actual content to the page but are links away from the page. All of your image links seem to be relative so shouldn't be the cause of the problem as I understand it. The only other thing I can think of is links to actual content such as 'require' which may not be secure but to check these you will have to look at the actual files - the content, not the link to the source is shown in the source code.

This is not a Zencart or WorldPay module problem per se. For more info try a search on Google.

Sorry I can't be more specific.

All the best,

Alan

[BigMacYin]

Thanks very much for taking a look - it really is appreciated.

I did the same as you and couldn't find the issue either. I only noticed it when I was trying the site on IE7 before going live as I always use Firefox and have the warning turned off. It does actually do it for me even when I cancel a sale as well as place an order and it seems strange it doesn't do it for you - it must hate me!!

I will have a closer look when I get time but I really do appreciate you giving up your time to take a wee look - us Westies need to stick together!!

Many thanks.

Hamish

[duncanad]

Hamish,

I had been viewing your site in IE6. I have now had a look in Firefox and IE7. No problem in Firefox but in IE7 I get the same "insecure items on page" message as you. I then had a look in my own sites - same thing.

This is not a Zencart or WorldPay module problem per se.

How wrong can I be! No change there then :-o

It is actually a WorldPay Module problem. This is my understanding of what the problem is. The Callback page is not actually displayed from the Zencart host server but from the WorldPay server. WorldPay somehow take the content of the Callback page from the merchant's site and display it from within their own site as witnessed by the URL of the callback page

https://select.worldpay.com/wcc/purchase

As currently configured the link to the Merchant's site is non-secure ie http://www.mysite.com/.... This is what is causing the "insecure items on page" message although why it should only be IE7 that is picking this up I have no idea.

The reason for this goes way back to when the OS Commerce WorldPay Module was originally ported across to ZenCart. OSC at that time were not too hot on security - the main reason I chose Zencart rather than OSC. No one (including me) has picked up on this legacy issue since.

The solution is pretty simple. Just two changes to make as follows:

1. Edit includes/modules/payment/worldpay.php

Find:

Code:

$callback_url = zen_href_link(FILENAME_WPCALLBACK, $zenId);

at around line 128. Change this to:

Code:

$callback_url = zen_href_link(FILENAME_WPCALLBACK, $zenId, 'SSL');

Save the edited file to your server.

2. Login to your WorldPay account

Click 'Configuration Options' for your Select Junior installation.

Find the 'Callback URL' field and change the entry from:

Code:

http://<wpdisplay item="MC_callback">

to:

Code:

https://<wpdisplay item="MC_callback">

Click 'Save Changes'

That's it. Pretty obvious really when you think about it!

Let me know if this works for you.

Regards,

Alan

[CES]

Alan

Did not realise this problem might apply to me. I will ckeck it out on IE7 at home later.

My question is:

I do not have SSL on my site (at the moment - next thing to do after my upgade to 1.3.6). Will this solution work for me too even though I do no not have https?

Craig

[duncanad]

Craig,

You should treat installing SSL on your site as a matter of priority. Although you do not collect credit card details via your website you do collect and store customer personal details and these are being transmitted across the internet insecurely. Ask your host if they have a shared SSL certificate you can use if you don't want to invest in a certificate of your own.

To answer your question I think you will find that you will get the same response from IE7 as Hamish and I have experienced. Making the change to your includes/modules/payment/worldpay.php file will not make any difference since the 'zen_href_link()' will only return an 'HTTPS://' URL if your configuration file has SSL enabled. Making the change now, while you remember, will make ready your WorldPay module for when you have SSL set up on your site. Of course you should only make the change to the 'Callback Url' in your WorldPay account configuration once SSL is enabled on your site.

Hope this helps.

Regards,

Alan

[CES]

Thanks Alan

I shall make SSL a priority and make the changes you suggest then.

Thanks for your time on this.

Craig

[duncanad]

My apologies everyone. There is an omission in my post #85 above. There is one further change required to the includes/modules/payment/worldpay.php file.

At line 129 change this:

Code:

$worldpay_callback = explode('http://', $callback_url);

to this:

Code:

$worldpay_callback = explode('https://', $callback_url);

If you don't include this change the callback will fail.

Sorry about any confusion caused by this. If anyone knows of a way for me to edit my original post to prevent further confusion could they let me know.

Craig (and anyone else who has not got SSL set up yet),

You should NOT make any of these changes until you have SSL set up on your site.

Regards,

Alan

[CES]

Thanks again Alan.

Thought I would let you know that I've got SSL set up now :)
piece of cake really.

Although I find it strange the admin side is not 'secure' once you have logged in but I understand that will be in a future release.

I shall make the changes you suggest above.

Craig