
Need some advice...

Hi everyone,

For the past four months I've been working on a retail website. Built it from scratch, including the shopping cart, which uses a MySQL database indexed by session id. All the pages in the site are PHP. Everything was running smoothly, until I installed the credit card payment code.

I opened a merchant account with Linkpoint and they supplied the gateway. I didn't like the Firefox "your data is unencrypted" warning messages the user got when clicking the 'submit payment' button (didn't get the message on I.E. for some reason), so I bought and installed an SSL certificate from Verisign. Here's where the problems began...

I had to make the payment page secure, so all links pointing to it were changed from http: to https: (I just assumed this is how to make the site secure?) This wreaked havoc with the shopping cart, because I soon learned, much to my dismay, that switching from an unsecured to a secured page starts a whole new session... thereby generating a whole new session id. So I then made the entire shopping cart secure, along with all the php pages relevant to it. Half the site is now http, half is https.

But because almost all the pages in my site are based upon a template, there are certain link references in the template (to the background image, for example) that are not secure. This triggers a beautiful new I.E. warning message: "This page contains both secure and non-secure items. Do you want to display the non-secure items?" whenever the user goes from the non-secure to the secure part of the site. (Ironically, this message doesn't happen in Firefox).

Obviously these warnings can be turned off in the browser settings, but I don't want potential buyers coming to my site to get spooked. I need the warnings not to show up at all.

At this point I am considering making the entire site secure. A few questions:

1) Is this a good idea? Are there any other options?

2) Is this as easy as just changing all links/references to the site from http: to https: or is there more to it than that?

3) If the user googles my website and arrives at the index page, they're getting to an http: url instead of an https: one. Does the www.mywebsite.com/index.php page exist in both the http: and https: world? (I know that question sounds stupid...) and how do I direct them to the https: page to start off?

4) The template code relating to the background image for example:

    body {
        background-image: url(Images/background7.jpg);
    }

If I hardcode the background-image to an absolute link, would I use the https: extension? I'm kinda confused, as this is the first time I'm dealing with secure sites.

Any advice would be appreciated. Thanks in advance!
Jan 5 '08 #1
It can be confusing. But your best bet is to try to use relative URLs to get rid of the warning. You want to use as little https as possible, because it's slow and it puts a lot of load on the server. However, the form and the page the form is submitting to should always be https to reassure the shopper. This page describes it pretty clearly: http://www.aspdeveloper.net/tiki-index.php?page=HTMLTipsSSLNonSecureWarning

The real problem sounds like this session thing. Is it possible to switch to a GET-based session when transferring to https? I'm surprised cookie-based sessions don't transfer if it is the same domain name and the same server.
Jan 7 '08 #2
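
An added example, not part of the thread: one way to serve the whole site over HTTPS, as the question considers, by redirecting every http: request to its https: equivalent and marking the session cookie Secure so the cart's session id never travels in the clear. It assumes TLS terminates on the PHP server itself (behind a proxy, `$_SERVER['HTTPS']` may not be set); `CANONICAL_HOST` and the function names are hypothetical.

```php
<?php
// Added example, not code from the thread. Include at the top of every page,
// before any output, so the whole site uses HTTPS and a single session.

// Assumption: the site's canonical host name (placeholder from the question).
const CANONICAL_HOST = 'www.mywebsite.com';

// True when the current request arrived over TLS.
function request_is_https(array $server): bool
{
    $https = strtolower((string)($server['HTTPS'] ?? ''));
    return ($https !== '' && $https !== 'off')
        || (int)($server['SERVER_PORT'] ?? 0) === 443;
}

// Build the https:// equivalent of the requested URL. The host comes from the
// constant, not from the client-supplied Host header, so the redirect cannot
// be steered to another site.
function https_equivalent(array $server): string
{
    $path = (string)($server['REQUEST_URI'] ?? '/');
    if ($path === '' || $path[0] !== '/') {
        $path = '/';
    }
    return 'https://' . CANONICAL_HOST . $path;
}

if (!request_is_https($_SERVER)) {
    // Permanent redirect: visitors arriving from a search result on http:
    // land on the same page over https:.
    header('Location: ' . https_equivalent($_SERVER), true, 301);
    exit;
}

// Secure: the cookie is only ever sent over HTTPS. HttpOnly: page scripts
// cannot read it. The array form requires PHP 7.3 or later.
session_set_cookie_params([
    'lifetime' => 0,
    'path'     => '/',
    'secure'   => true,
    'httponly' => true,
    'samesite' => 'Lax',
]);
session_start();
```

With every page on https:, relative references such as `url(Images/background7.jpg)` inherit the page's scheme and do not trigger the mixed-content warning.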
