Unencrypted connection, please help

[subtleinstrument]

Every thing I change to fix one problem seems to create another one.

Now that I've got the HTTP vs HTTPS problem sorted out, I found out that our checkout pages aren't secure.

When we sign in to OSCMax Admin, we get a message that says,

\"Although this page is encrypted, the information you have entered is to be sent over an unencrypted connection, and could easily be ready be a third party. Are you sure you want to continue sending this information?\"

If we log in, we get the OSCMax admin panel, but we have no \"secure connection\" in our browser, and the OSCMax admin page includes the message \"You are not protected by a secure SSL connection.\"

Even worse:

When people on our OSCMax shopping cart try to check out (or do anything else that sends them to an HTTPS page), we get a "Warning: contains unauthenticated content" message from Firefox.

The page info says:

"Connection Partially Encrypted
"Parts of the page you are viewing were not encrypted before being transmitted over the Internet.
"Information send over the Internet without encryption can be seen by other people while it is in transit."

This is going to make our customers doubt our security.

Here's Includes/configure.php

PHP Code:

  define('HTTP_SERVER', 'http://www.artofloving.ca'); // eg, http://localhost - should not be empty for productive servers
//  define('HTTP_SERVER', 'https://www.artofloving.ca'); // eg, http://localhost - should not be empty for productive servers
  define('HTTPS_SERVER', 'https://www.artofloving.ca/'); // eg, https://localhost - should not be empty for productive servers
//  define('HTTPS_SERVER', 'https://www.artofloving.ca'); // eg, https://localhost - should not be empty for productive servers
  define('ENABLE_SSL', true); // secure webserver for checkout procedure?
//  define('HTTP_COOKIE_DOMAIN', 'http://www.artofloving.ca');
//  define('HTTP_COOKIE_DOMAIN', 'https://www.artofloving.ca');
//  define('HTTPS_COOKIE_DOMAIN', 'https://www.artofloving.ca');
//  define('HTTPS_COOKIE_DOMAIN', 'https://www.artofloving.ca/');
  define('HTTP_COOKIE_DOMAIN', 'www.artofloving.ca');
  define('HTTPS_COOKIE_DOMAIN', 'www.artofloving.ca');
  define('HTTP_COOKIE_PATH', '/');
  define('HTTPS_COOKIE_PATH', '');
//  define('HTTPS_COOKIE_PATH', '/');
  define('DIR_WS_HTTP_CATALOG', '/');
  define('DIR_WS_HTTPS_CATALOG', '');
//  define('DIR_WS_HTTPS_CATALOG', '/');
  define('DIR_WS_IMAGES', 'images/');
  define('DIR_WS_ICONS', DIR_WS_IMAGES . 'icons/');
  define('DIR_WS_INCLUDES', 'includes/');
  define('DIR_WS_BOXES', DIR_WS_INCLUDES . 'boxes/');
  define('DIR_WS_FUNCTIONS', DIR_WS_INCLUDES . 'functions/');
  define('DIR_WS_CLASSES', DIR_WS_INCLUDES . 'classes/');
  define('DIR_WS_MODULES', DIR_WS_INCLUDES . 'modules/');
  define('DIR_WS_LANGUAGES', DIR_WS_INCLUDES . 'languages/'); 


and here's Admin/Includes/configure.php

PHP Code:

 define('HTTP_SERVER', 'http://www.artofloving.ca'); // eg, http://localhost - should not be empty for productive servers
  define('HTTP_CATALOG_SERVER', 'http://www.artofloving.ca');
  define('HTTPS_CATALOG_SERVER', 'https://www.artofloving.ca/'); // needs a trailing "/" ?
  define('ENABLE_SSL_CATALOG', 'true'); // secure webserver for catalog module
  define('DIR_FS_DOCUMENT_ROOT', 'D:/home/shw3_005/artofloving.ca/public_html/'); // where the pages are located on the server
  define('DIR_WS_ADMIN', '/admin/'); // absolute path required
  define('DIR_FS_ADMIN', 'D:/home/shw3_005/artofloving.ca/public_html/admin/'); // absolute pate required
  define('DIR_WS_CATALOG', '/'); // absolute path required
  define('DIR_FS_CATALOG', 'D:/home/shw3_005/artofloving.ca/public_html/'); // absolute path required
  define('DIR_WS_IMAGES', 'images/');
  define('DIR_WS_ICONS', DIR_WS_IMAGES . 'icons/');
  define('DIR_WS_CATALOG_IMAGES', DIR_WS_CATALOG . 'images/');
  define('DIR_WS_INCLUDES', 'includes/');
  define('DIR_WS_BOXES', DIR_WS_INCLUDES . 'boxes/');
  define('DIR_WS_FUNCTIONS', DIR_WS_INCLUDES . 'functions/');
  define('DIR_WS_CLASSES', DIR_WS_INCLUDES . 'classes/');
  define('DIR_WS_MODULES', DIR_WS_INCLUDES . 'modules/');
  define('DIR_WS_LANGUAGES', DIR_WS_INCLUDES . 'languages/');
  define('DIR_WS_CATALOG_LANGUAGES', DIR_WS_CATALOG . 'includes/languages/');
  define('DIR_FS_CATALOG_LANGUAGES', DIR_FS_CATALOG . 'includes/languages/');
  define('DIR_FS_CATALOG_IMAGES', DIR_FS_CATALOG . 'images/');
  define('DIR_FS_CATALOG_MODULES', DIR_FS_CATALOG . 'includes/modules/');
  define('DIR_FS_BACKUP', DIR_FS_ADMIN . 'backups/');
  define('DIR_FCKEDITOR', DIR_FS_CATALOG . 'FCKeditor/');
  define('DIR_WS_FCKEDITOR', DIR_WS_CATALOG . 'FCKeditor/'); 


Please help. Thanks in advance.

[michael_s]

1. You have to change the configure.php for your admin panel to use ssl.

change this:

PHP Code:

define('HTTP_SERVER', 'http://www.artofloving.ca'); 


to this:

PHP Code:

define('HTTP_SERVER', 'https://www.artofloving.ca'); 


That will get your admin panel using ssl.

Quote:

When people on our OSCMax shopping cart try to check out (or do anything else that sends them to an HTTPS page), we get a "Warning: contains unauthenticated content" message from Firefox.

This means you are calling images or javascript with a hardcoded url. You need to use a relative path to all your image. It will be in your customization, not the default code. So, any graphics or javascript you added need to use relative paths and NOT full urls.

[subtleinstrument]

Quote:

Originally Posted by michael_s

1. You have to change the configure.php for your admin panel to use ssl.

change this:

PHP Code:

define('HTTP_SERVER', 'http://www.artofloving.ca'); 


to this:

PHP Code:

define('HTTP_SERVER', 'https://www.artofloving.ca'); 


That will get your admin panel using ssl.

That worked great. Thank you!

Quote:

Originally Posted by michael_s

This means you are calling images or javascript with a hardcoded url. You need to use a relative path to all your image. It will be in your customization, not the default code. So, any graphics or javascript you added need to use relative paths and NOT full urls.

We're still having problems with that. We haven't done anything to DIR_WS_IMAGES or DIR_WS_ICONS, and this problem didn't exist before we started fiddling with HTTP_SERVER and the like.

[michael_s]

Can you send me a url to the page popping the error?

[subtleinstrument]

Go to Loading...

Select anything, put it in the shopping cart and try to check out. You'll get a "Welcome, please sign in" page (https://www.artofloving.ca/login.php), which is an HTTPS page, but Firefox displays a padlock with a red slash through it in the lower right corner. The warning is "Content Partially Encrypted"

If you log in, you get the checkout procedure pages, but they're insecure HTTP pages, not HTTPS.

[subtleinstrument]

After considerable headbanging, I and our tech consultant figured out what needed to be changed so that the checkout pages stopped giving "partial encryption" warning messages.

Actually, the solution wasn't in either of the configure.php files, but in /includes/application_top.php The problem was that the graphics and other files the https page was calling weren't secure, so the browser gave insecure warnings.

comment out

PHP Code:

$request_type = (getenv('HTTPS') == 'on') ? 'SSL' : 'NONSSL'; 


and replace with

PHP Code:

$request_type = (eregi ($HTTP_HOST, HTTPS_SERVER)) ? 'SSL' : 'NONSSL'; 


That apparently made everything work the way it should.

This may have had something to do with our hosting service upgrading to a new version of PHP a couple of weeks ago.

[michael_s]

Beat me to it! Different servers report ssl differently, and this is what you are running up against. There is no standard response string, and if osCMax doesn't get what it is expecting, you get no switch for your images.

Glad you found it!