Posting in the Magento forums has been disabled pending the implementation of a new and improved forum solution which should better serve the community.

For new questions please post at magento.stackexchange.com, the community-run support site for the Magento community. We will be providing updates on the new forum solution soon. For questions or concerns please email community@magento.com.

Magento Forum

nonsecure links (http) while magento runs secure (https)
 
chillzz
Jr. Member
 
Total Posts:  5
Joined:  2009-04-02
Netherlands
 

I have found a problem (bug?) in magento 1.3.1.

we’ve setup multiple websites/shops in the magento environment, both nonsecure and secure should work.
and it does, when the website is visited with the http protocol it works like a charm,
however when it is visited with the https secure protocol i see some glitches.

MyAccount and Login links are showed as https://
My Wishlist, Cart, Checkout all CMS links and all category links are showed as http://

Setup in the magento admin :

for Unsecure BaseUrl ofcourse the http://

{{unsecure_base_url}}
{{unsecure_base_url}}skin/
{{unsecure_base_url}}media/
{{unsecure_base_url}}js/

for Secure BaseUrl ofcourse the https://

{{secure_base_url}}
{{secure_base_url}}skin/
{{secure_base_url}}media/
{{secure_base_url}}js/

use safe urls for frontend : yes

Magento reads the secure skin/ media/ and js/ perfectly because the layout works like a charm, but why doesn’t it give the appropriate links for the above mentioned links ?

setting the unsecure_base_url to https:// isn’t an option, since it has to serve both secure and non secure.

what to do ?

greetingz ChillZZ

 
Magento Community Magento Community
Magento Community
Magento Community
 
dcorrell
Jr. Member
 
Total Posts:  21
Joined:  2008-07-28
 

Thanks Chill,
I too am having this issue, and I’m not sure what the problem is!  I’ve been searching around to no avail. If anyone has any ideas, please let us know!

Magento ver. 1.3.1

 
Magento Community Magento Community
Magento Community
Magento Community
 
Rich Cleverley
Sr. Member
 
Avatar
Total Posts:  285
Joined:  2009-01-20
 

I ‘ve been looking at this after you mentioned it.

My Account seems to be an https link which is good.  Checkout is a weird one as the link itself is plain http but when you go to checkout (presuming you have items in your basket) then it does actually go to a secure page.  Presumably it just checks when you actually enter the page and it redirects accordingly.

We had a chat yesterday here at work and came to the conclusion that things like the catalogue etc. are probably best served up as plain http rather than https as they are not dealing with anything that really needs to be secure.  The overhead of having these running secure doesn’t seem to be worth taking so we are happy with it that way.

 
Magento Community Magento Community
Magento Community
Magento Community
 
chillzz
Jr. Member
 
Total Posts:  5
Joined:  2009-04-02
Netherlands
 

things like the catalogue etc. are probably best served up as plain http rather than https as they are not dealing with anything that really needs to be secure.  The overhead of having these running secure doesn’t seem to be worth taking so we are happy with it that way.

I agree on that, but:
- Consistency: when you pick https it should be https all over, not a mix

- Setting “use safe urls for frontend : yes”, why is this included then, since it has no use whatsoever

- It might scare of users if they are bumped from secure to non secure and vice versa,

we are talking about customers who are willing to order and leave their personal info at an e-commerce website.
Although the personal data and payments are secure, its just looks really strange and might scare them off, since its setup like that.

 
Magento Community Magento Community
Magento Community
Magento Community
 
VHA
Member
 
Total Posts:  41
Joined:  2008-06-21
Atlanta
 

I agree with chillzz, I have a Confirmation Payment module(based on Contacts module),which the customer will send some bank information that needs to be a secure connection.

 
Magento Community Magento Community
Magento Community
Magento Community
 
Rich Cleverley
Sr. Member
 
Avatar
Total Posts:  285
Joined:  2009-01-20
 

Since yesterday I have come to the same conclusion too.  Mainly because I need to have an iframe that processes 3DSecure transactions.  All fine and good if the the transaction is successful as it stays https but if the transaction is a falure it goes back to the cart which in turn should be able to manipulate the parent window.  Of course, because the cart page is plain http the browser security module messes up and won’t allow me to do anything to my https parent window.  Not good!

 
Magento Community Magento Community
Magento Community
Magento Community
 
chillzz
Jr. Member
 
Total Posts:  5
Joined:  2009-04-02
Netherlands
 

iFrame big surprise  bad! wink

well if you have to do it, you have to do it. but rather stay far away from it and use another method ( like redirects or something )

But back on the main issue.
Our company is looking for the option of an Extended Validation SSL certificate ( the green browser bar ) instead of just the padlock.
This is to make people aware of the secure environment.  When it switches back to http, the green bar would be gone. BAD!

 
Magento Community Magento Community
Magento Community
Magento Community
 
Rich Cleverley
Sr. Member
 
Avatar
Total Posts:  285
Joined:  2009-01-20
 
chillzz - 07 May 2009 12:32 PM

iFrame big surprise  bad! wink

well if you have to do it, you have to do it. but rather stay far away from it and use another method ( like redirects or something )

Tell me about it!!  I don’t like the things and would much prefer to not have them.  Unfortunately 3DSecure being what it is, it is far better to have it in an iframe.  The fact that if using redirects, the customer is sent off to a url that has no obvious connection with their card issuer/bank and so gets very nervous about whether they are entering their 3D Secure password into a genuine site or not, is not a good thing but something we have to put up with because of banking rules.

At least with an iframe it has the appearance of staying on your site (although we do inform our customers of what is actually happening to put everyones minds at rest).  Believe me, if we could do it without an iframe we most certainly would!!

But back on the main issue.
Our company is looking for the option of an Extended Validation SSL certificate ( the green browser bar ) instead of just the padlock.
This is to make people aware of the secure environment.  When it switches back to http, the green bar would be gone. BAD!

Afain, this is a public perception issue and I agree that jumping around between secure and unsecure is not something I like (and forget what I mentioned in my first post about the overhead etc.  I’d rather have customers feel safe and actually shop with us than worry about a small amount of overhead).

I’m having a look at the code to see where the decision is made as to what should be secure and what shouldn’t and will post any findings.

 
Magento Community Magento Community
Magento Community
Magento Community
Magento Community
Magento Community
Back to top