How to use SSL properly?

Forum Moderators: buckworks

Message Too Old, No Replies

How to use SSL properly?

to prevent seeing the dreaded IE message

penstaar

7:02 am on Jan 23, 2007 (gmt 0)

Hi there,

We have set up a shopping cart and we collect payment data on a secure page. With this system, the data is then sent to the database which is stored on our regular web server. In order for the data to be sent and the purchase confirmed, we need to therefore switch from https to http as the Thank you page is being displayed.

So on IE with the high security setting, some customers have complained about the message saying "You are about to leave a secure internet connection". It will be possible for others to view information you send."

If a customer hits "No" then the order doesn't go through.

How can we work around this?

Thanks in advance!

ectect

7:46 am on Jan 23, 2007 (gmt 0)

Is it not possible to put the thanks page on the secure server?

Corey Bryant

4:10 pm on Jan 23, 2007 (gmt 0)

Why do you have to post the data to http? Some would say this is not fully secure and might cause problems

-Corey

FalseDawn

6:17 am on Jan 24, 2007 (gmt 0)

I don't think the OP is posting to a non-secure page. The usual process is to have the (secure) "order confirmation" screen post back to itself (which is secure), the same page then validates the transaction before redirecting to a "Thank You" screen.
If the thank you page is not secure, you will get the warning, even though no data is being POSTed.

ectect has given you the correct solution - make the Thank You page secure as well.

artsgraphica

5:14 pm on Jan 25, 2007 (gmt 0)

I agree, putting the thank you page on the secure server would work but remember to also include your images otherwise you get the

'This page contains both secure and unsecure items. Do you want to continue' Message

ag(*)

rocknbil

12:29 am on Jan 26, 2007 (gmt 0)

We have set up a shopping cart and we collect payment data on a secure page. With this system, the data is then sent to the database which is stored on our regular web server. In order for the data to be sent and the purchase confirmed, we need to therefore switch from https to http as the Thank you page is being displayed.

I am presuming you have no control over the secure server itself, or you would have most likely done as mentioned, simply moved the final thank you page, which apparently triggers the order completion, to the secure server.

I am also guessing that the secure payment system will have a notification function somewhere. An example is payPal's IPN (Instant Payment Notification.) What you do is find some variable that will pass-through to the notification. When a payment is made, the notification function notifies a program or link on your site, and the thank you page ceases to be necessary to complete the transaction.

Example:
1. Check out page: "enter your email address, be sure the email address is the same one you will enter when making payment."
2. Data is stored before going to processor (example, payPal.)
3. On secure server, CC info and email address are entered, or preferably, email address is passed through.
4. On payment complete, the notification function (in payPal, IPN) sends a notification to the URL you specify (example, payment-complete.cgi.) payment-complete.cgi verifies the notification, uses the emal address to look up the order, complete the transaction, and send email receipt to the customer and notification to you.

Now, when they return to the thank-you page, it's just an HTML receipt. :-)