Security Error when leaving secure "order thanks page" to non-SSL page

Forum Moderators: buckworks

Message Too Old, No Replies

Security Error when leaving secure "order thanks page" to non-SSL page

Jeremy_H

3:34 am on Jun 30, 2006 (gmt 0)

I have my website setup so the user adds items to their cart over a non-secure connection.

I need the user to add items on a non-secure connection since I use image upload previews to show a user-specified local file on their hard drive before they upload it. The user must be using a non-secure connection or they will get a security warning.

Then, once they start the checkout they are switched over to a secure https:// connection.

Once the purchase is complete, they are taken to a "Thanks" page. They are still on the secure connection.

The thing is, if they are in Internet Explorer, if they click a link anywhere on this page they will get a security warning. I need these links to be non-secure in-case they try to make a second purchase, and I don't want them to get an error at that point in the cycle.

Is there anything I can do to prevent this? Should I not have any links on this page? Should I just realize there is nothing I can do about this?

Thanks for any advice.

FalseDawn

4:17 am on Jun 30, 2006 (gmt 0)

There is an option in IE to display a warning when moving from secure to non-secure pages and vice versa (advanced tab, 2nd from bottom on IE6)

If this option is set in the browser, there's not much you can do about it. I think the default is for it to be off, though.

If this isn't the cause of the warning, then you have a configuration issue. Your links aren't trying to do a POST at all, are they?

john_k

4:55 am on Jun 30, 2006 (gmt 0)

they will get a security warning.

Exactly what is the warning message? Does it state that the user is about to be directed to a non-secure page? Or does it state that some items on the page are non-secure?
If it is the former, then FalseDawn is correct, this is due to a browser setting. If the user is getting this, then they are probably used to it since many websites are setup as you describe.
If it is the latter, then it is because you are referencing some images or other resources via http instead of https.

I think the default is for it to be off, though.

The default is that the warning is on. However, there is a "don't ever show me this again" checkbox on it. And most people turn it off after seeing it a few times. After a few days or weeks they forget they ever had it.

Personally, I prefer to leave this setting on. I originally did this because I work on websites that use SSL and I liked having the message as confirmation that we had the links set up correctly (or a red-flag that we didn't have it right). But now I expect it to show up whenever I am entering sensitive information. I used to forget to look for the little padlock. But this message is in your face. I am very aware when it fails to show up and it has helped me to not enter information on non-SSL pages several times.