Using GeoTrust SSL Digital Certificate

[talbot649]

Hi there,

 

I manage 3 oscommerce stores currently, and all three have SSL digital certificates working with them.

 

On all sites I received the 'this page contains both secure and nonsecure items' warning, and managed to correct it on one site by tinkering with the Google Analytics code. I have also confirmed that no images on the pages are linking via a long http://... path, just '/images/example.jpg'

 

The other two sites however, still display the warning, despite having the correct Analytics code. It's no coincidence, I'm sure, that these two sites have the GeoTrust Digital Certificate and the third one (which works fine) does not.

 

On GeoTrust's website they mention the following:

 

"Cause

 

This error message occurs if you are using nonsecure Frames, which usually reside on a nonsecure http directory on your server. So an HTTPS session will not show the lock with the unsecured frames even though the page is secure(its a bug in the browsers).

Resolution

 

In order to resolve your problem please perform the steps below:

 

Please make sure that you are accessing your frame (if frames are being used) via HTTPS. The padlock will not display if you reference the frame using non-secure HTTP as the browser checks to make sure that all the contents displayed on the page come from a secure location.

 

If you want the padlock displayed on your secure page you can choose not to use frames or source the frames from the domains main directory on your server. Also check that any images or banners are being sourced from your secure directory as they are usually sourced from a non-secure http sub directory. Once this has been done you will be able to reference all your pages through https without the warning prompt."

 

I'm very much a beginner with php and was wondering if anyone could shed any light on how to do what GeoTrust suggest?

[germ]

You get the non-secure pop-up if you have scripts or images from HTTP sources.

 

Another place to look is hard coded HTTP links to images in the stylesheet.

 

Those are SSL killers, too.

;)

 

If you can't find the problem, you can post or PM me the URLs and I'll take a peek if you like.

[talbot649]

Thanks,

 

I've scoured the files for any http:// reference and there is only one (as far as I can tell) on the Google checkout return page, and as the problems occur right back at the Create an Account section I wouldn't have thought this one would be the problem?

 

The URLs are:

 

http://www.hor-i-zon.com/catalog/ - no warning message

http://www.propertysupplies.co.uk/

http://www.basecanvasprints.com/catalog/

 

I really appreciate your offer of help

[germ]

It has nothing to do with images.

 

Look at the HTML source on a "secure" page for the sites that don't work, specifically this line in the <HEAD> section:

 

<base href="http://blah blah/">

Note that it's still http when it should be https.

 

First, check your /includes/configure.php file, this line:

 

  define('HTTPS_SERVER', 'https://blah-blah.com'); // eg, https://localhost - should not be empty for productive servers

Be sure you have https in your URL.

 

Then, in the same folder where the configure file is there is a FOLDER named local. Sometimes there is a configure.php file in the local FOLDER.

 

If it's there check the define for HTTPS_SERVER in it.

 

If there is no configure file in the local FOLDER that's OK, too. Do't worry about it.

 

The next thing that can cause this is if osC isn't recognizing the cue from the server that SSL is active.

 

That's determined in /includes/application_top.php around line 41.

 

Standard osC code has this:

 

// set the type of request (secure or not)
 $request_type = (getenv('HTTPS') == 'on') ? 'SSL' : 'NONSSL';

If you're on 1and1 Hosting, this usually works:

 

// set the type of request (secure or not)
 $request_type = (getenv('HTTPS') == '1') ? 'SSL' : 'NONSSL';

If it's a Windows server, try this:

 

// set the type of request (secure or not)
 $request_type = ($_SERVER['HTTPS'] == 'on') ? 'SSL' : 'NONSSL';

If neither of those are true for you try this:

 

// set the type of request (secure or not)
$request_type = (getenv('SERVER_PORT') == '443') ? 'SSL' : 'NONSSL';

Always backup before making any edits.

 

Let me know how things go.

[germ]

bump past a spammer

[talbot649]

Wow - that was amazing!

 

Thank you so much for taking the time to look through this - using the 1and1 suggestion in application_top worked first time!

 

There's a fair few other threads complaining about the 'This page contains both secure and nonsecure items...' warning - try this solution!!!

 

Thanks again.