Thread: SSL When Logging Into Cart

  1. #1
    Client
    Join Date
    May 2005
    Posts
    13
    Squirrelcart version
    v2.4.5

    SSL When Logging Into Cart

    Hello,

    I just noticed when logging into my carts the login goes to ssl instead of non-secure. I have some sites with a shared certificate and some with their own certificate and the same behaviour occurs on all:

    If logged out, and I fill in my user name and password and then click Login, the cart goes secure (https). I can change the cart to non-secure (http), but when I log out it again logs out secure.

    I am using 2.4.5, and the only patch that seemed to apply to this behaviour was fixed in this version of the cart. I never noticed this as a behaviour of the cart before, so perhaps I missed a setting or something, but I only want the user to go secure on those pages requiring transmittal of secure information (i.e. during checkout). Any suggestions on how I might correct this?

    Thanks

  2. #2
    Client
    Join Date
    Oct 2006
    Location
    Minnesota
    Posts
    45
    Squirrelcart version
    v2.4.6
    I have just gone live with our store -- www.midwestvolleyball.com -- and am experiencing this problem as well.

    Were you able to resolve the problem? If not, does anyone have any advice on how to prevent the store pages from operating in SSL mode after clicking the "login" button?

  3. #3
    Client
    Join Date
    Oct 2006
    Location
    Minnesota
    Posts
    45
    Squirrelcart version
    v2.4.6
    Okay, so I am talking out loud right now...

    login.php has the following two lines:
    $Account_Details_URL = $SC['secure_cart_page'].'?acct=1'.SID_URL_SSL;
    $Logout_URL = $SC['secure_cart_page'].'?logout=1'.SID_URL;
    It is unclear to me why the logout URL needs to be directed to the SSL domain. But another oddity is that SID_URL_SSL is used with the "account" line, whereas SID_URL is used on the "logout" line. I don't know if that was meant to be, or not.

  4. #4
    Client
    Join Date
    Oct 2006
    Location
    Minnesota
    Posts
    45
    Squirrelcart version
    v2.4.6
    Continuing my conversation...

    Maybe the initial SSL mode is not so bad after logging in, because most of the links on the page take you back to non-SSL mode, anyway. The exceptions are any "sub-category" links if you include them on your product catalog page (which I do). For some reason, those retain the SSL link! But eventually, the customer will get out of SSL mode...

    The "logout" using SSL mode is annoying because once the cart gets back into non-SSL mode, you get the "this page contains both secure and nonsecure items" prompt when you click "logout". I suspect that the "logout" link should not be in SSL mode.

    If someone could confirm this, I will change my code in login.php...

  5. #5
    Squirrelcart Staff Jamie's Avatar
    Join Date
    May 2002
    Posts
    6,719
    Squirrelcart version
    v3.3.7
    Quote:
        If logged out, and I fill in my user name and password and then click Login, the cart goes secure (https). I can change the cart to non-secure (http), but when I log out it again logs out secure.

        I am using 2.4.5, and the only patch that seemed to apply to this behaviour was fixed in this version of the cart. I never noticed this as a behaviour of the cart before, so perhaps I missed a setting or something, but I only want the user to go secure on those pages requiring transmittal of secure information

    Usernames and passwords are secure information, which is why they are sent using your secure URL.

    Quote:
        I have just gone live with our store -- www.midwestvolleyball.com -- and am experiencing this problem as well.

    This isn't a problem. It's designed this way. If you logged a customer in using your regular non secure URL, their username and password are sent in plain text, increasing the chances of that information being intercepted.

    Quote:
        It is unclear to me why the logout URL needs to be directed to the SSL domain.

    Cookies are specific to domain names. If the customer logged in with "remember me" checked, logging them in using SSL and out using a non SSL URL will cause that cookie to not be updated. That will then cause them to automatically be logged in the minute they try to access your site via SSL even if they just logged out.

    Quote:
        The "logout" using SSL mode is annoying because once the cart gets back into non-SSL mode, you get the "this page contains both secure and nonsecure items" prompt when you click "logout".

    If you are getting that message, it's not due to anything in Squirrelcart. You probably have custom code (img tags, script tags, etc...) that are referencing non secure URLs.

    Quote:
        I suspect that the "logout" link should not be in SSL mode.

    No, that's incorrect.
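
The cookie scoping described in the post above, modelled as an added example (not part of the original thread and not Squirrelcart's code). It assumes the secure and non-secure URLs are on different hostnames, as with a shared certificate; the hostnames, the `remember_me` cookie name and the token are constructed, and the cookie path is ignored for brevity.

```python
from dataclasses import dataclass, field

SECURE_HOST = "secure.sharedhost.example"  # constructed: shared-certificate SSL host
STORE_HOST = "www.store.example"           # constructed: the store's plain-HTTP host

def domain_match(host, cookie_domain):
    """RFC 6265 5.1.3: same name, or host is a subdomain of cookie_domain."""
    host, cookie_domain = host.lower(), cookie_domain.lower().lstrip(".")
    return host == cookie_domain or host.endswith("." + cookie_domain)

@dataclass
class CookieJar:
    store: dict = field(default_factory=dict)  # (name, domain, host_only) -> value

    def set_cookie(self, request_host, name, value, domain=None, expire=False):
        """Apply a Set-Cookie sent by request_host; return False if rejected."""
        if domain is None:
            key = (name, request_host.lower(), True)  # host-only cookie
        elif domain_match(request_host, domain):
            key = (name, domain.lower().lstrip("."), False)
        else:
            return False  # a host cannot set or clear another domain's cookie
        if expire:
            self.store.pop(key, None)  # only removes a cookie with the same key
        else:
            self.store[key] = value
        return True

    def cookies_for(self, request_host):
        """Cookies the browser would attach to a request for request_host."""
        host = request_host.lower()
        return {name: value
                for (name, dom, host_only), value in self.store.items()
                if (host == dom if host_only else domain_match(host, dom))}

def still_remembered(logout_host):
    """Log in on the secure host with 'remember me', log out on logout_host."""
    jar = CookieJar()
    jar.set_cookie(SECURE_HOST, "remember_me", "constructed-token")
    jar.set_cookie(logout_host, "remember_me", "", expire=True)
    return "remember_me" in jar.cookies_for(SECURE_HOST)

if __name__ == "__main__":
    print("logout via", STORE_HOST, "-> still remembered:", still_remembered(STORE_HOST))
    print("logout via", SECURE_HOST, "-> still remembered:", still_remembered(SECURE_HOST))
```

Logging out through the non-secure host leaves the secure host's cookie in the jar, so the next SSL request still carries it; logging out through the secure host removes it.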

  6. #6
    Client
    Join Date
    Oct 2006
    Location
    Minnesota
    Posts
    45
    Squirrelcart version
    v2.4.6
    Thank you, Jamie! That helped me understand what is going on a whole bunch.

    My one "nonsecure" item that is causing the "secure and nonsecure" prompt when logging out is Squirrelcart's "Balloon_Img" that is part of the "you have been logged out" message. It seems kind of odd that image is failing to pick up the SSL root domain, but other images, such as the "search" image, pick it up just fine...

  7. #7
    Squirrelcart Staff Jamie's Avatar
    Join Date
    May 2002
    Posts
    6,719
    Squirrelcart version
    v3.3.7
    You're welcome. I don't know what's causing that image to not use a secure URL. That's not normal. You would need to open a helpdesk ticket for us to figure that out.

  8. #8
    Client
    Join Date
    Oct 2006
    Location
    Minnesota
    Posts
    45
    Squirrelcart version
    v2.4.6
    Quote Originally Posted by Jamie
    You're welcome. I don't know what's causing that image to not use a secure URL. That's not normal. You would need to open a helpdesk ticket for us to figure that out.
    The same problem exists in your demo store! (demo store 3)

    Just log in, click "Category Home" to get out of SSL mode, and click "Logout". You'll get the "secure and nonsecure" prompt on the info_balloon.gif...

  9. #9
    Squirrelcart Staff Jamie's Avatar
    Join Date
    May 2002
    Posts
    6,719
    Squirrelcart version
    v3.3.7
    The demo is not up to date. It's running version 2.3.0. I tried this on 2.4.6, the version you are listing as yours and it doesn't do that.

  10. #10
    Client kshipgroup's Avatar
    Join Date
    Oct 2005
    Location
    Huntsville, Texas
    Posts
    86
    Squirrelcart version
    v2.6.3
    I am having this same issue with the info_balloon.gif image causing the SSL error when logging out. Has anyone found a fix or know what file that image is coded in?

    Thanks.
    "Linux Web Hosting with Superior Support"
    The KshipGroup - Since 1997
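
One way to locate the element behind a "secure and nonsecure items" prompt is to save the HTML of the page as served over https and list every subresource that is referenced with an absolute http:// URL. This is an added example, not part of the original thread and not Squirrelcart's code; the sample page, hostname and image paths are constructed.

```python
from html.parser import HTMLParser

# Tags whose URL attribute is fetched while rendering the page.
SUBRESOURCE_ATTRS = {"img": "src", "script": "src", "iframe": "src",
                     "embed": "src", "input": "src", "link": "href"}

class MixedContentFinder(HTMLParser):
    def __init__(self):
        super().__init__()
        self.findings = []  # (line number, tag, url)

    def handle_starttag(self, tag, attrs):
        attr = SUBRESOURCE_ATTRS.get(tag)
        if attr is None:
            return  # e.g. <a href> is navigation, not a subresource
        attrs = dict(attrs)
        if tag == "link" and "stylesheet" not in (attrs.get("rel") or "").lower():
            return  # only stylesheet links are treated as loaded content here
        url = (attrs.get(attr) or "").strip()
        # Relative and https:// URLs inherit or keep the secure scheme.
        if url.lower().startswith("http://"):
            self.findings.append((self.getpos()[0], tag, url))

def find_insecure_subresources(html):
    """Return (line, tag, url) for each subresource requested over plain HTTP."""
    finder = MixedContentFinder()
    finder.feed(html)
    finder.close()
    return finder.findings

# Constructed logout page, as it would be delivered over https.
LOGOUT_PAGE = """<html><head>
<link rel="stylesheet" href="/style.css">
<script src="https://www.store.example/cart.js"></script>
</head><body>
<img src="http://www.store.example/images/info_balloon.gif" alt="info">
<p>You have been logged out.</p>
<img src="images/search.gif" alt="search">
<a href="http://www.store.example/index.php">Category Home</a>
</body></html>"""

if __name__ == "__main__":
    for line, tag, url in find_insecure_subresources(LOGOUT_PAGE):
        print(f"line {line}: <{tag}> loads {url}")
```

The reported URL can then be searched for in the templates and PHP files that build the page to find where the non-secure base URL is being used.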
