
Thread: Account Options Nav Block not secure

  1. #1
    Registered User
    Join Date
    May 2011
    Posts
    5
    Squirrelcart version
    v2.6.5

    Account Options Nav Block not secure

    Hi,

    I noticed that the Username/Password nav block on our store does not seem to be secure. Once a user does log in it appears that the connection becomes secure.

    I also notice that the Account Options links, once logged in, are secure except for "Order History".

    Does this have something to do with relative links vs absolute? I remember there was a problem with Internet Explorer exclaiming that parts of our page were not secure, I am guessing the head frame that is on all our pages. Any suggestions?

    www.radhaz.com

    version 2.6.5

  2. #2
    Squirrelcart Staff Jamie
    Join Date
    May 2002
    Posts
    6,829
    Squirrelcart version
    v3.3.7
    Quote: Originally Posted by Stephen Tell
    I noticed that the Username/Password nav block on our store does not seem to be secure. Once a user does log in it appears that the connection becomes secure.
    The account options nav block form on this page posts to a secure URL:
    http://www.radhaz.com/store.php

    I'm not sure what you mean by it not being secure. The data being sent in the form is sent with SSL encryption.

    I also notice that the Account Options links, once logged in, are secure except for "Order History".
    Why would you want the order history page to be secure? There is no sensitive data on that page, and no forms post sensitive data to that page.

    Does this have something to do with relative links vs absolute?
    I couldn't say, as I don't know what the actual problem that you are reporting is. I don't see any evidence to indicate that the account options form is not posting to a secure URL.

  3. #3
    Registered User
    Join Date
    May 2011
    Posts
    5
    Squirrelcart version
    v2.6.5
    Hi Jamie,

    Thank you for the reply. I was concerned that the connection was unsecure because my browser did not show a padlock for the page where the login is located, indicating that it was not connected via SSL.

    How does the login work? I have always been told that you should never log in to a site that does not show the padlock in the browser as the username/password can be captured.

    Steve

  4. #4
    Squirrelcart Staff Jamie
    Join Date
    May 2002
    Posts
    6,829
    Squirrelcart version
    v3.3.7
    SSL is used to encrypt communication between your browser and the web server. That communication happens when you submit the form. The form is being sent to a secure URL, so SSL is being used.

    The presence of a login form does not require that it be presented to your browser via a request for a secure page, because there is nothing secure about the form itself. The only way to ensure your browser shows a padlock would be to encrypt the page that the form is on. The form is on every store page, so you would then have to use SSL for every page load. The information you would then be encrypting by doing that is the word "Username", the word "Password" and the HTML needed to generate the form.

    The alternative would be to give your customers an extra unnecessary step to click a link to take them to a separate login page via a secure URL.

    The only thing that needs to be encrypted is the actual data being entered, and that data is being sent to a secure page.
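
Added example, not part of the thread and not Squirrelcart code: a Python check of the two properties discussed above, the scheme of the page that carries the login form (what the browser padlock reflects) and the scheme of the URL the form posts to, including how a relative action resolves. The host `shop.example.test`, the sample HTML and all function names are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

# Constructed sample page (hypothetical host): two login forms and a search form.
SAMPLE_HTML = """
<form action="https://shop.example.test/store.php" method="post">
  <input name="username"><input type="password" name="password"></form>
<form action="store.php?login=1" method="post">
  <input name="username"><input type="PASSWORD" name="password"></form>
<form action="search.php"><input name="q"></form>
"""


class LoginFormAudit(HTMLParser):
    """Record every <form> that contains a password input."""

    def __init__(self, page_url):
        super().__init__()
        self.page_url = self.base_url = page_url  # <base href> may override base_url
        self.action = None  # None while outside a form
        self.has_password = False
        self.findings = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "base" and a.get("href"):
            self.base_url = urljoin(self.page_url, a["href"])
        elif tag == "form":
            self.action, self.has_password = a.get("action") or "", False
        elif tag == "input" and self.action is not None:
            self.has_password |= (a.get("type") or "").lower() == "password"

    def handle_endtag(self, tag):
        if tag != "form" or self.action is None:
            return
        if self.has_password:
            # An empty action submits to the page's own URL; a relative one
            # resolves against the base URL and so inherits its scheme.
            target = urljoin(self.base_url, self.action) if self.action else self.page_url
            self.findings.append({
                "action": self.action, "target": target,
                "page_https": urlparse(self.page_url).scheme == "https",
                "target_https": urlparse(target).scheme == "https"})
        self.action = None


def audit(page_url, html):
    """Return one finding per login form found in html served from page_url."""
    parser = LoginFormAudit(page_url)
    parser.feed(html)
    parser.close()
    return parser.findings
```

Calling `audit("http://shop.example.test/store.php", SAMPLE_HTML)` reports the absolute `https://` action as an HTTPS target on a non-HTTPS page, and the relative action as a plain-HTTP target because it inherits the page's scheme.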
