[SOLVED] SSL and Search form


Hi!

 

We enabled SSL on our site and because we don't have a separate domain for secure pages, our whole site is secure. (Not sure about that one - but our whole site is using https)

 

But when we search, we get an error message:

 

"Although this page is encrypted, the information you have entered is to be sent over an unencrypted connection and could easily be read by a third party.

 

Are you sure you want to continue sending this information?"

 

The URL returned to the Search Form by getPageLink begins with http instead of https.

 

The call is in blocksearch_top.tpl about line 30 and looks like: getPageLink('search.php')

 

But the function looks like:

 

public function getPageLink($filename, $ssl = false, $id_lang = NULL)

 

 

So it looks to me like the term for $ssl hasn't been sent in the call. Will it break anything if I replace the call to getPageLink with getPageLink('search.php', true)? Should the blocksearch be checking to see if the site is using SSL before sending this query?

 

Thanks!

Lynnette
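The browser warning quoted in the post above fires when a form on an HTTPS page submits to an `http://` URL. The following check is an added example, not part of the original post and not PrestaShop code: it resolves every form action in a page against the page URL and reports the ones that leave HTTPS. The host `shop.example`, the sample markup and every path other than `search.php` are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

class FormActionCollector(HTMLParser):
    """Collect every <form> action and the first <base href> on the page."""
    def __init__(self):
        super().__init__()
        self.base = None
        self.actions = []

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "base" and self.base is None and attrs.get("href"):
            self.base = attrs["href"]
        elif tag == "form":
            # A missing or empty action submits to the page's own URL.
            self.actions.append(attrs.get("action") or "")

def insecure_form_actions(page_url, html):
    """Return resolved form targets that use http:// on an https:// page."""
    if urlsplit(page_url).scheme != "https":
        return []  # The mixed-content warning only applies to secure pages.
    parser = FormActionCollector()
    parser.feed(html)
    # Relative actions resolve against <base href> when one is present.
    base = urljoin(page_url, parser.base) if parser.base else page_url
    resolved = [urljoin(base, a) if a else page_url for a in parser.actions]
    return [u for u in resolved if urlsplit(u).scheme == "http"]

# Constructed sample: the first form mimics a search block whose action
# was generated with an absolute http:// link on an HTTPS storefront.
SAMPLE_PAGE_URL = "https://shop.example/index.php"
SAMPLE_HTML = """
<form method="get" action="http://shop.example/search.php" id="searchbox">
  <input type="text" name="search_query">
</form>
<form method="post" action="/contact-form.php"></form>
<form method="post" action="//shop.example/authentication.php"></form>
<form method="post"></form>
"""

if __name__ == "__main__":
    for target in insecure_form_actions(SAMPLE_PAGE_URL, SAMPLE_HTML):
        print("insecure form target:", target)
```

Relative, protocol-relative and empty actions inherit the page's scheme, so only the absolute `http://` action is reported.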


  • 2 weeks later...

Hmm, your site should be using ssl just for the check out pages. Are you forcing ssl on the whole site?

 

 

Thanks for the answer! Yes I am forcing SSL on the whole site. I don't have a separate domain for SSL so I thought this is what I was supposed to do. And I also read that in the near future, all HTTP traffic will be encrypted so I thought maybe PrestaShop was ahead of the game!

 

Is PrestaShop not set up that way?

 

Thanks!


No, it is only supposed to be on the checkout flow, the account area, and the contact page. You don't want to use SSL over the whole site because it will slow everything down. When you use an SSL connection, it does not use the cache, so everything is reloaded from the website.


I would just add that it is the merchant's choice. I would agree that there is no need to force the customer to SSL for the home page, product/category pages, search page etc., because there is not an exchange of sensitive information between the customer and the server. However, there is nothing "wrong" with doing it, with the exception of what DesignHaus42 has already pointed out.


DesignHaus42 and bellini13 -

 

Thanks for sharing your knowledge! Heaven knows I can use the help!

 

Am I right to infer that PrestaShop does not anticipate a store owner using SSL over the whole site?

 

Thanks again!


Am I right to infer that PrestaShop does not anticipate a store owner using SSL over the whole site?

That is correct, and is consistent with other ecommerce sites, like Amazon. There is no need to use SSL to exchange non-secure information.


Thanks again!

 

How do I mark this topic closed? I've forgotten...

 

Don't worry, I'll take care of it for you B).

 

We're hoping to implement a "Mark as Solved" button in the future, but until then, just edit your first post and click "Use Full Editor."

 

Happy selling!

 

-Mike


  • 6 months later...

Please look up Side Jacking http://en.wikipedia.org/wiki/Session_hijacking before you decide to do that.

That is correct, and is consistent with other ecommerce sites, like Amazon. There is no need to use SSL to exchange non-secure information.

Please note (from Prevention methods in wiki link): "Encryption of the data traffic passed between the parties; in particular the session key, though ideally all traffic for the entire session[4] by using SSL/TLS. This technique is widely relied-upon by web-based banks and other e-commerce services, because it completely prevents sniffing-style attacks. However, it could still be possible to perform some other kind of session hijack." Also, Amazon allows users to force SSL independently, much like every site that is not solely going with SSL ports nowadays.


As I said, "the exchange of non-secure information". The existence of a session cookie would be excluded since that conveys "secure" information.

Without a session cookie being passed between sockets, wouldn't my cart be completely empty after switching from http to https?
