[thelist] shopping cart - secure or not

Bob Meetin ontheroad at frii.com
Thu Oct 26 16:38:34 CDT 2006


Lee - I think you got it!  I downloaded that program, tested.  -If- I am 
interpreting this correctly, then "Location: http://www.example.com/shop/cart.php" 
is the culprit.  Yes?

This leaves me at "Is this a problem which is owned by the company that 
manufactures the product?"  There is no control panel configuration to 
change the behavior.  Might another workaround be to set up redirection 
such that the cart et al. are forced to go through https?

-Bob

--------------------------------------------

POST /shop/secure/login.php HTTP/1.1
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/vnd.ms-excel, application/vnd.ms-powerpoint, application/msword, application/x-shockwave-flash, */*
Referer: https://www.example.com/shop/secure/login.php?m=client_login
Accept-Language: en-us
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)
Host: www.example.com
Content-Length: 74
Connection: Keep-Alive
Cache-Control: no-cache
Cookie: digiSHOPID=daf90dfb8bb42a9e358a1ff2152f70c2

submit=true&m=client_login&go=&cEmail1=bobmeetin at frii.com&cPass1=whatever

HTTP/1.1 302 Found
Date: Thu, 26 Oct 2006 21:15:36 GMT
Server: Apache/1.3.33 (Unix) mod_log_bytes/0.3 FrontPage/5.0.2.2635 PHP/4.4.1 mod_ssl/2.8.22 OpenSSL/0.9.7g
X-Powered-By: PHP/4.4.1
Set-Cookie: customerID=5616654ebf40add1040c1d7e53e675b7
Location: http://www.example.com/shop/cart.php?h=1&customerID=5616654ebf40add1040c1d7e53e675b7&go=https://www.example.com/shop/secure/account.php
Connection: close
Transfer-Encoding: chunked
Content-Type: text/html
-------------------------------------------------------------------------

Lee kowalkowski wrote:
> On 25/10/06, Bob Meetin <ontheroad at frii.com> wrote:
> Your error message is subtly different from the "warn if changing
> between secure and not secure mode".  Your error message is for
> redirection, there are no options in IE to disable that, but there is
> a registry setting: http://support.microsoft.com/kb/883740
>
> The message can be avoided by not switching protocols in a redirect
> (or avoiding the redirect in the first place, but redirects are
> commonly used for interrupt/just-in-time authentication).  Redirection
> of POSTs isn't neat, browsers typically obey, but the HTTP/1.1
> specification says they shouldn't without giving the user the
> opportunity to confirm.
>
>> It seems erroneous in that both
>> the login page and the next page are both secure, https.
>
> Those are the origin and the destination pages, but are there any
> redirect responses in-between?  It could be double-redirecting.
> You'll have to use something like IEHTTPHeaders
> (http://www.blunck.info/iehttpheaders.html) to make certain.
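The downgrade shown in the captured exchange, as an added check that is not code from this thread or from the cart product: it parses a raw login response and flags an https-to-http Location, a 302 answered to a POST, a cookie issued without the Secure flag, and a cookie value that is repeated in the redirect's query string. The sample response and its token values are constructed, not the ones from the capture.

```python
from urllib.parse import urlsplit, parse_qs
from http.cookies import SimpleCookie

def parse_response(raw):
    """Split a raw HTTP response (status line + headers) into (status, [(name, value)])."""
    lines = raw.strip().splitlines()
    status = int(lines[0].split()[1])
    headers = []
    for line in lines[1:]:
        if not line.strip():
            break                      # end of the header block
        name, _, value = line.partition(":")
        headers.append((name.strip().lower(), value.strip()))
    return status, headers

def audit_redirect(method, request_url, raw_response):
    """Return a list of findings for a login response that redirects the client."""
    status, headers = parse_response(raw_response)
    hdr = dict(headers)
    findings = []
    if status in (301, 302, 303, 307, 308) and "location" in hdr:
        dest = urlsplit(hdr["location"])
        if urlsplit(request_url).scheme == "https" and dest.scheme == "http":
            findings.append("downgrade: https request redirected to http Location")
        if method == "POST" and status in (301, 302):
            findings.append("post-redirect: 302 on POST relies on browser leniency")
        cookie_values = set()
        for name, value in headers:
            if name == "set-cookie":   # cookies issued alongside the redirect
                jar = SimpleCookie()
                jar.load(value)
                for morsel in jar.values():
                    cookie_values.add(morsel.value)
                    if dest.scheme == "http" and not morsel["secure"]:
                        findings.append(f"cookie {morsel.key} lacks Secure; will be sent over http")
        # a session/customer token that also rides in the URL ends up in logs and Referers
        for key, vals in parse_qs(dest.query).items():
            if cookie_values & set(vals):
                findings.append(f"token leak: cookie value exposed in query parameter {key}")
    return findings

# Constructed sample modelled on the exchange quoted in this thread (token value is made up)
SAMPLE_RESPONSE = (
    "HTTP/1.1 302 Found\r\n"
    "Set-Cookie: customerID=deadbeef0123\r\n"
    "Location: http://www.example.com/shop/cart.php?h=1&customerID=deadbeef0123"
    "&go=https://www.example.com/shop/secure/account.php\r\n"
    "Content-Type: text/html\r\n\r\n"
)

if __name__ == "__main__":
    for f in audit_redirect("POST", "https://www.example.com/shop/secure/login.php", SAMPLE_RESPONSE):
        print(f)
```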
