Apr 18 2009

SSL Security Warnings and osCommerce


Non-secure elements within an encrypted page will cause SSL security warnings such as “This page has both secure and insecure items” or “Connection Partially Encrypted. Parts of the page you are viewing were not encrypted before being transmitted over the Internet.” Making proper use of the tep_href_link() and tep_image() functions will fix the “mixed” content problem.



This is an example of mixed content that would cause a security warning:

<div id="content">
 <img src="http://www.myserver.com/images/mypic.jpg" alt="Not Encrypted" />
 <img src="https://www.myserver.com/images/mypic.jpg" alt="Encrypted" />
 <img src="http://www.anotherserver.com/images/mypic.jpg" alt="Hotlink" />
</div>

You will notice that in the example above the first two images are identical except for one crucial character, an “s” after http. Content on an encrypted page should always be referenced with the https protocol. Another example is hotlinked images that do not reside on your server, because your SSL certificate applies only to your domain name.

The best way to resolve SSL security warnings caused by hotlinks to external images is to ask the owner of the image for permission to download it to your own images directory under the encrypted domain.
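One way to check a rendered page for the mixed content described above, as an added example that is not part of the original post or of osCommerce. The page URL, the sample HTML (the post's three images plus a relative image and a plain link) and all function names are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Tag -> attribute the browser fetches; <a href> is navigation, so it is absent.
FETCH_ATTRS = {"img": "src", "script": "src", "iframe": "src",
               "embed": "src", "object": "data", "link": "href"}

# Constructed sample: the post's three images plus a relative image and a link.
PAGE_URL = "https://www.myserver.com/checkout.php"
SAMPLE = """<div id="content">
 <img src="http://www.myserver.com/images/mypic.jpg" alt="Not Encrypted" />
 <img src="https://www.myserver.com/images/mypic.jpg" alt="Encrypted" />
 <img src="http://www.anotherserver.com/images/mypic.jpg" alt="Hotlink" />
 <img src="images/mypic.jpg" alt="Relative" />
 <a href="http://www.myserver.com/index.php">Home</a>
</div>"""

class MixedContentFinder(HTMLParser):
    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.page_host = urlsplit(page_url).hostname
        self.findings = []  # (tag, resolved URL, "same-host" | "hotlink")

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        value = attrs.get(FETCH_ATTRS.get(tag, ""))
        if not value:
            return
        rel = (attrs.get("rel") or "").lower().split()
        if tag == "link" and "stylesheet" not in rel and "icon" not in rel:
            return  # e.g. rel="canonical" is never fetched
        # Relative and protocol-relative URLs inherit the page's https scheme.
        parts = urlsplit(urljoin(self.page_url, value.strip()))
        if parts.scheme == "http":
            kind = "same-host" if parts.hostname == self.page_host else "hotlink"
            self.findings.append((tag, parts.geturl(), kind))

def find_mixed_content(page_url, html):
    if urlsplit(page_url).scheme != "https":
        return []  # a plain-http page has no mixed content by definition
    finder = MixedContentFinder(page_url)
    finder.feed(html)
    finder.close()
    return finder.findings

if __name__ == "__main__":
    for tag, url, kind in find_mixed_content(PAGE_URL, SAMPLE):
        print(f"<{tag}> {url} ({kind})")
```

Same-host findings are the ones the tep_image() and tep_href_link() wrappers fix; hotlink findings need the image copied to your own images directory.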



To reference an image in osCommerce use the tep_image() function as follows:

// The HTML image wrapper function has the following parameters:
// function tep_image($src, $alt = '', $width = '', $height = '', $parameters = '')

// Example: $src is the image directory concatenated with the file name
echo tep_image(DIR_WS_IMAGES . "mypic.jpg", "My ALT text", 100, 100);



To hyperlink your images use the tep_href_link() function as follows:

// The HTML href link wrapper function has the following parameters:
// function tep_href_link($page = '', $parameters = '', $connection = 'NONSSL')

// Example
echo '<a href="' . tep_href_link("my_page.php") . '" title="My Link">' . tep_image(DIR_WS_IMAGES . "mypic.jpg", "My ALT text", 100, 100) . "</a>";

// Explicit use of SSL: $connection is the third argument, so $parameters is passed as ''
echo '<a href="' . tep_href_link("my_page.php", '', "SSL") . '" title="Link to HTTPS">' . tep_image(DIR_WS_IMAGES . "mypic.jpg", "My ALT text", 100, 100) . "</a>";



In the case of shopping cart transactions users expect their personal and credit card information to always be encrypted properly. If your website is displaying security warnings people might decide not to do business with you.

Apr 18th by Hektor