[ic] Secure vs non-secure pages
Mon, 02 Apr 2001 23:46:57 -0400
I just noticed some oddities tonight while playing with my Interchange server.
When proceeding to checkout, it switches to the secure server URL, and
(fingers crossed) the shopping cart contents are still there. (It
displays process.html.) Now if a user clicks on one of the check boxes
to remove an item from his cart, it goes to a non-secure page (still
process.html), and the browser gives off a warning.
I'm also seeing similar stuff when someone applies for an account.
If I add "process" to the AlwaysSecure line in my catalog.cfg, then when
someone goes to order something, it goes in and out of the secure server
quickly, the browser generates a dialog box saying that I am requesting
an insecure document, and the cart contents are dropped. (I still see
the proper session id on the URL though.)
Hmm, I just played some more, and now when it goes to the secure server,
it is dropping the cart contents, even though the session ID is there in
MORE INTERESTING INFO: in looking at my logs, I see the following:
20010402 62RFIem8:64.65.206 126.96.36.199 986268859
20010402 62RFIem8:64.65.206 188.8.131.52 986268873
20010402 7JCVMN5N:64.65.206 184.108.40.206 986268898
20010402 7JCVMN5N:64.65.206 220.127.116.11 986268903
20010402 7JCVMN5N:64.65.206 18.104.22.168 986268909
20010402 7JCVMN5N:64.65.206 22.214.171.124 986268916
20010402 7JCVMN5N:64.65.206 126.96.36.199 986268922
ADDITEM=99993,Mobile Floor Stand Model&ADDITEM=18003,50W 4700K/36 Degree
20010402 7JCVMN5N:64.65.206 188.8.131.52 986268931
20010402 62RFIem8:64.65.206 184.108.40.206 986268940
It appears that when I went to checkout, it picked up a session ID from
my last visit, even though the URL plainly has the secure server URL
with the 7JCVMN5N session ID. Could it be that a cookie is overruling
the session ID?
It seems that when I play with this once, it works fine. If I go to do
something else afterward, Interchange does weird stuff, like dropping my
cart. I would imagine this is going to happen to customers. I do have
a SessionExpire 20 minutes in my config.
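
Added example, not part of the original post: a small Python check that scans log lines laid out like the ones quoted above and reports every point where one client moves to a different session ID while the previous one is still within the 20-minute SessionExpire window, including the case where an older session is resumed. Assumptions: the field layout (date, session_id:host_prefix, remote address, epoch seconds) is inferred from the quoted lines, the sample log and its addresses are constructed, and the function names are hypothetical.

```python
from collections import defaultdict

# Constructed sample in the layout of the log lines quoted in the post:
# date, session_id:host_prefix, remote address, epoch seconds.
# The addresses are placeholders from the documentation range.
SAMPLE_LOG = """\
20010402 62RFIem8:64.65.206 192.0.2.10 986268859
20010402 62RFIem8:64.65.206 192.0.2.10 986268873
20010402 7JCVMN5N:64.65.206 192.0.2.10 986268898
20010402 7JCVMN5N:64.65.206 192.0.2.10 986268922
ADDITEM=99993,Mobile Floor Stand Model&ADDITEM=18003,50W 4700K/36 Degree
20010402 62RFIem8:64.65.206 192.0.2.10 986268940
"""

SESSION_EXPIRE = 20 * 60  # seconds, matching "SessionExpire 20 minutes"


def parse(log_text):
    """Yield (client_key, session_id, epoch) for each well-formed line."""
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) < 4 or ":" not in fields[1] or not fields[3].isdigit():
            continue  # skip continuation lines such as posted form data
        session_id, host_prefix = fields[1].split(":", 1)
        yield (host_prefix, fields[2]), session_id, int(fields[3])


def find_session_flips(log_text, window=SESSION_EXPIRE):
    """Report clients that switch session ID while the previous one is still alive."""
    last_seen = defaultdict(dict)  # client -> {session_id: last epoch seen}
    current = {}                   # client -> session ID used on the previous hit
    flips = []
    for client, sid, ts in sorted(parse(log_text), key=lambda r: r[2]):
        prev = current.get(client)
        if prev is not None and prev != sid and ts - last_seen[client][prev] <= window:
            flips.append({
                "client": client, "from": prev, "to": sid, "at": ts,
                # True when the client falls back to a session it used earlier
                "resumed_older_session": sid in last_seen[client],
            })
        last_seen[client][sid] = ts
        current[client] = sid
    return flips


if __name__ == "__main__":
    for flip in find_session_flips(SAMPLE_LOG):
        print(flip)
```

A flip with resumed_older_session set to True is the pattern described in the post: the request carries a newer session ID in the URL, yet the hit is logged under the earlier one.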