[ic] Secure vs non-secure pages

Bob Puff@NLE bob@nleaudio.com
Mon, 02 Apr 2001 23:46:57 -0400

Hi Gang,

I just noticed some oddities tonight while playing with my Interchange server.

When proceeding to checkout, it switches to the secure server URL, and 
(fingers crossed) the shopping cart contents are still there.  (It 
displays process.html.)  Now if a user clicks on one of the check boxes 
to remove an item from his cart, it goes to a non-secure page (still 
process.html), and the browser gives off a warning.

I'm also seeing similar stuff when someone applies for an account.  

If I add "process" to the AlwaysSecure line in my catalog.cfg, then when 
someone goes to order something, it goes in and out of the secure server 
quickly, the browser generates a dialog box saying that I am requesting 
an insecure document, and the cart contents are dropped.  (I still see 
the proper session id on the URL though.)

Hmm, I just played some more, and now when it goes to the secure server,
it is dropping the cart contents, even though the session ID is there in
the URL.

MORE INTERESTING INFO: in looking at my logs, I see the following:

20010402        62RFIem8:64.65.206        986268859
20010402        62RFIem8:64.65.206        986268873
20010402        7JCVMN5N:64.65.206        986268898
20010402        7JCVMN5N:64.65.206        986268903
20010402        7JCVMN5N:64.65.206        986268909
20010402        7JCVMN5N:64.65.206        986268916
20010402        7JCVMN5N:64.65.206        986268922
        ADDITEM=99993,Mobile Floor Stand Model&ADDITEM=18003,50W 4700K/36 Degree
20010402        7JCVMN5N:64.65.206        986268931
20010402        62RFIem8:64.65.206        986268940

It appears that when I went to checkout, it picked up a session ID from 
my last visit, even though the URL plainly has the secure server URL 
with the 7JCVMN5N session ID.  Could it be that a cookie is overruling 
the session ID?

It seems that when I play with this once, it works fine.  If I go to do 
something else afterward, Interchange does weird stuff, like dropping my 
cart.  I would imagine this is going to happen to customers.  I do have
a SessionExpire  20 minutes in my config.
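
The session flip visible in the log excerpt above can be found mechanically. The following is an added example, not part of the original post and not Interchange code: it parses lines in that three-column layout and reports every point where one client prefix changes session ID inside the expiry window, flagging a return to an ID used earlier. The field meanings (date, session ID and client address prefix, epoch seconds) are an assumption read off the excerpt, and the function names are hypothetical.

```python
import re
from collections import defaultdict

# Log excerpt quoted in the post, reproduced inline as sample input.
SAMPLE = """\
20010402        62RFIem8:64.65.206        986268859
20010402        62RFIem8:64.65.206        986268873
20010402        7JCVMN5N:64.65.206        986268898
20010402        7JCVMN5N:64.65.206        986268903
20010402        7JCVMN5N:64.65.206        986268909
20010402        7JCVMN5N:64.65.206        986268916
20010402        7JCVMN5N:64.65.206        986268922
        ADDITEM=99993,Mobile Floor Stand Model&ADDITEM=18003,50W 4700K/36 Degree
20010402        7JCVMN5N:64.65.206        986268931
20010402        62RFIem8:64.65.206        986268940
"""

# Assumed layout: YYYYMMDD, session_id:client_prefix, epoch seconds.
RECORD = re.compile(r"^(\d{8})\s+([A-Za-z0-9]+):([0-9.]+)\s+(\d+)\s*$")

def parse(text):
    """Yield (session_id, client, epoch); indented detail lines (ADDITEM=...) are skipped."""
    for line in text.splitlines():
        m = RECORD.match(line)
        if m:
            yield m.group(2), m.group(3), int(m.group(4))

def session_switches(text, window=20 * 60):
    """List session ID changes per client that occur within `window` seconds.

    window defaults to the 20-minute SessionExpire mentioned in the post.
    'reverted' is True when the client returns to an ID it used earlier.
    """
    last = {}                 # client -> (session_id, epoch) of previous hit
    seen = defaultdict(set)   # client -> every session ID seen so far
    switches = []
    for sid, client, ts in parse(text):
        prev = last.get(client)
        if prev and prev[0] != sid and ts - prev[1] <= window:
            switches.append({"client": client, "from": prev[0], "to": sid,
                             "at": ts, "gap": ts - prev[1],
                             "reverted": sid in seen[client]})
        seen[client].add(sid)
        last[client] = (sid, ts)
    return switches

if __name__ == "__main__":
    for s in session_switches(SAMPLE):
        print(s)
```

On the excerpt this reports two changes; the second, nine seconds after the last 7JCVMN5N hit, is the return to 62RFIem8.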