[ic] Secure vs non-secure pages

Bob Puff@NLE bob@nleaudio.com
Mon, 02 Apr 2001 23:46:57 -0400


Hi Gang,

I just noticed some oddities tonight while playing with my Interchange server.

When proceeding to checkout, it switches to the secure server URL, and 
(fingers crossed) the shopping cart contents are still there.  (It 
displays process.html.)  Now if a user clicks on one of the check boxes 
to remove an item from his cart, it goes to a non-secure page (still 
process.html), and the browser gives off a warning.

I'm also seeing similar stuff when someone applies for an account.  

If I add "process" to the AlwaysSecure line in my catalog.cfg, then when 
someone goes to order something, it goes in and out of the secure server 
quickly, the browser generates a dialog box saying that I am requesting 
an insecure document, and the cart contents are dropped.  (I still see 
the proper session id on the URL though.)

Hmm, I just played some more, and now when it goes to the secure server,
it is dropping the cart contents, even though the session ID is there in
the URL.

MORE INTERESTING INFO: in looking at my logs, I see the following:

20010402        62RFIem8:64.65.206              64.65.206.24    986268859
        VIEWPAGE=ord/basket
20010402        62RFIem8:64.65.206              64.65.206.24    986268873
        VIEWPAGE=ord/basket
20010402        7JCVMN5N:64.65.206              64.65.206.24    986268898
        VIEWPAGE=index
20010402        7JCVMN5N:64.65.206              64.65.206.24    986268903
        VIEWPAGE=soluxbulbs
20010402        7JCVMN5N:64.65.206              64.65.206.24    986268909
        VIEWPAGE=tasklamps
20010402        7JCVMN5N:64.65.206              64.65.206.24    986268916
        VIEWPAGE=99993
20010402        7JCVMN5N:64.65.206              64.65.206.24    986268922
        ADDITEM=99993,Mobile Floor Stand Model&ADDITEM=18003,50W 4700K/36 Degree
 "Flood"&VIEWPAGE=ord/basket
20010402        7JCVMN5N:64.65.206              64.65.206.24    986268931
        VIEWPAGE=ord/basket
20010402        62RFIem8:64.65.206              64.65.206.24    986268940
        VIEWPAGE=ord/checkout 

It appears that when I went to checkout, it picked up a session ID from 
my last visit, even though the URL plainly has the secure server URL 
with the 7JCVMN5N session ID.  Could it be that a cookie is overruling 
the session ID?

It seems that when I play with this once, it works fine.  If I go to do 
something else afterward, Interchange does weird stuff, like dropping my 
cart.  I would imagine this is going to happen to customers.  I do have
a SessionExpire  20 minutes in my config.

Ideas?

Bob
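
Added example (not part of the original post, and not Interchange code): a small Python check that scans tracking-log lines like the ones quoted above and flags requests where a client falls back to an older session ID while a newer one was still active. The field layout is inferred from the excerpt, and the sample is built from the post's entries with the wrapped lines rejoined; both are assumptions.

```python
import re

# Field layout inferred from the log excerpt in the post (an assumption):
# date, session_id:host_prefix, client IP, epoch seconds, '&'-joined actions.
LINE_RE = re.compile(r"^(\d{8})\s+(\w+):(\S+)\s+(\S+)\s+(\d+)\s+(.*)$")

SESSION_EXPIRE = 20 * 60  # the post's SessionExpire of 20 minutes, in seconds

# Constructed sample: entries from the post's excerpt, wrapped lines rejoined.
SAMPLE_LOG = """\
20010402 62RFIem8:64.65.206 64.65.206.24 986268873 VIEWPAGE=ord/basket
20010402 7JCVMN5N:64.65.206 64.65.206.24 986268898 VIEWPAGE=index
20010402 7JCVMN5N:64.65.206 64.65.206.24 986268922 ADDITEM=99993,Mobile Floor Stand Model&VIEWPAGE=ord/basket
20010402 7JCVMN5N:64.65.206 64.65.206.24 986268931 VIEWPAGE=ord/basket
20010402 62RFIem8:64.65.206 64.65.206.24 986268940 VIEWPAGE=ord/checkout
"""

def parse(text):
    """Yield (session, ip, epoch, actions) for each well-formed line."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            _, session, _, ip, epoch, actions = m.groups()
            yield session, ip, int(epoch), actions

def find_session_reverts(text, window=SESSION_EXPIRE):
    """Flag requests where a client falls back to an older session ID while a
    newer session from the same IP was still active within `window` seconds."""
    last = {}   # ip -> (session, epoch) of the previous request
    seen = {}   # ip -> set of session IDs already observed
    findings = []
    for session, ip, epoch, actions in parse(text):
        prev = last.get(ip)
        if prev and prev[0] != session and session in seen[ip] \
                and epoch - prev[1] <= window:
            findings.append({"ip": ip, "from": prev[0], "to": session,
                             "gap": epoch - prev[1], "actions": actions})
        seen.setdefault(ip, set()).add(session)
        last[ip] = (session, epoch)
    return findings

if __name__ == "__main__":
    for f in find_session_reverts(SAMPLE_LOG):
        print(f)
```

Several users behind one shared IP address will also interleave session IDs, so a hit is a lead to compare against the session ID in the requested URL, not proof of a cookie override.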