[ic] ssl submission at button level (not form level)?

Ron Phipps interchange-users@interchange.redhat.com
Mon Sep 3 16:16:01 2001


> -----Original Message-----
> From: interchange-users-admin@interchange.redhat.com
[mailto:interchange-
> users-admin@interchange.redhat.com] On Behalf Of Mike Heins
> Quoting Richard Seymour (rseymour@anarchysoftware.com):
> > I don't know if this is possible. Maybe someone here has some ideas.
> >
> > User is at a form in non-secure mode and hits a "complete
transaction"
> > button on a form which has a "action=[process-order secure=1]" tag.
All
> > is well (the user goes to an ssl page to continue). BUT if I want
the
> > user to hit a button labled "continue shopping" on the same form,
the
> > user should be directed back to the general order page (or
wherever),
> > but NOT via ssl. What I'm getting is the user goes to the shopping
page
> > (good) but with an "https://" based URL (bad).
> >
> > I could move the "continue shopping" button to a link outside the
form,
> > or another form. But is there a way to do this with just one form.
That
> > is something like (I know this syntax doesn't work, but...):
> >
> > [set complete transaction]
> > mv_todo=return
> > mv_nextpage=ord/payments
> > mv_secure=Yes! Make this secure. Do it!
> > [/set]
> >
> > [set continue shopping]
> > mv_todo=return
> > mv_nextpage=somewhere
> > mv_secure=Nope! I don't want this to be secure, not at all, thanks!
> > [/set]
> 
> Nope -- not possible. Remember that the URL the action is sent
> to is determined by the browser before it is posted, not Interchange
> after it is received at that URL.

I saw this same situation where non-ssl forms would be served in https
mode from the basket page.  So what we did was left the form submission
to be non-ssl for the basket page then on the checkout page we put at
the top:

<script language="JavaScript">
<!--
if (document.location.protocol == "http:") {
	
window.location="https://www.yourserver.com/cgi-bin/store/ord/checkout.h
tml";
}
-->
</script>

So if the checkout page was referenced in non-ssl mode we force the
browser to redirect to the secure page.  I'm not sure if this will work
for everyone's setup, but it seemed to fix our issues with this
situation.

Maybe a fix in IC would be to check the AlwaysSecure tag and instead of
bouncing to a page that says the page must be served in secure mode, it
should bounce to the page requested, except in ssl mode?

> The only thing to be done is to use JavaScript to change the
> action of the form when the button is clicked. That is typically
> possible with <input type=submit> but not <input type=image>.

We found the same that it would not work in Netscape due to input
type=image not being valid in the spec NS is based on.  So we used
images surrounded by links and used the onClick event of the link to set
some form variables and submit the form.

Good luck,
-Ron