Ecommerce shows unsecured items

[ajpaulus65]

Hi All

I have an ecommerce store with Network Solutions and something on the website shows an unsecured item when they go to the shopping cart. I checked all links and they are all secured links. Can anyone help me find the problem since Network Solutions are stumped as well? Go to http://www.gymsupply.com and place something in the cart and then you'll get a message when you check out. What is it? Help!!!


Thanks for your time,
AJ

[amxfan]

Do you mean this?

"Added !Poster, Shawn Johnson Olympic Champion Poster (Qty: 1) to your cart"

Some carts show messages like this due to an exploit that was fixed by adding inventory control to the cart. The exploit allowed people to change the price and quantity of the item before checking out. To stay in PCI compliance some carts had to do this. This is the ONLY message I saw so I'm thinking you mean this one. I did not know NWS had to do this but I do know some others did.

Now you mention Network Solutions. I'm pulling my one site from them due to their shared hosting is NOT PCI compliant. When I signed up with them they told me it was. When I found out that it is not "through a PCI scan" I called sales and talked to 3 different sales people "called 3 times" and all 3 told me that yes shared hosting would meet my needs and yes it is PCI compliant. I called Tech support and they told me no it is not and cannot ever be due to the setup of their servers. I have been with NWS for over a year and they agreed to give me a full refund due to their sales people telling me a lie. I'm am now in the process of moving my site from them. I'm not sure if you're on a shared hosting plan with them or on their e-commerce plan so I thought I would give you a heads up.

[ajpaulus65]

No, the message prompts the viewer that there is an unsecured item on the page and if they want to continue. Depending on what browser you are using, but with firefox, it just gives me a red line over the padlock in the right bottom corner and with others, it prompts them with a message box. Thanks for looking.

[wige]

The following dependencies are not secured on the checkout page:

http://www.gymsupply.com/custompages...r/spacer10.gif
http://www.insidegymnastics.com/cont...n&sd=y&ulist=y

[google junky]

I want to kind of reiterate what "wige" said.
Anything found in the format of an http in an https page will result in a page stating it has unsecure items in it.
There isn't any option but to fix it also.

This is the list of unsecure items from the page I was on:
# http://www.gymsupply.blogspot.com/
# http://www.gymsupply.com/index.asp?PageAction=CARTDETAILS&Page=1
# http://www.insidegymnastics.com/content/show/?a=426&z=1
# http://www.insidegymnastics.com/content/show/?a=430&z=1
# http://www.insidegymnastics.com/content/show/?a=431&z=1
# http://www.insidegymnastics.com/content/show/?a=432&z=1
# http://www.insidegymnastics.com/content/show/?a=433&z=1
# http://www.kipclub.com/


Good Luck,
Google Junky

[ajpaulus65]

Okay, I think I fixed it, but my boss said it still shows on his browser. Can you test for me again?

[google junky]

I checked in IE and Firefox and it looks to be good now.
Congrats!

[ajpaulus65]

In IE, it states that there is a 'done, but with errors on page'.....should I be concerned with this message?

[google junky]

They are script/code errors. No need to worry about it. It is rare to find a page that IE wouldn't complain about. It poses no security problem.
You can fix them if you like by checking at W3C for validation.

[Dubbya]

The "done but with errors on the page" indicates a JavaScript error.

If you view the page source in your browser, you'll find a Javascript error on line 12, right where your Google Urchin code is.

You're using the old version of Google's analytics tracking code.

Here's the new code for a ecommerce site:

Code:

<script type="text/javascript">
var gaJsHost = (("https:" == document.location.protocol) ? "https://ssl." : "http://www.");
document.write(unescape("%3Cscript src='" + gaJsHost + "google-analytics.com/ga.js' type='text/javascript'%3E%3C/script%3E"));
</script>
<script type="text/javascript">
var pageTracker = _gat._getTracker("UA-xxxxxx-x");
pageTracker._trackPageview();
</script>

More troubleshooting and installation information here:
old code:
How can I confirm that I've entered the tracking code correctly on my pages? - Google Analytics Help Center

New code:
How can I confirm that I've entered the tracking code correctly on my pages? - Google Analytics Help Center

[imvain2]

Quote:

Originally Posted by google junky

I want to kind of reiterate what "wige" said.
Anything found in the format of an http in an https page will result in a page stating it has unsecure items in it.
There isn't any option but to fix it also.

This is the list of unsecure items from the page I was on:
# All Things Gymnastics
# Gymnastics Grips, Gymnastics Mats, Gymnastics Equipment, Gymnastics Apparel- DGS 9.9 - Gymsupply.com
# News | Inside Gymnastics Magazine
# News | Inside Gymnastics Magazine
# News | Inside Gymnastics Magazine
# News | Inside Gymnastics Magazine
# News | Inside Gymnastics Magazine
# Kip Club - DGS 9.9's Affiliate Program


Good Luck,
Google Junky

I just want to clarify to everyone, this isn't exactly true.

Images, scripts, flash, style sheets, yes they have to be pulled through the digital certificate if on the secure page.

However, links do not need to point to a secure area. Like for example, a link to a home page doesn't need to be pushed through the digital certificate.

[puamana]

It simply means that EVERYTHING on the page must be called using a secure server link.

Some carts will allow relative links (.../.../file.txt) but you may need to go through and
change ALL links in the code to secure, and place copies of all images and dependent templates
in a secure directory (depending on how your server is configured).

For example, if you are calling a 'footer template' from your unsecure area of the site,
it would be flagged by the server as an 'unsecure' item on the page. Usually the script
running the cart has secure/unsecure access, as long as you specify in your settings you are
running a secure cart and provide the secure url to the cart.

- Puamana

[imvain2]

Quote:

Originally Posted by puamana

It simply means that EVERYTHING on the page must be called using a secure server link.

Some carts will allow relative links (.../.../file.txt) but you may need to go through and
change ALL links in the code to secure, and place copies of all images and dependent templates
in a secure directory (depending on how your server is configured).

For example, if you are calling a 'footer template' from your unsecure area of the site,
it would be flagged by the server as an 'unsecure' item on the page. Usually the script
running the cart has secure/unsecure access, as long as you specify in your settings you are
running a secure cart and provide the secure url to the cart.

- Puamana

No, NOT everything. For example, a link to the HOME page doesn't need to be pointed to the page in the digital certificate.

Visit 99% of the ecommerce websites and get into the secure environment and the links to the other pages will be unsecure, yet no errors will pop up. Why? because only items that are "included" need to be secure, like images, external script files, css files and flash files.

[Shift4SMS]

Quote:

Originally Posted by google junky

They are script/code errors. No need to worry about it. It is rare to find a page that IE wouldn't complain about. It poses no security problem.
You can fix them if you like by checking at W3C for validation.

I have to STRONGLY disagree here. If IE displays a script error then you have the show scripting errors turned on and it has detected a real script error. Dubbya already pointed out the error. I have it turned on because I do a lot of JS coding. Because I have it turned on, I see these annoying warnings on many sites. For me it throws up a red flag because it indicates sloppy coding: Do I trust this site when they are publishing syntactically incorrect javascript? How confident am I that the server side code is coded any better?

My recommendation is that when you test for IE compatibility, turn on "show script errors" and make sure you don't have any.

[villageloop]

Quote:

Originally Posted by Shift4SMS

I have to STRONGLY disagree here. If IE displays a script error then you have the show scripting errors turned on and it has detected a real script error. Dubbya already pointed out the error. I have it turned on because I do a lot of JS coding. Because I have it turned on, I see these annoying warnings on many sites. For me it throws up a red flag because it indicates sloppy coding: Do I trust this site when they are publishing syntactically incorrect javascript? How confident am I that the server side code is coded any better?

My recommendation is that when you test for IE compatibility, turn on "show script errors" and make sure you don't have any.

I would have to agree with Shift4SMS here.
Find your errors and fix them.
Even if it is not a critical error, it is still an error and would reduce your credibility as a developer in the same way a broken image on your site reduces your credibility as a designer.

[d.vincent]

I am doing my internship at the company Cashtronics and they are used to dealing with security problems on websites. I am sure they can help you out.
you can find the contact on La Solution de paiement en ligne sécurisé par CASHTRONICS

[pixma85]

make sure the links have /productabc.html instead of www.website.com/productabc.html