eCommerce Tycoon

**dsellers** · 03:05 AM

I have some order forms and an affiliate program on my site which need to be on secured pages (Secured Socket Layer). We have a godaddy account and have a secured certificate.

The SSL works great except when there is a link on one of the secured pages that leads to an unsecured page (i.e. on a secured orderform page, a link leading back to our unsecured site homepage). Of course, I'm trying to set it up this way because I want our orderform pages to be secured, but I don't want the rest of our site to be secured.

When there is a secured page, and there is link on this page leading to an unsecured page, when a visitor first arrives on the secured page, the browser gives a nasty message saying the page is only partially encrypted. Of course, this is not good.

So I set out to find a way to link from my orderform back to unsecured pages on my site without getting this nasty error.

By accident, I discovered a weird technique. If the link coming from the orderform goes to a secured page, but this secured page simply has a redirect in it leading to a unsecured page, this seems to prevent the nasty message and allows linking from secured to unsecured pages.

So a visitor arrives at the orderpage, wants to return to homepage, clicks link, is taken to secured page that has simple redirect to the unsecured homepage, and then user arrives on homepage (which is not secure).

Is this technique OK? Will it work on all the browsers? Can it create any problems? Is there another, more correct way I should be doing this? Thanks for any suggestions -

**JeremyMiller** · 01-04-2009, 03:49 AM

You should post the URL. Usually when you get a message that a page contains unsecured items it's because your image URLs on that page are not secured, so changing those will resolve the issue. I'm not aware of any instance where an outbound link from a secured page to a non-secured page has caused that error message.

Now, if you have a form on a secured page, but it submits to a non-secured page, that will rightfully trigger a message as well, but it's a different message than the one you cited.

Hope that helps.

**dsellers** · 01-04-2009, 04:14 AM

Thanks for the reply. All the the images are set up with paths (no urls).

For example: <img src="/images/picture1.gif" width="125" height="34"/>

That's wild what you are saying. I've tested it over and over (with certificates from different hosting companies) and it always seems as if there is any link that is http instead of https, it triggers that nasty encrypt message. I'll keep playing around with it but let me know if you have any other suggestions. Thanks for the help.

Andrew

**JeremyMiller** · 01-04-2009, 04:16 AM

Then we're back to my first thing: Post the URL.

Then we can see for ourselves and that helps a ton in resolving the problem.

**dsellers** · 04:41 PM

I've actually been getting mixed results with this. I have the link going to non-secure pages using the redirects as I mentioned, but even with this now, I'm still getting the unencrypted error.

**chrishirst** · 01-04-2009, 08:59 AM

HTML Code:

<tr>
<td width="25%" bgcolor="#E6EDFD">&nbsp;Website Address</td>
<td width="25%" bgcolor="#E6EDFD">&nbsp;<input type="text" name="url" size="30" value="http://" style="width:150px;" tabindex="7"></td>
<td width="50%" bgcolor="#E6EDFD" colspan="2"></td>
</tr>

input value for the "Website Address" gets my vote.

**dsellers** · 01-04-2009, 04:39 PM

chrishirst - yea, in this affiliate program there are unsecured urls all the way through it. I think I will just take the SSL off and keep it unsecured. Otherwise, users will keep getting the unencrypted message. We'll just take the request for a social security number out so it won't be such a big deal to sign up.

So, it does seem as if any unsecured urls on a secured page will trigger the nasty unencrypted message? Do you suggest the workaround with the redirects (which I mentioned before) as a solution to this?

**chrishirst** · 01-04-2009, 04:48 PM

It's not an unsecured URI though, just the protocol as the default value.
Why not just leave off the "http://" default value and let the server add it on submission? Or insert the value with javascript once the the page has loaded?