SSL - https/http switchover - both secure nosecure items - encrypted

[HWG]

The question is simple:

With the SSL cert applied to my site, how can I hit CheckOut button without the prompt of the 'the page contains both secure and nonsecure items' from IE in the latest VM version (1.0.14)?

I've searched all of the forums and I've mixed clues about different people having different ways to deal with that. I had this issue back in version 1.0.10, I'm disappointed this issue still is not resolved now in 1.0.14.

I would love to have a central place that somebody from VM to address this issue correctly.

Without the HTTPS protocol in place and without it working correctly, I don't have it's an e-commerce solution.

I've tried: Joomla 1.0.13 + VM 1.0.14 (downloaded as Joomla! 1.0.13 eCommerce Edition) and Joomla 1.0.14 + VM 1.0.14, without any luck.

• On the same hosting package, I've another e-commerce shopping cart software, it works fine. I would like to say it's nothing about share or dedicated SSL issue.
  
  It failed with the fresh installation, I would like to say it's nothing about the hosting company, nothing about the external objects (Google Analytics, Joomsef, JavaScript and etc.), nothing about the third party template, it's from the VM code.

Viewed from the source code, I found all of the VM product categories on the left bar are still HTTP, without switching over to HTTPS when the checkout button is hit.

I hope I consolidate all the questions people would like to ask:

• 1. Is seeing the warning message of mixed secure and nonsecure item normal? - I personally don't think so, we don't see that in Amazon, in Bank of America.
  
  2. For VM 1.0.14, do we still need to hack the code to make it work? - So it's a bug, not a configuration issue?
  
  3. Is this the VM issue? not Joomla issue? (as look at this link: http://www.joomla.org/content/view/3677/1/ - Joomla said it has already improved the http/https switchover feature)
  
  4. Has somebody out there had this issue resolved?
  
  5. Should we hope the 1.1 VM be doing better job on this?

Thanks!

[Joseph Kwan]

The secure and non-secure items warning is not a problem of VM and so there's little, if any, VM can do.  (By the way putting a http link in a secure page will not cause the warning. The warning only occurs when the object is downloaded with the page.)

Judging from the problems I've fixed so far, most of the time the non-secure item is due to modules and templates outside of VM. If you use a third party modules/mambots/templates that has a non-secure item, the warning will come up. As obvious, VM cannot handle problems caused by these items.

Another source of problems is caused by custom VM modules and templates. By hard coding http in your template, eg, the secure and non-secure warning will come up when using https. Again, this is nothing VM can do.

To sum up, the secure and non-secure warning is caused by the modular and flexible structure of Joomla and Virtuemart. And that's the beauty we all treasure. The development teams cannot and should not guarantee every customized item is without problem. The end users/developers themselves should take up that responsibility.

Virtuemart has its weaknesses and rooms for improvements. But please don't blame VM for every problem you encounter.

[winfreepcs]

It would be most helpful to know which 3rd party module, etc would run interference with VM.

I've used VM 1.0.5 for a long time without any SSL issues. I've upgraded to VM 1.1.0 (and Joomla 1.0.15) and I'm struggling with SSL issues in ie6 and ie7, but not FF.

[JJRO]

Same here - 1.1 has some oddities... the update cart and remove item images are not coming up under https.

[Joseph Kwan]

winfreepcs,

There's no definite list. In fact, I must emphasize that those problem modules etc are not conflicting with VM. They are just referencing files that are not in https and caused the browser to warn user. The warning will pop up even if VM is uninstalled and you try to access the site through https.

Most probably, your problem lies in your joomla template which references a file that mean to fix IE bugs. The file is not referenced in Firefox and so error does not pop up.
This kind of problem can be difficult to identify as some times they are embedded in long trunk of crytic javascript code.

[winfreepcs]

I just switched to solarflare and madeyourweb templates and I still have the same SSL popup.

Furthermore, I've not had this problem in VM 1.05 as I'm having in 1.1.  I noticed that there's an extra two lines in virtuemart.cfg in 1.1 that was not in 1.05 and I'm trying to find out why the difference.

[Joseph Kwan]

There can be several reasons why the secure warning popup. The VM templates you are using can also have problems. But I can't tell for sure which one without taking detailed look into the site.
What I mean is most of the time, it's not a problem of the VM core. This does not apply to any VM customization done including the templates.

[winfreepcs]

I'ved reported it as a bug because I was comparing VM 1.05 and VM1.1 and the extra two lines are in 1.1.

[brick]

One way you can use to figure out which module is not secure is to right click on the page and then click "View Source" in IE.  Then go to the notepad doc it opened and do a search for "http:".  Follow the line it returns until you see "mod_".  You can then go to the Joomla module manager and find the mod with that name. 

Also, if you have banners through a LinkShare or Kolimbo kind of situation, that will also do this with the links they provide if you're using the banner module.  You will have to disable the banners on the secure pages.

[winfreepcs]

I've checked and there's no module causing the error. It is the VM that's causing the errors:

components/com_virtuemart/themes/default/images/update_quantity_cart.png
components/com_virtuemart/themes/default/images/remove_from_cart.png

[Joseph Kwan]

Thanks for reporting this. I'm really interested in following this through.
Do you mean that these 2 images caused the security popup in IE but not in FF?

[winfreepcs]

That is correct.

[Joseph Kwan]

Do you managed to get it fixed? Can you share the solution? It would be great if you can give us the url.

[JJRO]

I didn't get this fixed, but interestingly in FF, it doesn't call to https: but still no error...
<input type="image" name="update" title="Update Quantity In Cart" src="http://www.sitename.com//components/com_virtuemart/themes/default/images/update_quantity_cart.png" border="0"  alt="Update" align="absmiddle" />

[Joseph Kwan]

That's definite a bug in VM1.1 (and also bug in FF). Can't imagine why this can escape our excellent testing team. Try replacing the vm config file with the attachment and see if this works.

This file should replace the file administrator/components/com_virtuemart/virtuemart.cfg.php. Note the filename is different from the attachment. You have to rename your original file. Upload this file and rename it to virtuemart.cfg.php.

[attachment cleanup by admin]