SSL Setup

Okay this might be a dumb question but I've searched the forums, I've searched the settings and I've even searched the code but I can't find an answer.

I have authorize.net set up, both in the merchant account on their site and in the Payment Settings in Dolphin. I've purchased an SSL Certificate but I can't find anywhere to tell Dolphin/Authorize.net to use it.

I'm trying to go live with this site so any helpful advice would be greatly appreciated.

Allen

Quote · 19 Mar 2009

Another question here.  In testing Authorize.net (still no SSL) I cannot get it to verify.  I turned on debugging and checked the file and it shows the transaction was approved:

(TESTMODE) This transaction has been approved

But at the bottom of the file it shows a Calculated MD5 Hash value and a Received MD5 Hash value, which are different, and neither one of them is what I have set up in the Payment Manager or on Authorize.net's security settings.

Quote · 19 Mar 2009

Your host needs to set it up on the server.

Quote · 19 Mar 2009

Hosting company has set up the SSL Certificate but I need to tell Dolphin to use it.

I know I can edit inc/header.inc.php but I don't want the whole site to use the certificate, just the checkout page where they enter their credit card info. You know, like most standard websites that accept online payments do.

Quote · 20 Mar 2009

Where's the name of the page where they do the checkout?  That's the page you edit

 

checkout.php

 

<?php

/***************************************************************************
*                            Dolphin Smart Community Builder
*                              -----------------
*     begin                : Mon Mar 23 2006
*     copyright            : (C) 2006 BoonEx Group
*     website              : http://www.boonex.com/
* This file is part of Dolphin - Smart Community Builder
*
* Dolphin is free software. This work is licensed under a Creative Commons Attribution 3.0 License.
* http://creativecommons.org/licenses/by/3.0/
*
* Dolphin is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY;
* without even the implied warranty of  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
* See the Creative Commons Attribution 3.0 License for more details.
* You should have received a copy of the Creative Commons Attribution 3.0 License along with Dolphin,
* see license.txt file; if not, write to marketing@boonex.com
***************************************************************************/

require_once( 'inc/header.inc.php' );
require_once( BX_DIRECTORY_PATH_INC . 'design.inc.php' );
require_once( BX_DIRECTORY_PATH_INC . 'profiles.inc.php' );
require_once( BX_DIRECTORY_PATH_INC . 'checkout.inc.php' );

 

Place Code here

Quote · 20 Mar 2009

I've edited checkout.php as follows:

<!-- <form id="f<?= $arr['Name'] ?>ProviderForm" action="<?= $_SERVER['PHP_SELF'] ?>" method="post" style="margin: 10px;"> -->
<form id="f<?= $arr['Name'] ?>ProviderForm" action="https://www.avillagetoraise.com/checkout.php" method="post" style="margin: 10px;">

However now when I checkout I get the following message in IE:

"This page contains both secure and nonsecure items. Do you want to display the nonsecure items?"

I did some research and this is due to several items that are loaded with the nonsecure (http:) URL, such as javascript, images, navigation links, etc.  This is because of the way Dolphin builds the pages.

Is there any way around this? This message will no doubt deter some from upgrading as they won't be assured their CC info is secure.

Quote · 20 Mar 2009


"This page contains both secure and nonsecure items. Do you want to display the nonsecure items?"


Well, methinks that's because you're not using SSL on the entire site. If you did, there'd be no reason for that message to appear. Look at it from a member's or surfer's point of view. You're browsing around on some pages within a site, and then suddenly, you're entering a different page with a different level of security ... which is still using some of the original data of the site itself (header, buttons, links, whatever - something) and that in turn causes Internet Explorer to "notice that something has changed", which in turn prompts that message to appear.


I don't see how you can stop that from happening but I do believe that most internet users with any degree of browsing experience will learn to click on YES when the time comes. My wife and I practically live online (met online too, way back in 1996) and we get that same message all of the time on quite a few sites that we do business with, huge corporate sites too. It's nothing more than an attention getter, reminding the user that there is unsafe stuff out there and that he or she should think for a moment about whom they're dealing with, before agreeing to a "security adjustment" in the browser window that they're using.


Greetings from Germany

Quote · 20 Mar 2009

Yes, put it on the entire site.

Quote · 20 Mar 2009

You are correct in that I'm not using the SSL for the entire site.  My question is why would I.  In every other site I've developed that dealt with online payment processing (mostly shopping carts) SSL is only required for the check-out process.

There are several reasons for which not to use SSL on an entire site, but the main reason is that SSL is a very server intensive process. This will slow down your site tremendously, especially as user traffic increases.

Since this is a community software package the whole point is to increase traffic.  As more and more people become aware of the site and start interacting the more the SSL is going to affect usability.

Quote · 21 Mar 2009

 

You are correct in that I'm not using the SSL for the entire site.  My question is why would I.  In every other site I've developed that dealt with online payment processing (mostly shopping carts) SSL is only required for the check-out process.

 

There are several reasons for which not to use SSL on an entire site, but the main reason is that SSL is a very server intensive process. This will slow down your site tremendously, especially as user traffic increases.

 

Since this is a community software package the whole point is to increase traffic.  As more and more people become aware of the site and start interacting the more the SSL is going to affect usability.

 

You asked how to resolve the issue concerning secure vs. unsecure elements on the page, I gave that to you.  Put the entire site under an SSL.  Now if you want speed, then you will have to allow the other option.  This is a SNS and not a shopping script. 

 

Your only other option, is to completely rewrite the checkout.php page to call identical files with alternative names and place the SSL on all of those files.  This means you will need to start with checkout.php and see every element it calls, then clone & rename all of those files.  Once done, this will give you a fully secured page with NO insecure elements.  Have fun cloning.

Quote · 21 Mar 2009

Yeah, I had already looked into what it would take to rewrite the checkout script.  HA!

I realize that this is SNS and not an online shopping cart but I would think that if they offer a payment system they would have gone to the trouble to make it secure without forcing you to sacrifice performance by unnecessarily making the entire site secure.

Quote · 21 Mar 2009

 

Yeah, I had already looked into what it would take to rewrite the checkout script.  HA!

 

I realize that this is SNS and not an online shopping cart but I would think that if they offer a payment system they would have gone to the trouble to make it secure without forcing you to sacrifice performance by unnecessarily making the entire site secure.

 

 

 

Short of cloning all the files that this requires, I don't see much other option as SSL's will slow a server down, especially one that is under load.  So, if you want the performance then the SSL has to be limited to the page the member checks out on.  If you want a site with full blown SSL then you need to sacrifice the performance. 

 

 

Quote · 22 Mar 2009

This actually should be possible to accomplish without re-writing all of the template files.

You simply add the following code to the top of the scripts/functions.php file for the skin you are using.

For example, if you are using the default uni skin, you would add the code to /templates/tmpl_uni/scripts/functions.php

    // Only rewrite URLs when the current request arrived over HTTPS.
    // !empty() avoids an "undefined index" notice on plain HTTP requests.
    if (!empty($_SERVER['HTTPS']) && ($_SERVER['HTTPS'] != 'off'))
    {
        // Replace Global Site values
        foreach ($GLOBALS['site'] as $szTempKey => $szTempVal)
        {
            $GLOBALS['site'][$szTempKey] = str_replace('http://', 'https://', $szTempVal);
        }
        $GLOBALS['page']['extra_js'] = str_replace('http://', 'https://', $GLOBALS['page']['extra_js']);
        $GLOBALS['page']['extra_css'] = str_replace('http://', 'https://', $GLOBALS['page']['extra_css']);
        $GLOBALS['sHomeUrl'] = str_replace('http://', 'https://', $GLOBALS['sHomeUrl']);
        $GLOBALS['sGlobalPath'] = str_replace('http://', 'https://', $GLOBALS['sGlobalPath']);
        $GLOBALS['sGlobalUrl'] = str_replace('http://', 'https://', $GLOBALS['sGlobalUrl']);
        $GLOBALS['sDataPath'] = str_replace('http://', 'https://', $GLOBALS['sDataPath']);

        // Replace Template Config values (string properties only)
        foreach ($GLOBALS['oTemplConfig'] as $szTempKey => $szTempVal)
        {
            if (is_string($szTempVal))
                $GLOBALS['oTemplConfig']->$szTempKey = str_replace('http://', 'https://', $szTempVal);
        }
        // Replace Template Site values (string entries only)
        foreach ($GLOBALS['oTemplConfig']->aSite as $szTempKey => $szTempVal)
        {
            if (is_string($szTempVal))
                $GLOBALS['oTemplConfig']->aSite[$szTempKey] = str_replace('http://', 'https://', $szTempVal);
        }
    }

This will replace all of the http:// with https:// in the relevant links in the skin. It is important to place this code right after the copyright comments, and before any function declarations. The great thing about this is that if you are using a custom skin (like I am) the changes take effect without modifying any of Dolphin's core code, and the code will not be affected by upgrades.

Additionally, you can add the following code to the .htaccess file (if you are running Apache with mod_rewrite enabled) to turn on SSL only for specific pages (the pedit.php and join.php pages in this example, but others can be added).

This code will move to SSL for just pedit.php and join.php and will move out when another page is visited. (This is a slightly modified version of a trick off of the Apache website.)

    # Flag the pages that must be served over SSL (dots escaped so they match literally)
    RewriteRule "^(pedit\.php)$" - [env=whwSecure:https]
    RewriteRule "^(join\.php.*)$" - [env=whwSecure:https]

    # Redirect to normal site: HTTPS request for an unflagged page or directory
    RewriteCond %{HTTPS} on
    RewriteCond %{env:whwSecure} !https
    RewriteCond %{REQUEST_URI} !^.*simg\.php
    RewriteCond %{REQUEST_URI} ^.+\.php [OR]
    RewriteCond %{REQUEST_URI} ^.+/$
    RewriteRule "^(.*)$" "http://%{HTTP_HOST}/community/$1" [R=301,L]

    # Redirect to secure site: plain HTTP request for a flagged page
    RewriteCond %{HTTPS} off
    RewriteCond %{env:whwSecure} https
    RewriteRule "^(.*)$" "https://%{HTTP_HOST}/community/$1" [R=301,L]

-Jason

There are many people who can write computer programs, but there are very few computer programmers.
Quote · 28 Aug 2009
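
A way to confirm that the checkout page no longer references anything over plain HTTP after a change like the one above. This is an added example, not part of the original thread and not Dolphin code: it parses a rendered page and lists the sub-resources still referenced with http://. The function name, the sample markup and the example.com host are assumptions made for illustration.

```php
<?php
// Added example (not Dolphin code): list sub-resources on an HTTPS page that
// are still referenced with http:// and would trigger the mixed-content prompt.
// Plain navigation links (<a href>) are ignored: they are not loaded with the
// page. Form actions are included because the card data is posted to them.
function findMixedContent(string $html): array
{
    // tag => attribute the browser fetches from (or posts the form to)
    $watch = [
        'script' => 'src', 'img' => 'src', 'iframe' => 'src',
        'link'   => 'href', 'form' => 'action',
    ];
    $doc = new DOMDocument();
    $previous = libxml_use_internal_errors(true); // tolerate sloppy markup
    $doc->loadHTML($html);
    libxml_clear_errors();
    libxml_use_internal_errors($previous);

    $findings = [];
    foreach ($watch as $tag => $attr) {
        foreach ($doc->getElementsByTagName($tag) as $node) {
            $url = trim($node->getAttribute($attr));
            // Relative and https:// URLs are fine; absolute http:// is not.
            if (stripos($url, 'http://') === 0) {
                $findings[] = ['tag' => $tag, 'attr' => $attr, 'url' => $url];
            }
        }
    }
    return $findings;
}

// Constructed sample of a rendered checkout page (hypothetical host and paths).
$sampleHtml = <<<'HTML'
<html><head>
<link rel="stylesheet" href="http://www.example.com/templates/tmpl_uni/css/general.css">
<script src="https://www.example.com/inc/js/functions.js"></script>
</head><body>
<a href="http://www.example.com/index.php">Home</a>
<img src="http://www.example.com/templates/tmpl_uni/images/logo.gif">
<form action="https://www.example.com/checkout.php" method="post"></form>
</body></html>
HTML;

foreach (findMixedContent($sampleHtml) as $f) {
    printf("<%s %s> %s\n", $f['tag'], $f['attr'], $f['url']);
}
```

Run it against the HTML the server actually returns for checkout.php over HTTPS; an empty result means no listed element still points at an http:// URL.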
 
 