I've spent a week going back and forth with MIVA support on this issue, and finally I was advised to try the user forums because the support technician was unable to find a solution.
Summarizing the important parts:
During some testing, I noticed that I get security warnings when adding items to the cart when logged in:
I was eventually able to narrow the issue down to the form action for the "Add to Cart" button going to a non-secure url from a secure page. I use MIVA's seo shortlinks ( for example ../category/&mvta:cattree_category:code;.html or ../product/&mvta:product:code;.html). With this setup, if you're on a secure url, when you click one of these links, you will stay on a secure url, if you're not on a secure url, it will stay non-secure. The issue is that the form action always uses a non-secure url, no matter what. (
using this code: <form method="post" name="FORM" action="&mvt:global:sessionurl;">).
The best advice that they could give me was to stop using seo shortlinks all together (since doing that passes the session id when going from secure to non-secure) and go back to this format:
<a href="&mvt:global:sessionurl;Screen=PLST&Store_Cod e=&mvt:global:Store_Code;"><img src="graphics/00000001/productlist.gif" alt="Product List" border=0></a>
Is there really no way to make the form action go to a secure url from a secure page, and a non secure url from a non secure page? From what I can tell this would fix everything (would that open some hole security?).
Summarizing the important parts:
During some testing, I noticed that I get security warnings when adding items to the cart when logged in:
"Although this page is encrypted, the information you have entered is to be sent over an unencrypted connection and could easily be read by a third party.
Are you sure you want to continue sending this information?"
Are you sure you want to continue sending this information?"
using this code: <form method="post" name="FORM" action="&mvt:global:sessionurl;">).
The best advice that they could give me was to stop using seo shortlinks all together (since doing that passes the session id when going from secure to non-secure) and go back to this format:
<a href="&mvt:global:sessionurl;Screen=PLST&Store_Cod e=&mvt:global:Store_Code;"><img src="graphics/00000001/productlist.gif" alt="Product List" border=0></a>
Is there really no way to make the form action go to a secure url from a secure page, and a non secure url from a non secure page? From what I can tell this would fix everything (would that open some hole security?).
Comment