
Should authorize_net.module redirect to SSL page upon order completion?

Project: e-Commerce
Version: 4.7.x-3.x-dev
Component: authorize_net
Category: bug report
Priority: normal
Assigned: Unassigned
Status: closed (fixed)

Issue Summary

When a transaction completes, the authorize.net module redirects users to the "authorize_net_success_url" without SSL. There's no reason this poses a security risk, so far as I can tell, but it sure does generate an error message in IE6 SP2. Attached is a screenshot. Is there any reason this shouldn't be an HTTPS link? Can this even be done with drupal_goto()?

authorize_net.module, line 454:

      // We want to go to a http, not https.
      //$goto = str_replace('https://', 'http://', $base_url);
      drupal_goto(variable_get('authorize_net_success_url', 'node'));
      break;
Attachment: Security-Alert.jpg (55.67 KB)

Comments

#1

      // We want to go to a http, not https.
      //$goto = str_replace('https://', 'http://', $base_url);
      //drupal_goto(variable_get('authorize_net_success_url', 'node'));
      // Or do we?
      $goto = str_replace('http://', 'https://', $base_url) . '/' . variable_get('authorize_net_success_url', 'node');
      drupal_goto($goto);
      break;

Not a formal patch, but this does the trick...

#2

The solution to this problem is to remove all HTTPS-redirection code from authorize_net.module and allow admins to configure SSL pages with the 'securepages' module. I've submitted at least two patches to the module and one of them removes the redirects; you might want to give it a try.

#3

Status: active » fixed

This is now handled by secure pages

#4

Status: fixed » closed (fixed)

#5

(Referring to #1)

Surely it should be:

$goto = str_replace('https://', 'http://', $base_url) . '/' . variable_get('authorize_net_success_url', 'node');

#6

I was receiving the exact same Security Alert on a 4.7 site but only in IE6. I installed the Secure Pages module (4.7 dev version) and selected "Switch back to http pages when there are no matches" and "Show only on the listed pages":

cart
cart/checkout
cart/review
store
store/*
store/payment/*
authorize_net
authorize_net/*

The real trick here is including the authorize_net path since the redirect to an http:// was what was causing the Security Alert.

I had no need to apply any patches to the authorize_net.module.
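As an added example (not code from the e-Commerce module, the Secure Pages module or any commenter), here is a Python re-implementation of the decision Secure Pages makes for the configuration in #6: a request whose path matches the list is forced to https, and, with "Switch back to http pages when there are no matches" enabled, any other request is forced back to http. Assumptions, labelled in the code: the pattern syntax follows Drupal's drupal_match_path() (one pattern per line, '*' matches any run of characters, '<front>' stands for the front page), the front page is 'node', and the request URLs are constructed for the demonstration.

```python
"""Added example: a Python model of the Secure Pages scheme decision.

This is not Drupal or Secure Pages code. Assumptions:
  - pattern syntax as in Drupal's drupal_match_path(): one pattern per
    line, '*' is a wildcard, '<front>' means the site front page;
  - the front page path is 'node' (Drupal's default, assumed here);
  - the request URLs below are constructed, not captured traffic.
"""
import re
from urllib.parse import urlsplit, urlunsplit

# The path list from comment #6, verbatim.
SECURE_PAGES_PATTERNS = """cart
cart/checkout
cart/review
store
store/*
store/payment/*
authorize_net
authorize_net/*"""

FRONT_PAGE = "node"  # assumed default front page


def compile_patterns(pattern_text, front_page=FRONT_PAGE):
    """Build one anchored regex from the newline-separated pattern list.

    Each line is a literal path except that '*' becomes '.*' and
    '<front>' becomes the front-page path. Anchoring matters: 'cart'
    matches only the cart page, not 'cart/checkout' or 'cartoon'."""
    alternatives = []
    for line in pattern_text.splitlines():
        line = line.strip()
        if not line:
            continue
        if line == "<front>":
            line = front_page
        # Escape the literal pieces, then rejoin them on the wildcard.
        alternatives.append(".*".join(re.escape(p) for p in line.split("*")))
    return re.compile(r"^(?:" + "|".join(alternatives) + r")$")


def target_scheme(path, current_scheme, matcher, switch_back=True):
    """Return 'https' or 'http' if the request must be redirected, else None.

    Models the two settings named in #6: listed pages are served on
    https ('Show only on the listed pages'); with switch_back=True any
    unlisted page on https is sent back to http."""
    listed = matcher.match(path) is not None
    if listed and current_scheme != "https":
        return "https"
    if not listed and switch_back and current_scheme != "http":
        return "http"
    return None


def redirect_for(url, matcher, switch_back=True):
    """Return the redirect target for a full URL, or None if it stays put.

    Query string and fragment are preserved; only the scheme changes."""
    parts = urlsplit(url)
    new_scheme = target_scheme(parts.path.lstrip("/"), parts.scheme,
                               matcher, switch_back)
    if new_scheme is None:
        return None
    return urlunsplit((new_scheme, parts.netloc, parts.path,
                       parts.query, parts.fragment))


if __name__ == "__main__":
    matcher = compile_patterns(SECURE_PAGES_PATTERNS)
    # Constructed sample requests on a hypothetical shop host.
    for url in ("http://shop.example/authorize_net/status",
                "https://shop.example/node",
                "https://shop.example/store/payment/authorize_net",
                "https://shop.example/cartoon"):
        print(f"{url:55s} -> {redirect_for(url, matcher)}")
```

Note what the list in #6 relies on: 'store' alone covers only the store front page, so 'store/*' is needed for everything beneath it, and the same holds for 'authorize_net' versus 'authorize_net/*'. With "Switch back to http pages" enabled, every path not on the list is actively pushed to http, so omitting the callback path is exactly what produces an https-to-http hop during checkout.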