Closed (fixed)
Project: e-Commerce
Version: 4.7.x-3.x-dev
Component: authorize_net
Priority: Normal
Category: Bug report
Assigned: Unassigned
Reporter:
Created: 12 Jan 2007 at 19:55 UTC
Updated: 6 Oct 2009 at 17:06 UTC

When a transaction completes, the authorize.net module redirects users to the "authorize_net_success_url" without SSL. There's no reason this poses a security risk, so far as I can tell, but it sure does generate an error message in IE6 SP2. Attached is a screenshot. Is there any reason this shouldn't be an HTTPS link? Can this even be done with drupal_goto()?
authorize_net.module, line 454:
```php
// We want to go to a http, not https.
//$goto = str_replace('https://', 'http://', $base_url);
drupal_goto(variable_get('authorize_net_success_url', 'node'));
break;
```
| Comment | File | Size | Author |
|---|---|---|---|
| | Security-Alert.jpg | 55.67 KB | matt@antinomia |
Comments
Comment #1
matt@antinomia commented
Not a formal patch, but this does the trick...
Comment #2
bjaspan commented
The solution to this problem is to remove all HTTPS-redirection code from authorize_net.module and allow admins to configure SSL pages with the 'securepages' module. I've submitted at least two patches to the module and one of them removes the redirects; you might want to give it a try.
Comment #3
gordon commented
This is now handled by secure pages
Comment #4
(not verified) commented
Comment #5
jdsaward commented
(Referring to #1)
Surely it should be:
```php
$goto = str_replace('https://', 'http://', $base_url) . '/' . variable_get('authorize_net_success_url', 'node');
```
Comment #6
kccmcck commented
I was receiving the exact same Security Alert on a 4.7 site but only in IE6. I installed the Secure Pages module (4.7 dev version) and selected "Switch back to http pages when there are no matches" and showed only on the listed pages:
cart
cart/checkout
cart/review
store
store/*
store/payment/*
authorize_net
authorize_net/*
The real trick here is including the authorize_net path since the redirect to an http:// was what was causing the Security Alert.
I had no need to apply any patches to the authorize_net.module.
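
A simplified model of the path-list configuration described in comment #6, as an added example that is not part of the thread and is not the Secure Pages module's own code. The function names and the sample request paths are hypothetical, and `*` is assumed to match any run of characters.

```php
<?php
// Path patterns as listed in comment #6, one per line.
$secure_patterns = "cart\ncart/checkout\ncart/review\nstore\nstore/*\n"
  . "store/payment/*\nauthorize_net\nauthorize_net/*";

/**
 * Hypothetical helper: TRUE when $path matches one of the listed patterns.
 */
function example_path_is_secure($path, $patterns) {
  $parts = array();
  foreach (explode("\n", trim($patterns)) as $pattern) {
    // Quote the pattern, then turn the escaped '*' back into a wildcard.
    $parts[] = str_replace('\*', '.*', preg_quote(trim($pattern), '#'));
  }
  return (bool) preg_match('#^(' . implode('|', $parts) . ')$#', $path);
}

/**
 * Hypothetical helper: the scheme a request must be redirected to, or NULL
 * when it may stay as it is. $switch_back models the "Switch back to http
 * pages when there are no matches" setting (assumed behaviour).
 */
function example_required_scheme($path, $is_https, $patterns, $switch_back = TRUE) {
  $secure = example_path_is_secure($path, $patterns);
  if ($secure && !$is_https) {
    return 'https';
  }
  if (!$secure && $is_https && $switch_back) {
    return 'http';
  }
  return NULL;
}

// Constructed sample requests: array(path, arrived over HTTPS?).
$requests = array(
  array('cart/checkout', FALSE),
  array('authorize_net/form/12', TRUE),
  array('store/payment/authorize_net', FALSE),
  array('node', TRUE), // default authorize_net_success_url
);
foreach ($requests as $request) {
  list($path, $is_https) = $request;
  $to = example_required_scheme($path, $is_https, $secure_patterns);
  printf("%-28s %-5s -> %s\n", $path, $is_https ? 'https' : 'http',
    $to === NULL ? 'stay' : "redirect to $to");
}
```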