Solved

History, frames and https

Posted on 2006-12-01
250 Views
Last Modified: 2008-02-01
My site is built with 2 frames:
frame a: a menu
frame b: pages that change according to selections in the menu or according to actions in frame b.

Up to now, this sequence worked well:
1. Typing domain.com as the address displays both the menu and the "home" page
2. Clicking on Login in the menu gets the Login page in frame b
3. Entering username and password brings a Search page in frame b, including a button to buy a subscription
4. Clicking on the subscription button gets the fee page in frame b, with a buy button
5. Clicking on the buy button gets the user coordinates page in frame b with a pay button
6. Clicking on the Pay button gets a confirmation page in frame b with a Goto to secure payment server button
7. Clicking on the Payment server button gets the payment page (https:...) in frame b with credit card number, ... and a Process button
8. Clicking on the Process button with a wrong expiration date gets the Refusal page in frame b. That page is POSTED by the payment server
9. Clicking on the Back to origin button on the Refusal page gets the Search page in frame b through a history.go(-5) command.

It worked well except for one thing: people didn't see the security lock nor the https address when they got the Payment page. Some customers backed off because they feared the payment site was not secure.

To correct that, the payment page is now displayed full screen, using TARGET="_top" to get it over the 2 frames.

THE PROBLEM: in step 9, clicking on the "Back to origin" button gets the user back to:
- frame a: the menu (OK)
- frame b: the "home page" (WRONG)

If the user uses the browser's "Back" button, the page doesn't change. By selecting the "Payment page" in the history, the user gets it, and from there on he can click on the browser's Back button 4 times to get the Search page in frame b.

Why is this and do you know a way to solve it? I have to use something like history.go(-5) because there are many pages from which the user can get into a buying sequence, and I want him to go back to where he was, whatever that may be.
Question by: Gite

16 Comments
LVL 51

Expert Comment

by:ahoffmann
ID: 18057325
rule #1: don't use frames if security counts
rule #2: there is currently no browser which indicates undoubtedly which part of the screen (frame) is secure (https)
conclusion: get rid of frames (if you care about obvious security)

Author Comment

by:Gite
ID: 18057383
impossible in the short term to do that.
LVL 51

Expert Comment

by:ahoffmann
ID: 18057485
frames are unreliable (if security counts). Dot. Period.
You better go with your target="_top" solution.
LVL 8

Expert Comment

by:mhunts
ID: 18061937
You can make the entire site secure. Then the user would always see the https and the lock.

or you could use a popup.

Author Comment

by:Gite
ID: 18063121
Right, but I try not to, to avoid that cost.
LVL 51

Expert Comment

by:ahoffmann
ID: 18063522
you avoid the costs, but the user should pay and be insecure? I get the feeling that there is something wrong in your idea...
Please let us know if you're interested in a technical secure suggestion, or just in something insecure and low costs.

Author Comment

by:Gite
ID: 18063823
The user is SAFE NOW. The paysite is a HTTPS server
The only thing I do not like is that because of frames he does not SEE the lock.
That is why I use TARGET="_top" to go to the paysite. That way, the user can see that lock.
But the history.go(-5) does not work on the "Go back to origin" button, AFTER THE PAYMENT has been accepted.
LVL 51

Expert Comment

by:ahoffmann
ID: 18064194
if I don't see the lock, the site is unsafe. Dot.
And even if you see the lock, it could be a spoofed page (using iframes or whatever). So getting rid of frames/iframes is the first step to make it secure.

> .. is that because of frames  ..
that's what I say: see above

Well, I agree that using frames makes some things simple for the programmer (and unreliable for the user), but if security counts, you have to do it the safe (hard) way: no frames.

Author Comment

by:Gite
ID: 18064712
I will eventually, but that is impossible in the short term. So I need a solution now.
LVL 8

Expert Comment

by:mhunts
ID: 18066664
If this is a temporary solution, then you should consider opening a new window for the secure pages. That way the user will see the lock. Not the best, but a good compromise for a temporary solution.
LVL 51

Expert Comment

by:ahoffmann
ID: 18067649
agree with mhunts' last suggestion

Author Comment

by:Gite
ID: 18068775
When I call the HTTPS pay page with TARGET="_top", the user sees the lock. The problem is that when the paysite gives me the control back (say to my Refusal page), I want to give the user the opportunity to go back to where he was before starting the pay process (5 pages ago).

That is why I offer him a "Back to origin" button. That button has a history.go(-5) command.

That command did work well before I introduced my TARGET="_top" to get to the pay page. It does not since.

Why do you think opening a new page instead of using TARGET="_top" will be different?
LVL 8

Accepted Solution

by: mhunts (earned 500 total points)
ID: 18072151
In this case, spawn the new window 5 pages prior to when I first recommended. The user will be in the new window for the entire pay transaction, and they can close the new window to get them back to the original window. Difficult to explain, so an example...

Spawn new window

page 1
page 2
page 3
page 4
page 5
When you want to go 5 pages back, close the new window, and you'll be 5 pages back.

Not the best solution, but a simple temporary solution you can use that I think meets your requirements.
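The accepted solution in code, as an added example that is not part of the thread: the buying sequence runs in its own top-level window opened from the menu page, so the lock and the https address the user sees belong to the payment pages alone, and "Back to origin" closes that window instead of calling history.go(-5) (which, inside the new window, would only see that window's own history). The function names, the `win` parameter (pass `window` in a page; a stub is used for testing outside a browser) and the URLs are assumptions, not anything from the original site.

```javascript
// Added example, not the original site's code. `win` is the window object,
// passed in so the logic can be exercised with a stub outside a browser.

// Opener side (menu / search page): start the buying sequence in a new
// window. Only an https URL is accepted, so a stale or mistyped link can
// never land the card-entry pages in a window without the lock.
function openPaymentWindow(win, payUrl) {
  if (!/^https:\/\//i.test(payUrl)) {
    throw new Error('payment flow must start on an https URL: ' + payUrl);
  }
  // A named window is reused if the user clicks twice. toolbar/location
  // keep the address bar visible so the https URL and lock can be checked.
  const handle = win.open(payUrl, 'payment',
    'toolbar=yes,location=yes,resizable=yes,scrollbars=yes');
  if (!handle) {
    throw new Error('popup blocked; the user must allow popups for this site');
  }
  return handle;
}

// Payment-window side ("Back to origin" button on the Refusal or
// confirmation page): close this window, which uncovers the original
// window still showing whatever page the user left, however many pages
// the buying sequence took. If the page was reached without an opener
// (bookmark, opener already closed), fall back to a fixed page instead.
function backToOrigin(win, fallbackUrl) {
  if (win.opener && !win.opener.closed) {
    win.close();
    return 'closed';
  }
  win.location.href = fallbackUrl;
  return 'navigated';
}
```

In the page, `openPaymentWindow(window, 'https://pay.example.com/start')` goes on the subscription button and `backToOrigin(window, 'https://www.example.com/')` on the Back-to-origin button (example.com addresses are placeholders).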

Author Comment

by:Gite
ID: 18075940
Thanks. I'll try it with pleasure.
LVL 8

Expert Comment

by:mhunts
ID: 18079975
With the two separate windows, it provides a clearer distinction to the user that when they're in the new window, they're in a secure environment, and when they go back, they're in the non-secure environment.

Author Comment

by:Gite
ID: 18149900
Finally, the new window solution has been successfully implemented. Thanks
