Returning from https site to http php application

Posted on 2012-08-12
Last Modified: 2012-08-13
I have a php application that posts a shopping cart order to network merchants for credit card processing.  I have selected to have the response posted to my php application that is running on a http site.  Only a response code is coming back, but when I test it I get the warning message about moving from a secure to unsecure site.  The credit card transaction has already happened, but do I still need a certificate or is there another way to handle this response from network merchants?
Question by:farmingtonis
    LVL 31

    Accepted Solution

    The warning is happening for a good reason.

    Despite the fact that your users are on a secure HTTPS site (which would lead them to believe that the transaction is secure), you are having a response containing some of their order information posted to your HTTP site in an insecure manner. Regardless of how harmless the data being transmitted is, the situation is misleading to the customer, that's why they are getting the warning message.

    There are two options:

    1) Do not do a form POST. Just link to or redirect to your landing page. I'm pretty sure in that case there is no warning message, because no data is being transmitted. Of course this means no data gets posted to your PHP application, users just arrive there after completing the order. Perhaps if you only need a response code, you can put it into a GET parameter in the URL, rather than POSTing it?

    2) If you must transmit data about the customer's order to your own php application via a form post, then secure it with an SSL certificate.
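    As an added illustration (not code from the question or the accepted answer), here is a PHP landing page that combines the two options above: it refuses to serve over plain HTTP and redirects to HTTPS, and it takes only a small result code from a GET parameter instead of receiving posted order data. The parameter name `response_code`, its example values and the messages are placeholders; the real gateway's field names are not taken from the page.

```php
<?php
// Added example, not from the original question or answer.
// Landing page the payment gateway sends the customer back to.
// Assumptions (hypothetical): the gateway redirects the browser here with
// the result in a query parameter named "response_code"; that name and the
// values APPROVED / DECLINED are placeholders, not the gateway's real fields.

declare(strict_types=1);

// Option 2 from the answer: serve this page over HTTPS only, so the browser
// never has to show the secure-to-insecure warning.
function is_https(): bool
{
    return (!empty($_SERVER['HTTPS']) && $_SERVER['HTTPS'] !== 'off')
        || (int)($_SERVER['SERVER_PORT'] ?? 0) === 443;
}

if (!is_https()) {
    // Redirect the same path and query string to the HTTPS version of the site.
    $target = 'https://' . $_SERVER['HTTP_HOST'] . $_SERVER['REQUEST_URI'];
    header('Location: ' . $target, true, 301);
    exit;
}

// Option 1 from the answer: only a short code arrives in the URL via GET,
// no order details are posted to this page.
$code = $_GET['response_code'] ?? '';

// Validate the shape of the parameter before using it. Anything in the URL
// passed through the customer's browser and may have been edited.
if (!preg_match('/^[A-Za-z0-9_-]{1,16}$/', $code)) {
    http_response_code(400);
    echo 'Invalid response.';
    exit;
}

// Display only: show the customer what happened, but do not mark the order
// as paid on the strength of this value. The authoritative result should be
// confirmed with the gateway directly by the server (that call is not shown).
$messages = [
    'APPROVED' => 'Thank you, your payment was accepted.',
    'DECLINED' => 'Your card was declined. Please try another card.',
];
$text = $messages[$code] ?? 'Your order has been submitted; we will confirm by email.';

header('Content-Type: text/html; charset=utf-8');
echo '<p>' . htmlspecialchars($text, ENT_QUOTES, 'UTF-8') . '</p>';
```

    The HTTPS check reads the usual `HTTPS` server variable; behind a TLS-terminating proxy the application would instead need to trust a forwarded-proto header that the proxy sets, which is outside what the answer covers.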
    LVL 107

    Expert Comment

    by:Ray Paseur
    What Frosty555 said!  No points for this -- I just want to second his excellent recommendation. ~Ray
    LVL 31

    Expert Comment

    Wow, a hat-tip from Ray - I'm honoured!
