sent
in the following documentation on how to provide a workaround for the
secure server dilemma with WebStore.
Selena Sol's Web Store Script Secure Server Workaround White Paper
George A. Roberts IV
Vice President of Interactive Media
Now Computing
February 2, 1999
Introduction
One of the biggest problems with the Web Store script is that when
attempting to use it with a secure server according to the documentation,
it only goes into secure mode when the user hits "submit" on the form
that includes their credit card information. While this is technically
secure, most users expect to see the secure icon on their web browser
when the form is displayed.
Due to technical limitations of the script, this is not possible in the
original implementation. The reason for this is that every action is
processed through a form on the page, with all actions being processed
through the same form. Due to the way that forms work in HTML, there
is only one possible action for a form. This means that all actions
(e.g. view cart, add item, checkout) must lead to either a non-secure
location or a secure location. You cannot have all the options go to
a non-secure location except the checkout button.
The Workaround
However, there is a way around this. The general idea is to modify
the script where it processes the "checkout" request and have it
send an HTTP redirect to the location of your secure copy of the
script.
The modifications are fairly routine, but there is one possible
side effect. To make this change, you must move the line in
the script that outputs the "Content-type" string to the browser to
another location. The possible side effect is that, should an error
occur while loading one of the included libraries at the beginning of
the script, the script will not be able to output its error message
to the browser. However, the likelihood of this occurring, in my
opinion, is fairly small, and this is a small price to pay for this
increased functionality.
One of the goals in this workaround was to save you from making a
large number of changes to your site and to the script. This workaround
achieves that goal.
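The first thing that needs to be done is to create the following
section in your script:

    # Checkout was requested: redirect the browser to the secure copy
    # of the script instead of handling the request here.
    if ($form_data{'order_form_button'} ne "")
    {
        print "Location: $sc_order_script_url?order_form_display=on&page=$page&cart_id=$cart_id\n\n";
        exit;
    }
    # All other requests: send the normal header. It is printed here,
    # after the redirect check, so it is never sent ahead of a Location
    # header.
    print "Content-type: text/html\n\n";
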
If you are using graphical buttons, remember to place the ".x" after
"order_form_button".
This section should be created immediately above the large block of
if-then statements that process the form commands. You should find
the original location of the "Content-type" print command in your
script and delete that line.
Then, find the original section that processes the "order_form_button"
form field, and change "order_form_button" to "order_form_display".
DO NOT PUT A ".x" AFTER IT, EVEN IF YOU *ARE* USING IMAGES AS YOUR
BUTTONS.
Make sure that your $sc_order_script_url variable in your setup file
points to your secure copy of the script.
The basic overview of the process that the user will now go through
is this:
The user browses your store as usual, adding items as usual, all in
non-secure mode. Once they click on "Checkout" (or the equivalent on
your store), the form is submitted to your non-secure copy of the
script. That copy receives the "order_form_button" command and
outputs an HTTP Location response that tells the browser to redirect
to the secure copy of your script, passing the cart_id in the URL's
query string. The browser then loads the secure copy of your script
and allows the user to check out in fully secure mode.
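A hardened form of the redirect step described above, as an added example that is not part of the original white paper or of Web Store itself. It assumes that cart_id and page reach the script as untrusted form fields; the secure URL, the allowlist patterns and the helper names url_encode and checkout_redirect_url are hypothetical.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Added example, not Web Store code. Assumptions: the URL is a placeholder,
# and cart_id / page reach the script as untrusted form fields.
my $sc_order_script_url = 'https://secure.example.com/cgi-bin/web_store.cgi';

# Percent-encode everything outside the RFC 3986 unreserved set, so CR, LF,
# '&' and '=' in a value cannot change the header or the query string.
sub url_encode {
    my ($value) = @_;
    $value =~ s/([^A-Za-z0-9\-._~])/sprintf('%%%02X', ord($1))/ge;
    return $value;
}

# Build the redirect target, or return undef if a field fails its allowlist.
# The allowlists are assumptions; tighten them to what your store generates.
sub checkout_redirect_url {
    my ($cart_id, $page) = @_;
    return unless defined $cart_id && $cart_id =~ /\A[A-Za-z0-9._-]{1,64}\z/;
    return unless defined $page    && $page    =~ /\A[A-Za-z0-9._\/-]{0,128}\z/;
    return $sc_order_script_url
         . '?order_form_display=on'
         . '&page='    . url_encode($page)
         . '&cart_id=' . url_encode($cart_id);
}

# Constructed sample input standing in for %form_data: one normal request
# and one whose cart_id contains a line break.
my @samples = (
    { cart_id => '1234567.8901',        page => 'products.html' },
    { cart_id => "1234\r\nX-Test: yes", page => 'products.html' },
);

for my $form_data (@samples) {
    my $url = checkout_redirect_url($form_data->{cart_id}, $form_data->{page});
    if (defined $url) {
        print "Location: $url\n\n";
    } else {
        # Refuse the request rather than echo a malformed value into a header.
        print "Status: 400 Bad Request\nContent-type: text/plain\n\nInvalid request.\n";
    }
}
```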
Additional Information
Any questions, comments, thoughts, or suggestions can be addressed
via internet e-mail to .
Now Computing is available for CGI programming and customization for
reasonable hourly rates. If you would like work done on your copy
of Web Store, please feel free to contact us via e-mail at .