Membership creating HTTPS calls when inapplicable

Just like the title says, I am getting HTTPS:// calls at inappropriate times, and all the browsers spit out warnings for insecure content. The easiest way to reproduce is to go the /register/ page, create an account and view the fields for credit card entry (all of which parse ok). If I don't do the checkout, and go straight to any other page, the call is still HTTPS://.

No matter what link is clicked after the warnings, a 'S' call is always made, essentially breaking the experience of the site.

Any ideas?

  • 3SixtyEvolve
    • New Recruit

    Hi Opus13

    Thank you for being a member and for posting to the Community!

    I believe you've had a related problem here?

    Is it possible to share a link with us to see the behavior? Also, I had a look to see if anyone else is facing this problem and I found these posts that share the same subject:

    SSL Issues
    Problems with HTTPS plug in/SSL and MarketPress

    These might be able to give you some guidance on what to do. If you still feel you need support on this matter, please let me know and we can investigate further.

    I wish you all the best in setting up your site. Have a blessed day!

    Gina

  • opus13
    • Site Builder, Child of Zeus

    Unfortunately, this is a separate SSL issue. All elements checkout as S compliant, it's just that when browsing back through the site (after visiting an 'S' page, that the transport is defined, and doesn't release to non-secure standards.

    http://www.naturalevo.com is the site. go to http://www.naturalevo.com/register/ and create an account, and then before checking out go anywhere else.

    Nothing but browser warnings :disappointed:

  • 3SixtyEvolve
    • New Recruit

    Hi Opus13

    I tried to subscribe to one of the subscription plans, but then went out from there, as you mentioned, and tried to access other pages again. I got the message in my browser that there are non-secure content and I could see the https in the URL of all the pages I visited after that.

    Awaiting feedback from the Developer.

    Have a good weekend.

    Gina

  • Barry
    • DEV MAN’s Mascot

    You don't mention what gateway you are using, as the gateway is responsible for those parts of the pages- it is likely to be a gateway issue.

    Can you let me know which ones (or just one if you only have a single one selected) and we'll have a dig through and see if we can get an update out.

  • aecnu
    • WP Unicorn

    Greetings opus13,

    Sorry for the delay here in a return response from the lead developer.

    Though I am not aware of the reason for the delay I am going to go ahead and let him know that you have indeed indicated what gateway is giving you issues.

    I have noticed in the Membership plugins change log that in the last version 3.0.2 that there were some fixes to the Authorize.net gateway.

    Could you please confirm that you are indeed running version 3.0.2 of the membership plugin?

    Cheers, Joe

  • aecnu
    • WP Unicorn

    Greetings opus13,

    Just touching base with you to let you know that I am going to try to get the lead developer of the authorize.net gateway in here @ColeS to see what he thinks of this reported issue and any advice/advise us what can possibly be done to overcome this issue.

    Thank you for your patience.

    Cheers, Joe

  • Cole
    • The Incredible Code Injector

    Ok so whats happening is Authorize.net requires you use an SSL connection to make a call to their API. If we don't force the https connection during the user registration process just before the payment page the php session is lost and the user never gets logged in resulting in them potentially being returned to a content protected page after they just paid you money, which not a lot of users like.

    Just to clarify the browser warnings are from loading unsecured http:// content on a https:// page correct? Its not a self signed certificate or anything like that?

  • opus13
    • Site Builder, Child of Zeus

    The issue isn't before a transaction is made, it's after the process has been exited. When opting out of the checkout process and returning to the home page, the request is still https (when it no longer needs to be), and browser warnings pop up everywhere.

    The landing page isn't 's', and doesn't need to be, yet the plugin is still forcing the issue after the checkout process has been aborted.

    I understand the inherent value and requirement of an SSL call, it is just a very, very large turn-off to the potential client base when they are perusing the site.

  • Cole
    • The Incredible Code Injector

    The real issue is logging the user in automatically after they create their account. So they aren't pointed to a protected content page after they pay.

    Now, I wrote a filter than could force the redirect back to http:// instead of 's' but the user would be logged out and would have to sign in again. What are your thoughts on that.

  • opus13
    • Site Builder, Child of Zeus

    Hmm. That's a pretty tough call --either the 'invisible mans' experience is tainted, or someone that has already drank the cool aid :wink:

    Is there a way to easy turn that filter on/off in order to get a better idea as to the UX aspect of using that tool?

  • Cole
    • The Incredible Code Injector

    Ok add this to a filename of your choosing that ends in .php

    Insert it into your wp-content/plugins/ folder directly and then activate it.

    Let me know if there are any problems.

    <?php
    /*
    Plugin Name: Authorize.net AIM Membership SSL Switcher
    Plugin URI: https://premium.wpmudev.org
    Description: Make sure that membership loads up non-secure after using authorize.net.  This script work anytime that authorize.net is set as an active gateway.
    Version: 1.0
    Author: Cole (incsub)
    Author URI: https://premium.wpmudev.org
    License: GPLv3
    
        This program is free software: you can redistribute it and/or modify
        it under the terms of the GNU General Public License as published by
        the Free Software Foundation, either version 3 of the License, or
        (at your option) any later version.
    
        This program is distributed in the hope that it will be useful,
        but WITHOUT ANY WARRANTY; without even the implied warranty of
        MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
        GNU General Public License for more details.
    
        You should have received a copy of the GNU General Public License
        along with this program.  If not, see <http://www.gnu.org/licenses/>.
    
    */
    add_action('membership_payment_subscr_signup','adjust_aim_ssl',99);
    
    function adjust_aim_ssl($user_id, $sub_id) {
    	$gateways = get_option('membership_activated_gateways');
    
    	if(!is_array($gateways) && !in_array('authorizenetaim',$gateways))
    		return;
    
    	if(is_ssl()) {
    		$url = str_replace('https://','http://',M_get_registrationcompleted_permalink());
    		wp_redirect($url);
    		exit;
    	}
    
    }
    ?>
  • opus13
    • Site Builder, Child of Zeus

    I placed it in "/wp-content/plugins/ssl/sslswitch.php" and activated it via the plugins panels and went through the regular process of browsing to checkout and then returning home. Still a https call.

    The plugin is still activated now, if you would like to verify.

    <img src="http://www.naturalevo.com/img/errors/sslswitch.jpg">

    ----------------------
    edit: no more image embedding?

  • Cole
    • The Incredible Code Injector

    Thanks for touching base with opus13 Mason.

    And sorry for the delay. When you get to that page opus13, since you are in Chrome it seems could you right click anywhere on the "unsecured" page and "Inspect Element". If you click the console tab you should be able to see a list of the content that was loaded insecurely. Could you pass that along to me here?

  • Cole
    • The Incredible Code Injector

    We had some weird issues with thread subscriptions last week.

    Is there anything in the membership directory that is being loaded insecurely? Sounds like maybe other plugins are causing the errors too.

  • Cole
    • The Incredible Code Injector

    Well I disagree on whether it should be an "s" or not, as I stated earlier this can cause particular installations to force the user to login again after paying. Looking at your site, nothing from membership's plugin is loaded improperly only other plugins.

    I think maybe the gateway check I was doing wasn't working on the last version. Change the url in the code there to whatever you like. Activate it and that will make it do what you want.

    <?php
    /*
    Plugin Name: Authorize.net AIM Membership SSL Switcher
    Plugin URI: https://premium.wpmudev.org
    Description: Make sure that membership loads up non-secure after using authorize.net.  This script work anytime that authorize.net is set as an active gateway.
    Version: 1.0
    Author: Cole (incsub)
    Author URI: https://premium.wpmudev.org
    License: GPLv3
    
        This program is free software: you can redistribute it and/or modify
        it under the terms of the GNU General Public License as published by
        the Free Software Foundation, either version 3 of the License, or
        (at your option) any later version.
    
        This program is distributed in the hope that it will be useful,
        but WITHOUT ANY WARRANTY; without even the implied warranty of
        MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
        GNU General Public License for more details.
    
        You should have received a copy of the GNU General Public License
        along with this program.  If not, see <http://www.gnu.org/licenses/>.
    
    */
    add_action('membership_payment_subscr_signup','adjust_aim_ssl',999);
    
    function adjust_aim_ssl($user_id, $sub_id) {
    	$url = 'http://www.naturalevo.com';
    	wp_redirect($url);
    	exit;
    }
    ?>
  • PC
    • WPMU DEV Initiate

    Greetings and thanks for being a great community member.

    We haven't heard from you on this one for long and I am doing a regular followup to see if there is still something we can assist you on this thread.

    Just to manage the support issues more efficiently, I am marking this thread as resolved for now however this is not being done to avoid your questions in any ways.

    Please feel free to mark this is "Not resolved" in case you have further questions and we would be back on it.

    Thanks a lot for being with WPMU DEV.

    Cheers
    PC
    Sales &Support

    Did you know we offer FREE lifetime memberships? Click here to learn more.

  • opus13
    • Site Builder, Child of Zeus

    Whoops, I've been busy as hell, and forgot to respond to this thread.

    I placed Cole's ssl switcher into /wp-content/plugins/ssl/ssl-switch.php, and activated the plugin.

    No love. When a user does not complete the sign up form and clicks any other link on the site, all calls are https.

  • Cole
    • The Incredible Code Injector

    Still looks like the content is being loaded in-securely from other plugins and scripts.

    I'm working out a new authorize.net gateway I will see If I can incorporate the drop-in plugin code into the core for the next release. Everything is working as intended at the moment though.

  • Cole
    • The Incredible Code Injector

    Hey opus13,

    I'm just tried going through the registration process on your site. Looks like It logs me in correctly on both https and http.

    And if your using the new 3.4.3 beta it should be redirecting you properly. How are you testing this? Are you using a test transaction? Everything should be working properly so I'll need to learn a bit more before I can figure out whats happening.

  • Cole
    • The Incredible Code Injector

    Ok now I see, I assumed you were talking about after returning to https after a purchase via membership.

    So this is actually a WordPress or possibly a theme issue, not anything with membership. Wordpress urls will default to an https scheme if it detects that your on an ssl page.

    I wrote some code you can drop in somewhere to test if thats something you feel comfortable doing.

    add_filter('site_url','fix_url_ssl',99,4);
    add_filter('home_url','fix_url_ssl',99,4);
    function fix_url_ssl($url, $path, $scheme, $blog_id) {
    	if(is_ssl()) {
    		$url = str_replace('https://','http://',$url);
    	}
    	return $url;
    }

    Let me know if that works or not. You can add it to the bottom of your theme's functions,php file if you don't have a specific place you would like it to be placed.

    Oh and thanks for the screencast, that clarified the issue quite nicely.

Thank NAME, for their help.

Let NAME know exactly why they deserved these points.

Gift a custom amount of points.