I have SSL on my e-commerce web site. At first, the browser was always asking "do you want to show this web site's content" on every page, and when I redirect to the mycart page the browser shows the same alert, like this: "This webpage contains content that will not be delivered using a secure HTTPS connection, which could compromise the safety of the entire webpage....Yes...No....". After I clicked Yes, all my sessions became null. Do you have any suggestions for me?
KR,
Çağın
The problem is your secure page is accessing information (scripts, images, etc.) from pages that are not secure. For example if you reference a javascript file (say jQuery) from a nonsecure site (say Google) then certain browsers (like IE) will display this message. You need to search through your references and find these. In other words searching src="http or something along those lines will pull up the nonsecure references.
Depending on what you are referencing you can move those items to your site so that they are now "secure". Also, in some cases changing your reference from src="http to src="https can resolve the problem.
Once you resolve this alert you can check again to see if you are having sessions issues as you could have some other issues to address.
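The search suggested in this answer, as an added example that is not part of the original post: a plain text search for `src="http` misses single-quoted and unquoted attributes and, if extended to `href`, also flags ordinary links, so this sketch reports only tags that actually load a subresource. The sample page and its host names are constructed.

```javascript
// Added example; a regex scan for auditing templates, not a full HTML parser.
// Tag -> attributes that make the browser fetch a subresource for the page.
const SUBRESOURCE_ATTRS = new Map([
  ['script', ['src']], ['img', ['src']], ['iframe', ['src']],
  ['embed', ['src']], ['audio', ['src']], ['source', ['src']],
  ['video', ['src', 'poster']], ['object', ['data']], ['link', ['href']],
]);

function attrValue(tagText, name) {
  // Double-quoted, single-quoted or unquoted value; "\s" keeps data-src from matching src.
  const re = new RegExp('\\s' + name + '\\s*=\\s*(?:"([^"]*)"|\'([^\']*)\'|([^\\s>]+))', 'i');
  const m = re.exec(tagText);
  return m ? (m[1] ?? m[2] ?? m[3]).trim() : null;
}

function findInsecureSubresources(html) {
  const findings = [];
  const tagRe = /<([a-zA-Z][a-zA-Z0-9]*)\b[^>]*>/g;
  for (const m of html.matchAll(tagRe)) {
    const tag = m[1].toLowerCase();
    const attrs = SUBRESOURCE_ATTRS.get(tag);
    if (!attrs) continue; // <a href="http://..."> is navigation, not mixed content
    if (tag === 'link') {
      const rel = (attrValue(m[0], 'rel') || '').toLowerCase();
      if (!/\b(stylesheet|icon|preload)\b/.test(rel)) continue; // canonical etc. load nothing
    }
    for (const attr of attrs) {
      const url = attrValue(m[0], attr);
      if (url && /^http:\/\//i.test(url)) {
        const line = html.slice(0, m.index).split('\n').length;
        findings.push({ line, tag, attr, url });
      }
    }
  }
  return findings;
}

// Constructed sample page (all host names are placeholders).
const SAMPLE_PAGE = [
  '<html><head>',
  '<script src="http://cdn.example.com/jquery.min.js"></script>',
  '<link rel="stylesheet" href="https://shop.example.com/site.css">',
  '<link rel="canonical" href="http://shop.example.com/cart.aspx">',
  '</head><body>',
  '<a href="http://partner.example.net/">partner</a>',
  "<img src='http://img.example.org/banner.png'>",
  '</body></html>',
].join('\n');
console.log(findInsecureSubresources(SAMPLE_PAGE));
```
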
Our website is a vertical search engine and we refer a lot of traffic offsite to partners sites.
We recently switched our website over to serve all traffic via HTTPS. We realised this might confuse some of our partners if they were looking at referrer stats and saw a drop in traffic attributed to us. Therefore at the same time, we added the content-security-policy:referrer origin header and we can see that the referrer is correctly passed along by the browser.
Generally this is working fine but we have had complaints from users of Adobe SiteCatalyst (previously Omniture) who are no longer able to attribute traffic as being referred from us. We don't have access to SiteCatalyst to test this out. How does SiteCatalyst track referral traffic and is there a way to view all traffic split by different sources/referrers?
I don't know if this accounts for everything, since I don't have full context on both your end or your users' end, but here is some info / thoughts that might help.
By default, Adobe Analytics tracks referrer from document.referrer. This can be overridden by setting s.referrer.
In general, depending on how your site directs visitors to the other site vs. browser security/privacy settings, document.referrer may or may not have a value. For example, Internet Explorer's default security/privacy setting is to suppress document.referrer on dynamically generated popup windows (e.g. window.open() calls).
So, and again, this is just speculation because I don't know the full context, you may need to work something out w/ your users, e.g. explicitly passing the referring url as a query param to the target page, and have your users pop s.referrer with it if it exists. Something along the lines of:
if ( !document.referrer ) {
s.referrer=s.Util.getQueryParam( 'refURL' );
}
Note: s.Util.getQueryParam is a utility function for Adobe Analytics AppMeasurement library that will return the value of the specified query param, or an empty string if it doesn't exist. If your users are still using legacy H code, they should use the s.getQueryParam plugin instead. Or use whatever homebrewed method of getting a query param from the URL, since javascript doesn't have a built-in function for it.
I'm building an emailshot tracking function in my ASP.NET site which will serve up a linked image when the email is opened, so allowing me to count the email opens.
It's all above-board, opted-in etc, etc, and I've tried two methods:
calling a .aspx page that serves (direct to the Response stream) a Base64-encoded image stored in a database
calling a .ashx HTTP handler that serves an image from a physical folder
Both of these techniques work absolutely fine - the image is served, and I can process the hit in the page code - if I use my POP email or my Gmail accounts.
However, Hotmail blocks them both. It doesn't even give the option of displaying images - there's no trace of the original link if I View Source on the browser email display.
Links to images only seem to display correctly in the Hotmail browser window if I:
Use an actual domain name in the link (rather than an IP address or localhost for testing) AND
Link to physical files (rather than pages that serve them) using <img src="http://domain/imagefilename.ext"/>.
Is there an alternate approach that will at least give the option of viewing the image? I'm not trying to conceal the tracking in any way - there will usually be other linked images in the emails anyway.
Nor does the thing being served have to be an image - is there anything else that can be served (and hence counted) that isn't treated as suspicious by over-zealous mail servers such as Hotmail?
Cheers.
You can add a querystring value at the end of the url. And then configure IIS to handle that extension.
Well, what you are asking is a nightmare for an email server. This same technique is used by spammers to get valid email IDs out of junk email IDs. For now I can assure you tracking opening of email is impossible using any white hat or gray hat techniques on any reputable servers.
Please see these links for more details:
http://emailuniverse.com/ezine-tips/?id=502
https://webapps.stackexchange.com/questions/22662/way-to-ensure-that-my-sent-email-was-read
However, don't take my word 'impossible' for granted; there are some protected techniques available but I am not sure about it
http://mailchimp.com/
good luck
We've recently run into an issue with our ASP.NET application where if a user goes to ourcompany.com instead of www.ourcompany.com, they will sometimes end up on a page that does not load data from the database. The issue seems to be related to our SSL certificate, but I've been tasked to investigate a way on the code side to fix this.
Here's the specific use case:
There is a user registration page that new users get sent to after they "quick register" (enter name, email, phone). With "www" in the URL (e.g. "www.ourcompany.com") it works fine, they can proceed as normal. However, if they browsed to just "ourcompany.com" or had that bookmarked, when they go to that page some data is not loaded (specifically a list of states from the DB) and, worse, if they try to submit the page they are kicked out entirely and sent back to the home page.
I will go in more detail if necessary but my question is simply if there is an application setting I can say to keep the session for the app regardless of if the URL has the "www" or not? Buying a second SSL cert isn't an option at this point unless there is no recourse, and I have to look at a way to solve this without another SSL.
Any ideas to point me in the right direction?
When your users go to www.ourcompany.com they get a session cookie for the www subdomain. By default, cookies are not shared across subdomains, which is why users going to ourcompany.com do not have access to their sessions.
There is a useful thread discussing this issue here. The suggested solution is:
By the way, I implemented a fairly good fix/hack today. Put this code on every page:
Response.Cookies["ASP.NET_SessionId"].Value = Session.SessionID;
Response.Cookies["ASP.NET_SessionId"].Domain = ".mydomain.com";
Those two lines of code rewrite the Session cookie so it's now accessible across sub-domains.
Doug, 23 Aug 2005
Surely you are trying to solve the wrong problem?
Is it possible for you to just implement URL rewriting and make it consistent?
So for example, http://example.com redirects to http://www.example.com ?
For an example of managing rewriting see:
http://paulstack.co.uk/blog/post/iis-rewrite-tool-the-pain-of-a-simple-rule-change.aspx
From the browser's point of view, www.mysite.com is a different site than mysite.com.
If you have a rewrite engine, add a rule to send all requests to www that don't already have it.
Or (this is what I did) add a separate IIS site with the "mysite.com" host header and set the IIS flag to redirect all traffic to www.
In either of these cases, any time a browser requests a page without the www prefix, it will receive a redirect response sending it to the correct page.
Here's the redirect site home directory properties:
And the relevant host header setting:
This fixes the issue without requiring code changes, and incidentally prevents duplicate search results from Google etc.
Just an update, I was able to fix the problem with a web.config entry:
<httpCookies domain=".mycompany.com" />
After adding that, the problem went away.
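Why the session is lost without "www" and what the Domain setting changes, as an added example that is not code from any of the posts above: a simplified model of RFC 6265 cookie scoping. The host names other than the `.mycompany.com` value are constructed, and `blog.mycompany.com` is a hypothetical sibling subdomain included to show that the wider scope reaches every subdomain, not just the apex.

```javascript
// Added example: simplified RFC 6265 cookie scoping (public-suffix and
// IP-address checks omitted). Host names below are constructed.
function domainMatches(host, cookieDomain) {
  return host === cookieDomain || host.endsWith('.' + cookieDomain);
}

// Model the browser storing a cookie set by `originHost`.
// `domainAttr` is the Domain attribute, or null when the server sent none.
function storeCookie(originHost, domainAttr) {
  const origin = originHost.toLowerCase();
  if (!domainAttr) return { domain: origin, hostOnly: true };
  const domain = domainAttr.toLowerCase().replace(/^\./, ''); // leading dot is ignored
  // A host may only set cookies for itself or a parent domain.
  if (!domainMatches(origin, domain)) return null;
  return { domain, hostOnly: false };
}

function isSentTo(cookie, requestHost) {
  const host = requestHost.toLowerCase();
  return cookie.hostOnly ? host === cookie.domain : domainMatches(host, cookie.domain);
}

// Which of `hosts` receive a session cookie set by `originHost`?
function recipients(originHost, domainAttr, hosts) {
  const cookie = storeCookie(originHost, domainAttr);
  return cookie ? hosts.filter((h) => isSentTo(cookie, h)) : [];
}

const HOSTS = [
  'www.mycompany.com',
  'mycompany.com',
  'blog.mycompany.com',         // hypothetical sibling subdomain
  'mycompany.com.example.net',  // unrelated look-alike host
];

// No Domain attribute: the cookie is host-only and the apex never sees it.
console.log(recipients('www.mycompany.com', null, HOSTS));
// Domain=.mycompany.com (the value from the web.config fix): all subdomains receive it.
console.log(recipients('www.mycompany.com', '.mycompany.com', HOSTS));
```
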
I want to make some changes to my web site that requires some URL rewriting to keep my old URLs. I can't use proper URL rewriting because I have very limited control from my hosting provider.
As I'm using ASP.NET and all of my pages have the .aspx extension, one idea I had is to put something in the global.asax under the Application_BeginRequest event. This could check if the URL of the page requested is one of the old ones and use Server.Transfer to open the correct page.
My question is, would this transfer be invisible to Google? I don't want my ranking within Google to be affected.
Server.Transfer happens entirely on the server side, so any client (including Google) will not be aware of it.
The client (browser or bot) won't have any idea whatsoever that the Server.Transfer occurred. It will see only that it requested a given URL and got the content you return. There's no response to the client saying that you've moved things (that would be Response.Redirect).
In your case, it sounds like that would mean you'll have two URLs returning the same content — two identical pages — which could affect how search indexes treat the content (and certainly means you'll end up with people linking to both URLs, which could impact the rank of each URL).
You can address that by specifying what the canonical URL for the content is. More in this Google blog post, but basically, if you have both http://example.com/foo.aspx and http://example.com/bar.aspx returning the same content, and you want the canonical (official) URL to be http://example.com/bar.aspx, tell the indexers that:
<link rel="canonical" href="http://example.com/bar.aspx" />
Google is only bothered about the page content; it doesn't bother how the content is constructed on the web server. Since Server.Transfer is completely internal to a web request, I think you should be okay with your website rankings.
While implementing https, is there a way not to show the message "Do you want to view only the webpage content that was delivered securely?" and force the answer to "no", as it will mess up my CSS and JavaScript?
thanks
You may need to serve all the page elements, including the CSS and JavaScript, from the SSL server.
Also see Dealing with HTTP content in HTTPS pages
That is implemented by the browser process, not the transport mechanism. There are plenty of custom implementations that would not show that warning, but most commonly available browsers will as it represents a potential security hole in the SSL process.
Essentially it's the browser warning you that it only got part of the content from an SSL connection, and there is no way for you the end user to directly tell which page elements are from the trusted (i.e. SSL connected) host and which are from untrusted hosts.
If you want to avoid this, either consider placing your CSS/javascript in the pages directly, or limit your SSL to only specific pages which do not include those resources.
Follow these steps to turn this off, but as with everything in security, you must weigh the risks.
Navigate to Tools-> Internet Options-> Security
Select the "Security Tab"
Click the "Custom Level" button at the bottom
In the "Miscellaneous" section change "Display mixed content" to Enable
Then click the "OK" button
Fissh