Secure Socket Layer
SSL (Secure Socket Layer) technology encrypts data exchanged between a server and a browser. When SSL is used, information is exchanged using the HTTPS protocol instead of the HTTP protocol, where data travels unencrypted. The address of a page delivered using the HTTPS protocol will typically become https://www.myserver.com/mypage.html.
Because data is encrypted before being sent, the speed of the transmission is lower. This is the reason why not all pages of an online store are delivered using HTTPS, but only the ones that collect or display sensitive information, such as the pages where payment information is collected during the check out process.
This is also true with your ProductCart store, which uses SSL during the check out process only for the pages where payment and personal information is entered
In ProductCart, you may use either a dedicated SSL certificate (issued specifically for your domain name), or a shared SSL certificate, provided to you by your Web hosting company. ProductCart strongly recommends the use of a dedicated SSL certificate.
Dedicated SSL CertificatesWhen you use a dedicated SSL certificate, the URL contains your domain name (e.g. https://www.mycompany.com). Dedicated SSL certificates have become quite affordable over the years, and are definitely the way to go.
Make sure that you order an SSL certificate for the domain name used on your store, including the “www” (if you have set your store up using “www”). For example, if your store is “www.MyStore.com” and your links (e.g. in search engines) use the “www”, then the SSL certificate should be issued for the domain "www.MyStore.com" and not for "MyStore.com". This is typically the case. If you get a certificate for “MyStore.com” and then try to access that secure site using the "www.MyStore.com" URL, you will receive a warning message indicating that the certificate was issued for a domain that does not match the domain you are visiting.
Shared SSL Certificated
A shared SSL certificate typically uses a generic domain name that has been registered by your Web hosting company (e.g. https://server.mycompany.com), together with your account name or number. The exact address changes from one Web hosting provider to another. Check with your Web hosting provider to obtain this information.
We do not recommend the use of shared SSL certificates because there are some technical limitations (see note below). In addition, dedicated SSL certificates have become quite inexpensive and look much more professional to your store visitors (no domain name change when they move to a secure page).
- If you are using the Parent Path Disabled version of ProductCart
- If the Secure Certificate is installed on a different server than the one hosting your Web store
- If the hosting company requires the to-be-secure pages to be placed in a special directory on the Web server
- If you are using ProductCart v4 or above, and using one or more custom/offline payment options.Since in v4 these payment options are not shown on a separate page, but rather as part of the new “One Page Checkout” system, ProductCart will never switch to a secure URL. If will only switch to a secure URL (secured through the shared SSL certificate) when loading a separate payment page. That - in v4 and above - only occurs when using a payment gateway.
SSL SettingsIf you use SSL on your online store, check the This Store Uses SSL option, and enter the URL to your secure site. You can instruct ProductCart to switch to a secure page (from HTTP to HTTPS):
- At login/checkout-This is the recommended option, but you can only use it if you are using a dedicated SSL certificate. Check this option if you want the store to switch to the Secure Socket Layer when customers begin the registration or checkout process. For technical reasons, this option requires that you are using a dedicated SSL certificate. Do not check this option if you are using a shared SSL certificate or the shopping cart will show an error during checkout indicating that the shopping cart is empty.
- On the Payment Page- Check this option to have ProductCart switch to SSL before the customer enters payment information. You must select this option if you are using a shared SSL certificate.
SSL Certificate ProvidersJust as a reference, here is a list of companies that issue SSL certificates (prices vary significantly as they include difference services, especially different levels of insurance). Contact these and other SSL certificate providers for more information. Your Web hosting company might also sell SSL certificates directly (and sometimes will give you a deal when you purchase one as you order or upgrade your Web hosting account).
Security WarningsWhen a page is loaded via the HTTPS protocol, all elements loaded onto the page must be coming through the HTTPS protocol. Otherwise, your customers may receive a security warning such as the one shown below.
If you are getting this warning, read through this article, How to Avoid Security Warnings on a Secure Page.
SSL and IIS7
IIS7 has a setting called “New ID On Secure Connection (keepSessionIdSecure)”. This generates a new cookie when a transition from a non-secure to a secure connection is made. The default is True. Change this to False if you can, or ask your hosting company to make the change.