radical hacks Secure Server Workaround for Webstore sent in the following documentation on how to provide a workaround for the secure server dilemma with WebStore.

Selena Sol's Web Store Script Secure Server Workaround White Paper

George A. Roberts IV
Vice President of Interactive Media
Now Computing

February 2, 1999

One of the biggest problems with the Web Store script is that when attempting to use it with a secure server according to the documentation, it only goes into secure mode when the user hits "submit" on the form that includes their credit card information. While this is technically secure, most users expect to see the secure icon on their web browser when the form is displayed.

Due to technical limitations of the script, this is not possible in the original implementation. The reason for this is that every action is processed through a form on the page, with all actions being processed through the same form. Due to the way that forms work in HTML, there is only one possible action for a form. This means that all actions (i.e. view cart, add item, checkout) must lead to either a non-secure location or a secure location. You cannot have all the options go to a non-secure location except the checkout button.

The Workaround
However, there is a way around this. The general idea is to modify the script where it processes the "checkout" request and have it send an HTTP redirect to the location of your secure copy of the script.

The modifications are fairly routine; however, there is one possible side effect. To make this modification, you must move the line in the script that outputs the "Content-type" string to the browser to another location. The possible side effect is that should an error occur loading one of the included libraries at the beginning of the script, the script will not be able to output its error message to the browser. However, the likelihood of this occurring, in my opinion, is fairly small, and this is a small price to pay for this increased functionality.

One of the goals in this workaround was to save you from making large amounts of changes to your site and to the script. This workaround achieves that goal.

The first thing that needs to be done is this:

Create the following section in your script:

# Checkout request: redirect to the secure copy of the script and stop.
if ($form_data{'order_form_button'} ne "") {
  print "Location: $sc_order_script_url?order_form_display=on&page=$page&cart_id=$cart_id\n\n";
  exit;
}

print "Content-type: text/html\n\n";

If you are using graphical buttons, remember to place the ".x" after "order_form_button".

This section should be created immediately above the large block of if-then statements that process the form commands. You should find the original location of the "Content-type" print command in your script and delete that line.

Then, find the original section that processes the "order_form_button" form field, and change "order_form_button" to "order_form_display". DO NOT PUT A ".x" AFTER IT, EVEN IF YOU *ARE* USING IMAGES AS YOUR BUTTONS.

Make sure that your $sc_order_script_url variable in your setup file points to your secure copy of the script.

The basic overview of the process that the user will go through now is this:

The user browses your store as usual, adding items as usual, all in non-secure mode. Once they click on "Checkout" (or the equivalent on your store), the form will be submitted to your non-secure copy of the script. That copy will receive the "order_form_button" command and will output an HTTP Location response that tells the browser to redirect to the secure copy of your script, passing the cart_id in the URL's query string. The browser will then load the secure copy of your script and allow the user to check out in fully secure mode.
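
The redirect above places $page and $cart_id directly into the Location header. The Perl below is an added example, not part of the original white paper or of the Web Store script: it percent-encodes both values so that request data cannot alter the header, accepts both the text and the graphical (".x") button names, and refuses to redirect unless $sc_order_script_url is an https:// URL. The helper names, the sample URL and the sample request values are assumptions constructed for illustration.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Percent-encode everything except RFC 3986 unreserved characters, so that
# CR, LF, '&', '=' and spaces never reach the Location header unencoded.
sub url_encode {
    my ($value) = @_;
    $value =~ s/([^A-Za-z0-9\-._~])/sprintf("%%%02X", ord($1))/ge;
    return $value;
}

# Return the redirect header for a checkout request, or undef when the
# request is not a checkout. (Hypothetical helper, not a Web Store routine.)
sub checkout_redirect {
    my ($form, $secure_url, $page, $cart_id) = @_;

    # Text buttons submit "order_form_button"; image buttons submit ".x".
    my $clicked = grep { defined($form->{$_}) && $form->{$_} ne "" }
                  ("order_form_button", "order_form_button.x");
    return undef unless $clicked;

    # The setup file must point at the secure copy of the script.
    die "sc_order_script_url must be an https:// URL\n"
        unless $secure_url =~ m{\Ahttps://[^\s?#]+\z};

    return "Location: $secure_url?order_form_display=on"
         . "&page=" . url_encode($page)
         . "&cart_id=" . url_encode($cart_id) . "\n\n";
}

# Constructed sample request: a graphical checkout button was clicked and
# the cart_id field carries an embedded CR/LF that must not split the header.
my %form_data = ("order_form_button.x" => "12");
my $sc_order_script_url = "https://secure.example.com/cgi-bin/web_store.cgi";
my $page    = "catalog.html";
my $cart_id = "1234.5678\r\nX-Injected: 1";

my $header = checkout_redirect(\%form_data, $sc_order_script_url, $page, $cart_id);
if (defined $header) {
    print $header;   # redirect only; no Content-type or body follows
    exit;
}

print "Content-type: text/html\n\n";
```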

Additional Information
Any questions, comments, thoughts, or suggestions can be addressed via internet e-mail to .

Now Computing is available for CGI programming and customization for reasonable hourly rates. If you would like work done on your copy of Web Store, please feel free to contact us via e-mail at .