View Full Version : secure vs. non-secure issues in Miva5

01-23-2007, 01:51 PM
I am not 100% certain I have configured my store properly and need some assistance. I have been trying to finalize my upgrade to MivaMerchant5. In IE when switching to a secure part of the store (such as checking out or logging in) I get numerous pop-ups relating to insecure items. I think the issue is somewhere in my link to graphics; although all my links are relative links (using miva merchant soft paths) if I select "NO" to the security pop-ups none of my images will display. I have set up the MivaMerchant links to use


on the non-secure side, and


for the secure side; for secure graphics the baseref is:


while the baseref for the non-secure graphics is simply


I have looked through all of my code trying to find any absolute references that may be causing issues and cannot find any that have not been adjusted.

A link to the (new off line ) store is:


Any thoughts, comments, assistance will be appreciated.

01-24-2007, 11:09 AM
For some reason your base herf is not being set right.

<base href="http://www.uneed-a-uniform.com/mm5/">

I am not a miva user but I would look into the template that controls your header.

01-24-2007, 11:26 AM
Thanks, that is what I am trying to figure out: Either what should the code look like in the templates (I cannot find anything different in the Miva examples on their site), or do I have something incorrect in the Miva setup strings (that I show in my initial post)?

I'll keep searching and trying things...

01-25-2007, 01:35 PM
Check to make sure you haven't hardcoded any base URLs into your templates/pages. Also, double check your domain settings to make sure they're correct. I would re-enter and save them just to be sure.

I had a similar problem--with the exact opposite effect--when I first used Merchant on Westhost. See this post: 26781. My problem was related to an Apache directive instructing the server to initiate a secure connection for any request containing 'merchant.mvc' in the URL. This caused MM to set the base URL to my secure address, and load all of my graphics through the secure server. Can you post the contents of the miva.conf file I referenced in the aforementioned post?

01-26-2007, 06:55 AM

Thanks for your thoughts, I will check out that thread shortly.

As for further clues, we discovered late yesterday that the base href generated by Miva seems to be following whatever is entered in the domainsettings/siteconfig/secure GRAPHICS baseurl and sets the base href for every page (whether it should be secure or not) to that setting. In other words, it doesn't matter what the non-secure or secure Miva base url is set to, the pages generated by Miva are somehow using the setting for non-secure graphics (this can be set to either an http:// or https:// location, I have tried it both ways).

At this moment I have the non-secure graphics base url pointing to:


Unfortunately this slows down the loading of the site but at least I don't see all the security warnings in IE and the lock symbol is displayed.

I'll go check out the thread and do some digging and report back here. I also have an agenda this morning to pitch my boss for a dedicated SSL cert, maybe getting one of those will help alleviate some fo these hassles.

Thanks again,


01-26-2007, 07:12 AM

OK, just checked, everything is already as you suggested in that thread.

And I think I was just shot down (again) on a dedicated ssl cert.

Thanks again, I'm still open to thoughts and suggestions...


01-26-2007, 07:15 AM
Sorry, here is the miva.conf file:

AddType application/x-httpd-Miva .mv
AddType application/x-miva-compiled .mvc
Action application/x-miva-compiled /cgi-bin/mivavm
Action application/x-httpd-Miva /cgi-bin/miva

#SetEnvIf Request_URI admin\.mvc HTTPS=on
#SetEnvIf Request_URI admin\.mv HTTPS=on
#SetEnvIf Request_URI merchant\.mvc HTTPS=on
#SetEnvIf Request_URI merchant\.mv HTTPS=on

SetEnv MvCONFIG_DIR_MIVA /var/www/html
SetEnv MvCONFIG_DIR_DATA /usr/home/uneed-a-uniform/htsdata
SetEnv MvCONFIG_DIR_BUILTIN /usr/local/miva/lib/builtins
SetEnv MvCONFIG_DIR_CA /usr/local/miva/certs
SetEnv MvCONFIG_SSL_OPENSSL /var/www/html/mm5/openssl/lib/libssl.so
SetEnv MvCONFIG_SSL_CRYPTO /var/www/html/mm5/openssl/lib/libcrypto.so
SetEnv MvCONFIG_DATABASE_MySQL /usr/local/miva/lib/databases/mysql.so

SetEnv MvCONFIG_COMMERCE_CyberCash /usr/local/lib/mivalibs/cybercash.so
SetEnv MvCONFIG_COMMERCE_AuthorizeNet /usr/local/lib/mivalibs/authnet.so
SetEnv MvCONFIG_COMMERCE_LinkPoint /usr/local/lib/mivalibs/linkpoint.so
SetEnv MvCONFIG_COMMERCE_UPSRSS /usr/local/lib/mivalibs/upsrss.so
SetEnv MvCONFIG_COMMERCE_ICS2 /usr/local/lib/mivalibs/ics2.so
SetEnv MvCONFIG_COMMERCE_GlobalCommerce /usr/local/lib/mivalibs/globcomm-linux.so

01-26-2007, 02:32 PM
Okay, you should force WestHost support to resolve this issue for you. If your domain settings are correct, and there aren't any Apache directives changing the environmental variables, then it should be working.

I've never used MM5 on Westhost, so I'm not familiar enough with the peculiarities in running it in their hosting environment, but I HAVE seen MM5 stores on Westhost using their shared secure server. By all means, it should be working for you, too.

You don't need to purchase a dedicated cert to test whether or not it will make a difference. You can use the self-signed cert that's generated for you when you install (or configure) OpenSSL from the control panel. You'll still get a security pop-up regarding the authenticity of the cert, but you'll at least be able to see if it works properly with MM5.

By the way, you should uncomment the SetEnvIf statement that examines requests for 'admin.mvc'. Working securely in the admin area doesn't seem to work properly unless that line is present and enabled. (From my experiences, at least.)

#SetEnvIf Request_URI admin\.mvc HTTPS=onshould look like this:

SetEnvIf Request_URI admin\.mvc HTTPS=onThen, restart your VPS/Apache.

01-26-2007, 02:55 PM
Apparently, you already have the temp/self-signed cert installed. If you load your site using the secure address it's configured for, https://www.uneed-a-uniform.com/mm5/merchant.mvc?, you'll see that it uses the proper secure base url.

So, it would seem that getting a dedicated cert would resolve this issue for you. However, I think this shows that there must be some sort of misconfiguration in the server settings. I would still recommend you have Westhost look into this issue, especially if you still want to use the shared secure server.

01-31-2007, 02:33 PM

Thanks for taking the time to think about this. I will be coming back to this shortly, but for now I am trying to just get a few things fine tuned as we had to turn the store live. I agree that there is something awry in some config setting somewhere but I need to brush way up on my apache stuff before I get too lost in .htaccess and http.conf files.

Again, thanks and I will post any findings here.