I'm setting up authorize.net SIM with my shopping cart. Just submitted a test transaction and everything worked perfectly EXCEPT when being redirected back to my cart to show the order confirmation, the security dialog box came up with the "do you want to proceed" yes or no thing in IE. My checkout pages on the cart are not https because I'm not collecting any credit card data. Why is the dialog box coming up? Does the very act of going from https to http cause this? Is there a fix?
What's to correct? It sounds like it's working as it should. You are going from a secure page (https) to a non-secure page (http) so the alert box is appropriate. Don't most users understand this and take it in stride?
The only way to avoid the alert is to not go from a secure page (not a good idea), or to continue on to another secure page.
This does not seem right though. I don't recall the dialog coming up in the past when going from https to http. Someone else just tested it for me in Firefox and said there were no dialog boxes coming up. It must be an IE thing. If I go ahead and get an SSL for my checkout pages, it will eliminate the problem, but then if they leave the order confirmation page to go some place else on the site, won't it just happen again?
If the customer is on a https:// page and clicks on a http:// link, there will be no security box. However, ff you redirect a customer from an https:// page to another http:// page, then there will be a security box because the browser is warning the customer of a change in security that they didn't request. I believe forms will also cause a security box because the url is not obvious to the customer, but I am not 100% sure on that.
Ah thanks for clearing that up. There is no click taking place. As soon as I click the submit button, it happens quite fast and the user is directed back to the site. I suppose the only way to get around this is to use SSL for the checkout pages?
Use SSL for any page that has sensitive information being sent. All of the links on that page that lead to non-sensitive pages (such as the home page) can be http:// links. This won't cause any red flags and won't put the extra burden on the server to encrypt every page.