
Security warning after payment

  1. I'm new, so please be nice... :-)

    I just set up my first site with Gravity Forms. After paying and clicking the button to return to the site, Chrome dies, but if I try it in Firefox I get this warning:
    http://dl.dropbox.com/u/26727846/security.png

    Obviously I don't want to scare the visitors. Is that because I don't have an SSL cert? I was under the impression that PayPal took care of security as they are receiving the payment? What exactly is unsecure? The form info?

    If I do need SSL, will adding it now break anything?

    Thanks

    Posted 12 years ago on Tuesday March 6, 2012 | Permalink
  2. Hi, lukef,

    You are seeing the security message because once you click to return to the site, the connection is no longer secure. You are being sent back to the form to show the confirmation message, page, or redirect URL. To prevent this, you can have your form set up securely on SSL, so that when the redirect from PayPal back to your site occurs, the session is secure on both ends. Making the form secure now won't break anything.

    Posted 12 years ago on Wednesday March 14, 2012 | Permalink
  3. bhays
    Member

    I'm getting the same warning, but I do have an SSL certificate installed. The form is submitted via HTTPS but is trying to return to HTTP. Is there a way to force the return address from PayPal to be HTTPS?

    Posted 12 years ago on Friday March 30, 2012 | Permalink
  4. bhays
    Member

    Apparently, the HTTPS is checked via the $_SERVER global on line 2595. This should work fine in most circumstances, but thanks to Network Solutions and their proxy SSL it does not. I had to hard code the https in for now.

    And on that note, stay away from Network Solutions at all costs.

    Posted 12 years ago on Friday March 30, 2012 | Permalink
  5. So, essentially then, if you want to use the Gravity Forms PayPal plugin you need a security certificate? Well, it's not essential I guess, but I think that this security warning would make for very unhappy and unsure customers, so really it is needed.

    Is there any alternative solution? I'm wondering because the big benefit of using PayPal is not having to worry about this and clients being able to save on the SSL certificate cost.

    Thanks a ton!
    Trevor

    Posted 12 years ago on Monday April 30, 2012 | Permalink
  6. David Peralty

    If you don't redirect back to your form then this issue is moot and you don't need an SSL. It is only because you are sending data back from a secure site to a non-secure one that this error should appear.

    Posted 12 years ago on Tuesday May 1, 2012 | Permalink
  7. Thanks for getting back to me so fast. My concern is that if you stop people from redirecting back to your site, don't you lose the ability to present a follow-up / thank you message after someone makes a purchase, which is pretty much essential?

    Also, how would I stop PayPal from re-directing back to website if I do want to go this route? I don't have "Auto Return" on PayPal, but I don't think you can remove the link back to your website, so I'm not sure how to stop people from clicking back through and getting the warning?

    Thanks again!

    Posted 12 years ago on Tuesday May 1, 2012 | Permalink
  8. David Peralty

    Unfortunately, I'm no expert in PayPal, but I have paid for a number of things with my PayPal account, and not all of them have redirected me back afterwards. I can say that you are correct in everything else, but it looks like if you want to pass any details back to your site, you'll need an SSL to get rid of that warning.

    I'm not sure how to do it, but if you could create a thank you page without any kind of details from the transaction in it, you probably won't get that warning, but you would be best to talk to PayPal directly about that.

    Posted 12 years ago on Tuesday May 1, 2012 | Permalink
  9. Just wondering if anyone else has any ideas on this security warning?

    I'm surprised this isn't a bigger concern from Gravity Forms users... I thought for a lot of folks the whole idea of using PayPal is so you don't need an SSL certificate, but then isn't everyone without an SSL getting this security warning whenever someone finishes their transaction and clicks the return to website button on PayPal?

    Thanks in advance!

    Posted 12 years ago on Friday October 5, 2012 | Permalink
  10. I have never received this error message when returning to my site after completing a Gravity Forms/PayPal transaction. I don't have an SSL certificate. I wonder if it's a browser or OS thing? Which browser are you using and on what operating system?

    Posted 12 years ago on Friday October 5, 2012 | Permalink
  11. I was always getting that Security Warning, until I tried setting the "rm" parameter to "1", rather than "2", in paypal.php, as described towards the bottom of this post:

    http://www.gravityhelp.com/forums/topic/this-page-is-unsecured

    As I'd rather not have to edit the code, and lose the change when updating the plug-in, could a permanent fix implementing this be investigated?

    Posted 12 years ago on Sunday October 14, 2012 | Permalink
  12. I've brought this issue and the other post you linked to to the attention of the developers. Thank you.

    Posted 12 years ago on Sunday October 14, 2012 | Permalink
  13. The rm PayPal parameter is used to control how the page is sent back from PayPal to your site. With rm=1, PayPal will simply redirect the user to your site, and rm=2 will actually post the data back to the site. We have decided to use rm=2 as that could be useful for some users that need to display that information on their pages. I am not sure why the warning message is being displayed, but that is something specific to some configurations, and not to everybody. We will look for a way to allow the rm parameter to be changed via a hook and also try to find out why the return URL is not using HTTPS for some users.

    Posted 12 years ago on Tuesday October 16, 2012 | Permalink

This topic has been resolved and has been closed to new replies.
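
Post 4 describes HTTPS being detected from `$_SERVER`, which fails when TLS ends at a hosting proxy and the request reaches PHP over plain HTTP, so the return URL handed to PayPal comes out as `http://`. The following is an added example, not the plugin's code or part of any post, of scheme detection that also accepts a forwarded-scheme header, but only from a known proxy address. It assumes the proxy sets `X-Forwarded-Proto`; the function names, proxy address and host are hypothetical.

```php
<?php
// Added example, not Gravity Forms code. Header choice and addresses are assumptions.

// Constructed placeholder: address of the TLS-terminating proxy (TEST-NET range).
const TRUSTED_PROXIES = ['203.0.113.10'];

/**
 * Decide whether the visitor's connection is HTTPS.
 * $server is a $_SERVER-style array so the function can be run on sample data.
 */
function request_is_https(array $server): bool
{
    // Direct TLS: PHP sets HTTPS to a non-empty value other than "off".
    $https = strtolower((string) ($server['HTTPS'] ?? ''));
    if ($https !== '' && $https !== 'off') {
        return true;
    }
    // Behind a proxy the backend hop is plain HTTP, so HTTPS is unset.
    // Honour the forwarded scheme only when the peer is a known proxy;
    // from any other peer the header is client-controlled input.
    $peer = $server['REMOTE_ADDR'] ?? '';
    if (in_array($peer, TRUSTED_PROXIES, true)) {
        $proto = strtolower(trim((string) ($server['HTTP_X_FORWARDED_PROTO'] ?? '')));
        return $proto === 'https';
    }
    return false;
}

/** Build the return URL handed to PayPal, using the detected scheme. */
function paypal_return_url(array $server, string $path): string
{
    $scheme = request_is_https($server) ? 'https' : 'http';
    // Real code should take the host from configuration; SERVER_NAME keeps this short.
    return $scheme . '://' . $server['SERVER_NAME'] . $path;
}

// Constructed sample requests.
$samples = [
    'direct TLS'        => ['HTTPS' => 'on', 'REMOTE_ADDR' => '198.51.100.7', 'SERVER_NAME' => 'shop.example'],
    'via trusted proxy' => ['REMOTE_ADDR' => '203.0.113.10', 'HTTP_X_FORWARDED_PROTO' => 'https', 'SERVER_NAME' => 'shop.example'],
    'spoofed header'    => ['REMOTE_ADDR' => '198.51.100.7', 'HTTP_X_FORWARDED_PROTO' => 'https', 'SERVER_NAME' => 'shop.example'],
];
foreach ($samples as $label => $server) {
    echo str_pad($label, 18), paypal_return_url($server, '/thank-you/'), PHP_EOL;
}
```

The first two samples produce an `https://` return URL; the third, where the header arrives from an address that is not the proxy, falls back to `http://` rather than trusting it.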