Why are multiple pages served when SSL is turned on?

Status
Not open for further replies.

rlawrence

Programmer
Sep 14, 2000
182
US
Recently, my web sites have been sending out two confirmation emails for orders submitted. Both the web site owner and the customer get the duplicate emails. Occasionally, these emails have been sent out in triplicate!

This behavior began conspicuously after updating (GoDaddy.com) security certificates. Recently GoDaddy has required 2048-bit encryption keys. No one I've talked to--including GoDaddy techs--thinks that the certificates have anything to do with this behavior.

However, further testing revealed that when an order is submitted on one of these sites, the response page (which sends out the emails) will be called at least twice--one under HTTPS and the other under normal HTTP!


I have a function that allows me to force SSL on for pages where it is desirable. Here's the code:

Code:
'#######
'SSLOn(string cPath) : null
'    If the application is currently running on regular HTTP, and
'    DISABLE_SSL is FALSE, redirect to HTTPS.  Call within a page that
'    you wish to send over a secure connection, providing the file
'    name of the page as an argument.  WARNING: May call
'    Response.Redirect, ending execution of the ASP page
'#######
Sub SSLOn(cPath)
    Dim nSecure, cURL, cServerName
    nSecure = Request.ServerVariables("SERVER_PORT_SECURE")
    If nSecure <> 1 Then

        cURL = "https://" & Request.ServerVariables("HTTP_HOST") & _
             Request.ServerVariables("URL") & "/../" & cPath

        ' Forget about trying to use SSL on the local host.
        cServerName = Request.ServerVariables("SERVER_NAME")
        If not DISABLE_SSL Then
            Response.Redirect cURL
            'Response.Write "Redirect to:  " & cURL
        else
            if not DISABLE_SSL_WARNING then
                call Notice("SSL Disabled", _
                            "User name, password, and any other " &_
                            "information you enter will not be transmitted " &_
                            "securely and could potentially be viewed by " &_
                            "others.  SSL should only be disabled when " &_
                            "necessary during testing, and real accounts " &_
                            "should not be used while SSL is disabled.")
            end if
        End If
    End If
End Sub

I have a similar routine to turn SSL off for a given page.

You can see that the routine tests the SERVER_PORT_SECURE variable to determine whether SSL is available, and then redirects using HTTPS if it is. It looks to me like the original request is being served despite the redirection.

I'm still confused why these new 2048-bit certs would cause this to happen. I don't believe this happens on sites that haven't got the renewed certificates.

The server is Windows 2003 and IIS6. Any insights would be appreciated.

Thanks in advance,

Ron
 
I spent the better part of another day on this. I have a test procedure, TestEmailSend.asp, that simulates the same process as my order confirmation. I've included everything from the order process--including the formulation of an order confirmation email, updating the database with the order in context, and finally, firing off the email. My two routines look the same, yet only one generates the duplicate emails--again one set is via SSL, the other via normal HTTP.

I know that there still has to be some difference between the execution of these two procedures, but it's not in the code. (Famous last words, I know.) It seems that it has to be something to do with how the request to the order confirmation page is handled by IIS.

In my test case, I'm simply resubmitting an already saved order that has a total of Zero. (We have been offering a version of our accounting software for free.) This is a simple <form ...action="NoCharge.asp"> "Submit" to the processing page.

Code:
<form method="post" action="NoCharge.asp">
  <input type="submit" name="submit" value="Submit Order"/>
</form>

In my testEmail.asp page, I do a form submit to TestEmailSend.asp to simulate the same process. My test pages do not generate the duplicate emails, whereas the submit to "NoCharge.asp" does.

Furthermore, in both scenarios, the initiating page has SSL turned ON, and the resulting (order processing) pages turn SSL OFF.

I'm still looking for ideas on what could cause the order processing page to be called twice. It is definitely being called twice from the same submit!

Any thoughts would be greatly appreciated.

Ron
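
One way to confirm from the server side which requests actually reached the order page is to correlate the IIS W3C log by client, page and port. The script below is an added example, not code from the thread; the log lines, paths, addresses and the `cross_scheme_repeats` helper are constructed for illustration, and the field names assume IIS W3C extended logging with those columns enabled.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample in IIS W3C extended format (not taken from the thread).
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 6.0
#Fields: date time cs-method cs-uri-stem s-port c-ip sc-status
2011-06-01 14:02:10 GET /store/Checkout.asp 443 203.0.113.7 200
2011-06-01 14:02:31 POST /store/NoCharge.asp 443 203.0.113.7 302
2011-06-01 14:02:31 GET /store/NoCharge.asp 80 203.0.113.7 200
2011-06-01 14:05:00 POST /store/TestEmailSend.asp 80 198.51.100.4 200
"""

def parse_w3c(text):
    """Yield one dict per request, using the #Fields header for column names."""
    fields = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields:
            row = dict(zip(fields, line.split()))
            row["ts"] = datetime.strptime(
                row["date"] + " " + row["time"], "%Y-%m-%d %H:%M:%S")
            yield row

def cross_scheme_repeats(rows, window_seconds=5):
    """Find pages hit by one client on two different ports within the window."""
    by_key = defaultdict(list)
    for r in rows:
        # IIS paths are case-insensitive, so normalise before grouping.
        by_key[(r["c-ip"], r["cs-uri-stem"].lower())].append(r)
    findings = []
    for (ip, page), hits in by_key.items():
        hits.sort(key=lambda r: r["ts"])
        for a, b in zip(hits, hits[1:]):
            close = b["ts"] - a["ts"] <= timedelta(seconds=window_seconds)
            if a["s-port"] != b["s-port"] and close:
                findings.append({
                    "client": ip, "page": page,
                    "requests": [(h["cs-method"], h["s-port"], h["sc-status"])
                                 for h in (a, b)]})
    return findings

if __name__ == "__main__":
    for finding in cross_scheme_repeats(parse_w3c(SAMPLE_LOG)):
        print(finding)
```

The method and status of each paired request show whether the page body ran on both the HTTPS and the HTTP hit or whether one of them only returned a redirect.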
 