Moving from one https page to another with a different certificate

Tags: https, iis, ssl, worldpay

Imagine a bog-standard Signup page, which captures some user info like Name, Address etc.
It has a Buy Now button on it, which transfers to a payment site (WorldPay).

Now, the requirement is that everything should be secure, so that means (and correct me if I'm wrong)

A) I need to get and install an SSL certificate on IIS.

B) I then need to make the Signup page secure (looking at exactly how to do this but if anyone wants to let me know that would be grand!)

So, presuming that the Signup page is now https under one certificate, is there any reason AT ALL that there should be a problem redirecting to WorldPay (which is under SSL but under a different certificate)?

I can't imagine why, I'm not going to be doing this over AJAX or anything (see HTTPS request via AJAX from HTTP page), but sometimes these things can bite you!

Thanks
Duncan

Best Answer

The only problem that I can foresee is that if you have a direct form POST from https://mysite.com/ to https://payment.net/ your users will most likely see a warning page (FF3.5 shows an "untrusted connection" in a similar scenario - it's there to deter phishing attacks). One possible solution to this would be to submit the mysite.com form to the mysite.com domain, and then have a controller or some such thing there that would redirect the user to payment.net from that. (You want to watch out that you aren't playing loosey-goosey with the user's private information by exposing it on a URL, however.)

My guess is that this question is something that your payment site needs to deal with quite frequently. I'd suggest contacting them to find out if they have specific recommendations for handling SSL, warnings, and so on.
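
The redirect pattern suggested in the answer above, as an added example that is not part of the original answer or any WorldPay integration: the form posts to its own origin, private fields stay server-side under an opaque reference, and only that reference plus allowlisted fields go on the redirect URL. The parameter names (`ref`, `amount`, `currency`), the in-memory store and the sample form are assumptions; `https://payment.net/` is the placeholder host used in the answer.

```python
# Added example: field names, the ORDERS store and the sample form are assumptions.
import secrets
from urllib.parse import urlencode, urlsplit, parse_qs

PAYMENT_URL = "https://payment.net/"    # placeholder host taken from the answer
PUBLIC_FIELDS = {"amount", "currency"}  # hypothetical non-sensitive fields allowed on the URL
ORDERS = {}                             # stand-in for a server-side session or database


def handle_signup_post(form):
    """Handle the same-origin POST and return (status, headers) for the redirect.

    Private fields are kept server-side under an opaque reference; only that
    reference and the allowlisted fields are placed in the query string.
    """
    if urlsplit(PAYMENT_URL).scheme != "https":
        raise ValueError("payment redirect must use https")

    ref = secrets.token_urlsafe(16)
    ORDERS[ref] = dict(form)            # name, address etc. stay on the server

    query = {"ref": ref}
    query.update({k: v for k, v in form.items() if k in PUBLIC_FIELDS})
    location = PAYMENT_URL + "?" + urlencode(query)

    # 303 makes the browser follow with GET, so the POST body is not
    # replayed to the other origin (a 307 would resend it).
    return 303, {"Location": location, "Cache-Control": "no-store"}


def leaked_fields(location, form):
    """Return names of non-allowlisted form fields whose values appear in the
    redirect URL. Intended as a regression check on the handler above."""
    values = {v for vs in parse_qs(urlsplit(location).query).values() for v in vs}
    return sorted(k for k, v in form.items()
                  if k not in PUBLIC_FIELDS and v in values)


# Constructed sample input
SAMPLE_FORM = {"name": "Alice Example", "address": "1 Test Street",
               "amount": "19.99", "currency": "GBP"}

if __name__ == "__main__":
    status, headers = handle_signup_post(SAMPLE_FORM)
    print(status, headers["Location"])
    print("leaked:", leaked_fields(headers["Location"], SAMPLE_FORM))
```
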
