I am using SSL on a web page where a customer makes a purchase. The page itself displays the proper insignia of an SSL connection. However, when my servlet makes a response, I do not see the SSL insignia. I fear that I am missing something, or that I am not maintaining an SSL connection throughout the process.
When the browser displays my page, purchase.html, it indicates that an SSL connection has been made: 1) the name of my site appears in the url line, and 2) the padlock symbol appears in the lower right corner of the browser. If I hover the cursor over either the url prefix or the padlock, I see the message “verified by GeoTrust”. So this looks good.
The customer presses the Submit button, and the page does a post, calling my servlet with an https url. The servlet understands what the page sends, and responds with html code. But I do not see the SSL insignia in the response page. I see “https” in the url, and the full url call to the servlet:
But I do not see the name of my site prefixing the url, and the padlock in the lower right is broken. If I hover the cursor over the padlock, I get the message “warning: contains unauthenticated content”.
If I press the back page button of the browser at this point, I return to purchase.html, and it shows the proper insignia of an SSL connection. I press the Submit button again, and my servlet responds with an https url, but without the insignia.
I am concerned that I am losing the encrypted connection when sending a servlet response. The response does not contain any confidential information. But I do not like the disappearance of the insignia.
Is this normal behavior, or is there a lapse in the SSL connection? If this is a lapse, what must I do to make the servlet response show that it is truly SSL encrypted and verified? I don’t think that I need to see Java code at this point. I think that I need some higher level guidance on what I should be doing to maintain SSL throughout the purchase process.
I found the problem. One of the html lines of my response was loading an image from my website. The reference to the image was a hard-coded "http://*******". I changed that reference to "https://*******", and that corrected the problem. With that change, the servlet response showed all the proper insignia of SSL encryption.
Apparently the single reference to this image with "http:" was enough to make the browser regard the html source as insecure. Once the reference became "https:", the browser regarded the response as secure.
So the image resides within my web site. It is not "created" by the servlet, but is used by the servlet. There is probably a better way (relative path, rather than full url path) to specify banner.jpg's location, but I was being quick & dirty about getting to the image.
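The check below is an added example, not code from the original post. It scans the HTML a servlet returns for subresources that would load over plain `http:` when the page itself is served over `https:`, which is the condition behind the "contains unauthenticated content" warning. The host `shop.example`, the servlet path, and every file name except `banner.jpg` are constructed for the sample.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Tag -> attribute the browser fetches automatically while rendering the page.
# <a href> is deliberately absent: a link is navigation, not mixed content.
SUBRESOURCE_ATTRS = {"img": "src", "script": "src", "iframe": "src",
                     "embed": "src", "audio": "src", "video": "src",
                     "source": "src", "object": "data", "link": "href"}

class MixedContentFinder(HTMLParser):
    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.base = page_url      # replaced if the page declares <base href>
        self.findings = []        # (line, tag, attribute, resolved URL)

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "base" and attrs.get("href"):
            self.base = urljoin(self.page_url, attrs["href"])
            return
        attr = SUBRESOURCE_ATTRS.get(tag)
        value = attrs.get(attr) if attr else None
        if not value:
            return
        if tag == "link" and "stylesheet" not in (attrs.get("rel") or "").lower():
            return
        # Relative and protocol-relative references inherit the page's scheme.
        resolved = urljoin(self.base, value.strip())
        if urlsplit(resolved).scheme == "http":
            self.findings.append((self.getpos()[0], tag, attr, resolved))

def find_mixed_content(page_url, html):
    """Return the subresources an https page would fetch over plain http."""
    finder = MixedContentFinder(page_url)
    finder.feed(html)
    finder.close()
    return finder.findings

# Constructed sample of a servlet response (not the poster's real markup).
SAMPLE_URL = "https://shop.example/servlet/Purchase"
SAMPLE_HTML = """<html><head>
<link rel="stylesheet" href="/css/site.css">
</head><body>
<img src="http://shop.example/images/banner.jpg" alt="banner">
<img src="/images/logo.png" alt="logo">
<script src="//cdn.example/app.js"></script>
<a href="http://shop.example/help.html">Help</a>
</body></html>"""

if __name__ == "__main__":
    for line, tag, attr, url in find_mixed_content(SAMPLE_URL, SAMPLE_HTML):
        print(f"line {line}: <{tag} {attr}> loads {url}")
```

Only the hard-coded `http://` image is reported; the relative path and the protocol-relative script resolve to `https:` because they inherit the scheme of the page that references them.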