booster Posted January 5, 2005

Has anyone ever come across a situation where the "wrong" customer details are filled into a customer's order? Only happens every so often, the billing and shipping details are correct - but the customer address details belong to someone else!

The site uses a shared SSL on a different domain and originally the session IDs were file based - now stored in mysql - but that apparently hasn't fixed it. The orders are placed through the standard cc module.

The only thing I can think of is that the switch from cart to check-out is somehow being screwed up by the way the shared SSL is being implemented. But if so can't see any way to check that?

define('HTTP_SERVER', 'http://www.myserver.com'); // eg, http://localhost - should not be empty for productive servers
define('HTTPS_SERVER', 'https://securehostXX.hrwebservices.net/~myserver'); // eg, https://localhost - should not be empty for productive servers
define('ENABLE_SSL', true); // secure webserver for checkout procedure?
define('HTTP_COOKIE_DOMAIN', 'www.myserver.com');
define('HTTPS_COOKIE_DOMAIN', '');
define('HTTP_COOKIE_PATH', '/catalog/');
define('HTTPS_COOKIE_PATH', '');
define('DIR_WS_HTTP_CATALOG', '/catalog/');
define('DIR_WS_HTTPS_CATALOG', '/catalog/');

Anyone got any suggestions?

Dave.

booster Posted January 5, 2005

On a maybe related note... How can you determine if an osCommerce installation has been upgraded in the past? Am I correct in believing that with MS1 the Admin directory was at the same level as the Catalog directory rather than being under the Catalog with MS2?

Dave.

♥Vger Posted January 5, 2005

It can be that a search engine cached a page with one customer's session id on it, and the new customer entered the site from that link and had that session id.

You can also try this pathway

define('HTTPS_SERVER', 'https://securehostXX.hrwebservices.net/myserver.com'); //depends on the shared ssl set up as to which one is right

Vger

booster Posted January 5, 2005

> It can be that a search engine cached a page with one customer's session id on it, and the new customer entered the site from that link and had that session id.
>
> You can also try this pathway
>
> define('HTTPS_SERVER', 'https://securehostXX.hrwebservices.net/myserver.com'); //depends on the shared ssl set up as to which one is right
>
> Vger

Good point re: the session id capture - especially considering the owner had used embedded osc SIDs in some image links in an HTML page - until I cleared them out a week or so ago!

Arghh... I guess he's going to suffer from this for a while since these oscsid links are going to persist in Google and elsewhere for a while.

Anyone have any tips on anything that can be done to help this situation? :'(

Dave

♥Vger Posted January 6, 2005

Install a full ssl cert and turn on 'Force Cookie Use'. It will prevent all spiders (listed or not) from generating session ids.

Vger
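
The situation discussed above, a session id carried in a cached or published link and then picked up by a different visitor, leaves a trace in the web server's access log. The following is an added example, not part of the original posts and not osCommerce code: a Python check that flags any session id seen from more than one client or arriving with an external referer. The Apache combined log format, the `osCsid` parameter name and the sample log lines are assumptions constructed for illustration.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit, parse_qs

# Constructed sample lines in Apache combined log format (not taken from the thread).
SAMPLE_LOG = """\
203.0.113.5 - - [05/Jan/2005:10:01:02 +0000] "GET /catalog/index.php?osCsid=aaa111 HTTP/1.1" 200 512 "http://www.myserver.com/catalog/" "Mozilla/5.0 (Windows)"
203.0.113.5 - - [05/Jan/2005:10:02:10 +0000] "GET /catalog/checkout_shipping.php?osCsid=aaa111 HTTP/1.1" 200 734 "http://www.myserver.com/catalog/shopping_cart.php" "Mozilla/5.0 (Windows)"
198.51.100.7 - - [05/Jan/2005:10:03:44 +0000] "GET /catalog/index.php?osCsid=aaa111 HTTP/1.1" 200 512 "http://search.example/results?q=widgets" "Mozilla/4.0 (Mac)"
192.0.2.9 - - [05/Jan/2005:10:05:00 +0000] "GET /catalog/index.php?osCsid=bbb222 HTTP/1.1" 200 512 "-" "Opera/7.5"
"""

# ip, request URL, referer and user agent from one combined-format line.
LINE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?:\S+) (?P<url>\S+)[^"]*" '
    r'\d{3} \S+ "(?P<ref>[^"]*)" "(?P<ua>[^"]*)"')

def audit(log_text, own_hosts, param="osCsid"):
    """Return session ids that look shared or leaked, with the evidence."""
    clients = defaultdict(set)   # session id -> {(ip, user agent)}
    external = defaultdict(set)  # session id -> referer hosts outside the shop
    for line in log_text.splitlines():
        m = LINE.match(line)
        if not m:
            continue  # not a combined-format line
        query = parse_qs(urlsplit(m["url"]).query)
        # The thread spells the parameter "oscsid", so compare case-insensitively.
        sids = [v[0] for k, v in query.items() if k.lower() == param.lower()]
        if not sids:
            continue  # request carried no session id in the URL
        sid = sids[0]
        clients[sid].add((m["ip"], m["ua"]))
        ref_host = urlsplit(m["ref"]).hostname  # None for "-" or an empty referer
        if ref_host and ref_host not in own_hosts:
            external[sid].add(ref_host)
    findings = {}
    for sid, seen in clients.items():
        # More than one client, or an entry from outside, means the id has leaked.
        if len(seen) > 1 or sid in external:
            findings[sid] = {"clients": sorted(seen),
                             "external_referers": sorted(external[sid])}
    return findings

if __name__ == "__main__":
    for sid, info in audit(SAMPLE_LOG, {"www.myserver.com"}).items():
        print(sid, info)
```

Pass every hostname the shop is served from in `own_hosts`, including the shared SSL host, so that the switch from cart to checkout is not reported as an external referer.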

aspen Posted October 17, 2006

This problem has been happening to me, I'm fairly certain it's not SE related as I have the session id spider hack installed.

martijn.vreeken Posted March 21, 2007

I have the exact same problem too, as well as an angry client.

My session settings are:

Session Directory /tmp
Force Cookie Use False
Check SSL Session ID False
Check User Agent False
Check IP Address False
Prevent Spider Sessions True
Recreate Session True

Should I turn Force Cookie Use on? Would Check IP Address help?

fxeq12 Posted March 24, 2007

> I have the exact same problem too, as well as an angry client.
>
> My session settings are:
>
> Session Directory /tmp
> Force Cookie Use False
> Check SSL Session ID False
> Check User Agent False
> Check IP Address False
> Prevent Spider Sessions True
> Recreate Session True
>
> Should I turn Force Cookie Use on? Would Check IP Address help?

Yes my problem is exactly the same as you describe - have you had any luck with adjusting the session variables?

♥Vger Posted March 24, 2007

1. Purchase a full ssl cert (not shared) and set Force Cookie Use to 'true'
2. Make sure that you are not using the Cache facility when your site is on a shared server
3. Make the last line of both configure.php files read 'mysql' where indicated. This stores session data in the database and not in files, and the database automatically clears inactive sessions after 23 minutes of complete inactivity.

Vger

fxeq12 Posted March 26, 2007

> 1. Purchase a full ssl cert (not shared) and set Force Cookie Use to 'true'
> 2. Make sure that you are not using the Cache facility when your site is on a shared server
> 3. Make the last line of both configure.php files read 'mysql' where indicated. This stores session data in the database and not in files, and the database automatically clears inactive sessions after 23 minutes of complete inactivity.
>
> Vger

This store doesn't see a lot of activity but 3 orders later it seems to be fine. Thank you so much for the advice.

This topic is now archived and is closed to further replies.