osCommerce

Check User Agent


FixItPete


In my Admin I always had Check User Agent set to True... I was recently told that I should try to set it to False to take care of a problem I was having (Enhanced Who's Online contribution issue). My question is this:

A) The "Check User Agent" details indicate that it will check the user's agent on every page load if set to "True" --- So, if set to false, when does it check, and why would this matter?

B) Do the search engines care which way this is set? If they do, why? If they don't, who does care?

Thank you so much for your time,

Pete

I find the fun in everything.


I still don't get it... what is the point to this? I've been looking and reading and nothing explains why you would want it set to true. Confused.

I find the fun in everything.


Checking for user agent changes during a session is one of several security features that come with default osc. It is basically to prevent session hijacking. The user agent is stored in the session and the user agent given by every request is compared to that. If the user agent is different then the assumption is made that another user is trying to use someone else's session and then the session is destroyed.

The same is done with IP checking but that is not so good as some users (AOL) have changing IP addresses during the same session, which would cause session destruction on every IP change.

User agents normally do not change during a session.

So of all the different checks of the default osc install, the user agent one is the safest if you choose to enable such a hijack check.

Treasurer MFC


Thanks Amanda...

Does that mean that if two people come in off a link that has a session id, they may be able to see information they shouldn't?

I find the fun in everything.


Well, possibly.

You have 2 scenarios.

1) The innocent one where your page may have been indexed with a session id and 2 people click that link in the same timeframe.

Osc has the nasty habit that it will create a session id if it does not exist based on the id in the url.

So if session id AAA does not (no longer) exist but you use a link with osCSid=AAA as parameter then osc will actually create a session with that id. THE biggest security hole in osc in my opinion.

That would mean that those people will share the same session id and see each other's information.

But chances are reasonable that they have different user agents. If that is the case, the session is immediately destroyed when the second one comes in and each is given a new session id (different ones).

2) Someone deliberately changes his session id in the url with the intent to hijack someone's id.

The chances of that are extremely remote since it is a 32 character number you will have to guess and that session id has to be in use by someone else or there is no hijacking of course, but it is possible.

Treasurer MFC
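The user agent check described in Amanda's first reply (store the user agent in the session, compare it on every request, destroy the session on mismatch) and the shared-link scenario in her second reply, as an added Python model; this is constructed for the thread and is not osCommerce's code. `SessionStore`, `request`, `shared_link_scenario` and the `create_from_url_sid` switch are names assumed here; the osCSid parameter and the 32 character id come from the thread.

```python
import secrets

# Constructed model of two behaviours discussed in this thread: adopting an
# osCSid value from the URL even when no such session exists, and the
# "Check User Agent" test that destroys a session whose stored user agent
# differs from the one on the current request.
class SessionStore:
    def __init__(self, check_user_agent=True, create_from_url_sid=True):
        self.check_user_agent = check_user_agent
        self.create_from_url_sid = create_from_url_sid
        self.sessions = {}  # sid -> {"user_agent": str, "cart": list}

    def _new_session(self, user_agent, sid=None):
        # 32 hex characters, the same length as the id mentioned in the thread
        sid = sid or secrets.token_hex(16)
        self.sessions[sid] = {"user_agent": user_agent, "cart": []}
        return sid

    def request(self, url_sid, user_agent):
        """One page load. Returns (sid used, whether an existing session was destroyed)."""
        if url_sid is None:
            return self._new_session(user_agent), False
        if url_sid not in self.sessions:
            if self.create_from_url_sid:
                # The habit described above: create a session with the id from the URL.
                return self._new_session(user_agent, sid=url_sid), False
            # Hardened behaviour (assumed here): ignore unknown ids, issue a fresh one.
            return self._new_session(user_agent), False
        sess = self.sessions[url_sid]
        if self.check_user_agent and sess["user_agent"] != user_agent:
            # Mismatch: assume someone else is using this id; destroy the session
            # and give this request a brand-new id.
            del self.sessions[url_sid]
            return self._new_session(user_agent), True
        return url_sid, False


def shared_link_scenario(check_user_agent, create_from_url_sid, ua_first, ua_second):
    """Two visitors follow an indexed link carrying a stale osCSid within the
    same timeframe. Returns (both ended up in the same session, session destroyed)."""
    store = SessionStore(check_user_agent, create_from_url_sid)
    stale_sid = "a" * 32  # constructed: an id that no longer exists on the server
    sid_first, _ = store.request(stale_sid, ua_first)
    sid_second, destroyed = store.request(stale_sid, ua_second)
    return sid_first == sid_second, destroyed
```

With the check off and the URL id adopted, two visitors with any user agents share one session; with it on, differing user agents trigger destruction and the second visitor gets a fresh id; refusing unknown URL ids prevents the sharing regardless of user agent.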


Thank you Amanda, yet again. I think I'll be turning it back to "True".

I find the fun in everything.


Archived

This topic is now archived and is closed to further replies.
