
How to fix links to my site with osCid=...


jdvb


Posted

Customers copy-paste a URL into an e-mail, with an osCsid in it,

send that e-mail to multiple recipients, and because their IP does not match that of the poster they are redirected to the login page.

I could set check IP to false, but then they would get the same session.

Somehow this problem only arose since the last update, and I now see many visitors with the login.php page as their first page on my site.

For those osCsid links posted on other websites and customers who do allow me to see the referrer I could set up an .htaccess rewrite rule to strip the osCsid part from the URL when the referrer is not empty or equal to my own site, but that is only a partial solution to the problem.

I could also try and set the check IP function differently to simply create a new session for those visitors that have a different IP than the one set in the session variables. But then customers with changing IPs get screwed, and will not be able to place an order. Better might be to then only check IP when a cookie has not been set, and to store the IP the session was placed from in the cookie, and to verify that instead.

Has anyone else got any other ideas? Perhaps some more simple to implement than my second idea?
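The symptom described in this post (one e-mailed link opened by several people, who all end up on login.php) can be measured in the web server's access log before any code is changed. The script below is an added example, not code from the thread or from osCommerce: it parses Apache combined-format lines, picks out requests that carry a session id in the URL with an empty or external referer, and reports session ids that were presented from more than one client address. The log lines are constructed samples, `www.example.shop` is an assumed shop hostname, and the function names are this example's own (PHP 5 or later).

```php
<?php
// Added example (not from the thread): find session ids that arrived in the
// URL from several different client addresses, the signature of a shared link.

// Constructed sample log lines in Apache combined format (not real traffic).
$logLines = array(
    '203.0.113.5 - - [10/Mar/2024:10:00:01 +0000] "GET /product_info.php?products_id=12&osCsid=a1b2c3d4e5f60718 HTTP/1.1" 200 5123 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [10/Mar/2024:10:05:12 +0000] "GET /product_info.php?products_id=12&osCsid=a1b2c3d4e5f60718 HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
    '192.0.2.9 - - [10/Mar/2024:10:06:30 +0000] "GET /product_info.php?products_id=12&osCsid=a1b2c3d4e5f60718 HTTP/1.1" 302 0 "http://mail.example/" "Mozilla/5.0"',
    '192.0.2.9 - - [10/Mar/2024:10:07:44 +0000] "GET /login.php HTTP/1.1" 200 3210 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [10/Mar/2024:11:00:00 +0000] "GET /shopping_cart.php?osCsid=ffff000011112222 HTTP/1.1" 200 2000 "http://www.example.shop/default.php" "Mozilla/5.0"',
);

// Minimal combined-log parser: client IP, request URI and referer are all we need.
function parseLogLine($line) {
    $re = '/^(\S+) \S+ \S+ \[[^\]]+\] "(?:GET|POST|HEAD) (\S+) [^"]*" \d+ \S+ "([^"]*)" "[^"]*"$/';
    if (!preg_match($re, $line, $m)) {
        return null;
    }
    return array('ip' => $m[1], 'uri' => $m[2], 'referer' => $m[3]);
}

// Session id carried in the query string, or null when the URL has none.
function urlSessionId($uri, $name = 'osCsid') {
    $parts = parse_url($uri);
    if (!isset($parts['query'])) {
        return null;
    }
    parse_str($parts['query'], $params);
    return isset($params[$name]) ? $params[$name] : null;
}

// Map each URL-carried session id to the set of client addresses that presented
// it with an empty or external referer (links the shop's own pages generated
// carry the shop as referer and are ignored). Ids seen from more than one
// address are returned with their addresses.
function sharedUrlSessions(array $lines, $ownHost, $name = 'osCsid') {
    $seen = array();
    foreach ($lines as $line) {
        $entry = parseLogLine($line);
        if ($entry === null) {
            continue;
        }
        $sid = urlSessionId($entry['uri'], $name);
        if ($sid === null) {
            continue;
        }
        $refHost = parse_url($entry['referer'], PHP_URL_HOST);
        if ($refHost === $ownHost) {
            continue; // normal navigation inside the shop
        }
        $seen[$sid][$entry['ip']] = true;
    }
    $shared = array();
    foreach ($seen as $sid => $ips) {
        if (count($ips) > 1) {
            $shared[$sid] = array_keys($ips);
        }
    }
    return $shared;
}

foreach (sharedUrlSessions($logLines, 'www.example.shop') as $sid => $ips) {
    echo "session $sid presented from " . count($ips) . " addresses: " . implode(', ', $ips) . "\n";
}
```

Run against the real log with the shop's own hostname, the report gives a count of how many session ids are being handed around, which is the number to watch after the fixes further down the thread are in place: it should drop to the occasional crawler hit that the 301 then cleans up.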

Posted

 

IP checking is a bad idea as IPs can change on every request (AOL), then better use user-agent checking as that changes rarely per user per session.

If people e-mail session IDs and people en masse start to use them, and have the same user-agent, there is no prevention for that.

The only prevention I use is to check if the requested session (if in the URL) is still active and if not, disregard that session ID. That way everyone who comes in with the same session ID will get a new one. In other words, no session ID can be used unless explicitly issued by my system.

(Default osC simply activates any session ID you request and as such will activate any indexed session ID for everyone who requests it.)

Still, that only functions if the session is no longer active and as such is better suited for indexed links, as the chance that the session is still active when it has reached the index is virtually nil. It will of course also catch e-mailed session IDs if they happen to use them after the session has expired.

Treasurer MFC

Posted

thank you.

for all that would like this solution:

 

in application_top.php replace

if ($SESSION_IP_ADDRESS != $ip_address) {
  tep_session_destroy();
  tep_redirect(tep_href_link(FILENAME_LOGIN));
}

with

if (isset($HTTP_GET_VARS['osCsid'])) {
  // Look the URL-supplied session id up in the sessions table; only an unexpired
  // row means the id was issued by this shop and is still active.
  $sessionisnotactive = $HTTP_GET_VARS['osCsid'];
  $value_query = tep_db_query("select value from " . TABLE_SESSIONS . " where sesskey = '" . tep_db_input($sessionisnotactive) . "' and expiry > '" . time() . "'");
  $value = tep_db_fetch_array($value_query);
  if (!isset($value['value'])) {
    // Not active: drop the session and send the visitor to the same page without the osCsid part
    // (the pattern matches both ?osCsid= and &osCsid=, so the redirect never loops on itself)
    tep_session_destroy();
    $newpagetoredirectto = $_SERVER['REQUEST_URI'];
    $newpagetoredirectto = preg_replace("#(.*?)\??osCsid=(.*)#s", "\\1", $newpagetoredirectto);
    header("location: $newpagetoredirectto");
    exit(); // stop here so the rest of the page is not processed after the redirect
  }
}

and set check session IP to true (it will not check the IP, but whether or not the session is active, since that function has just been replaced).

 

edit: typo

Posted

 

yes, for mysql stored sessions. I use files so I have this code:

 

if (isset($_GET[tep_session_name()])) {
  // Sessions stored in files: the id from the URL is only valid if its session file exists
  if (!file_exists(SESSION_WRITE_DIRECTORY . '/sess_' . $_GET[tep_session_name()])) {
    unset($_GET[tep_session_name()]); // forget the unknown id so PHP does not start a session with it
    session_regenerate_id();
  }
}

Treasurer MFC

Posted

I edited my own code to include a moved permanent header:

header("HTTP/1.1 301 Moved Permanently");
header("location: $newpagetoredirectto");

now any spidered session IDs will be removed from any search engine after a revisit.

also applied the spiders session fix from Boxtel (contribution).

Posted

I believe I have an older build that doesn't have that code. In my application_top.php, I have:

 

define('TABLE_SESSIONS', 'sessions');

 

 

 

// check if sessions are supported, otherwise use the php3 compatible session class

if (!function_exists('session_start')) {

define('PHP_SESSION_NAME', 'sID');

define('PHP_SESSION_SAVE_PATH', '/tmp');

 

include(DIR_WS_CLASSES . 'sessions.php');

}

 

// define how the session functions will be used

require(DIR_WS_FUNCTIONS . 'sessions.php');

tep_session_name('osCsid');

Posted

the code from both the mysql fix and the file fix can be placed after the

if (!function_exists('session_start')) {
.....
...
}

part.

I do recommend using the redirect for the 301 permanent redirect (search engines will strip the osCsid part from their search results).

if (isset($HTTP_GET_VARS['osCsid'])) {
  // Sessions stored in MySQL: accept the id from the URL only if an unexpired row exists for it
  $sessionisnotactive = $HTTP_GET_VARS['osCsid'];
  $value_query = tep_db_query("select value from " . TABLE_SESSIONS . " where sesskey = '" . tep_db_input($sessionisnotactive) . "' and expiry > '" . time() . "'");
  $value = tep_db_fetch_array($value_query);
  if (!isset($value['value'])) {
    tep_session_destroy();
    // Same page without the osCsid part (matches both ?osCsid= and &osCsid=)
    $newpagetoredirectto = $_SERVER['REQUEST_URI'];
    $newpagetoredirectto = preg_replace("#(.*?)\??osCsid=(.*)#s", "\\1", $newpagetoredirectto);
    header("HTTP/1.1 301 Moved Permanently");
    header("location: $newpagetoredirectto");
    exit();
  }
}

 

and for files:

if (isset($_GET[tep_session_name()])) {
  // Sessions stored in files: accept the id from the URL only if its session file exists.
  // The redirect belongs inside this check; outside it, every request carrying a
  // valid osCsid would be redirected and stripped of it as well.
  if (!file_exists(SESSION_WRITE_DIRECTORY . '/sess_' . $_GET[tep_session_name()])) {
    unset($_GET[tep_session_name()]);
    $newpagetoredirectto = $_SERVER['REQUEST_URI'];
    $newpagetoredirectto = preg_replace("#(.*?)\??osCsid=(.*)#s", "\\1", $newpagetoredirectto);
    header("HTTP/1.1 301 Moved Permanently");
    header("location: $newpagetoredirectto");
    exit();
  }
}

also the check user agent feature that is by default in the application top I would change:

if ($SESSION_USER_AGENT != $http_user_agent) {
  tep_session_destroy();
  tep_redirect(tep_href_link(FILENAME_LOGIN));
}

change to:

if ($SESSION_USER_AGENT != $http_user_agent) {
  // User agent differs from the one the session was created with: drop the session
  // and 301 to the same page without the osCsid part instead of bouncing to the login page
  tep_session_destroy();
  $newpagetoredirectto = $_SERVER['REQUEST_URI'];
  $newpagetoredirectto = preg_replace("#(.*?)\??osCsid=(.*)#s", "\\1", $newpagetoredirectto);
  header("HTTP/1.1 301 Moved Permanently");
  header("location: $newpagetoredirectto");
  exit();
}

this way the customer does get to see the page he wants to, the search engine results get stripped of the osCsid part, and the customer gets a new session.

 

edit: typo
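The rule the thread settles on, first stated in the reply above about disregarding any session id the shop did not itself issue, and spelled out in this post as the MySQL check, the file check, the user-agent comparison and the 301 that strips osCsid, is collected below as stand-alone functions. This is an added example, not code from the thread or from osCommerce: `$activeSessions` is a constructed stand-in for the sessions table (sesskey => expiry) or the session files, the function names are this example's own, and it assumes PHP 5 or later. It goes one step beyond the posted snippets in that the parameter is removed wherever it sits in the query string, whereas the posted `preg_replace()` cuts everything from `osCsid=` to the end of the URI.

```php
<?php
// Added example (not osCommerce code): accept a URL-carried session id only if
// this server issued it and it has not expired; otherwise strip it from the
// request URI and answer with a 301 so browsers and crawlers forget it.

// Constructed sample store: two ids the shop issued, one of them expired.
$activeSessions = array(
    'a1b2c3d4e5f60718' => 4102444800, // still valid (expiry far in the future)
    'deadbeef00000000' => 946684800,  // expired: will be refused
);

// A session id taken from the URL counts only if it is in the store (the shop
// issued it) and has not expired. A copied or indexed link therefore cannot
// revive a session or share one between recipients.
function sessionIsActive($sid, array $store, $now) {
    return isset($store[$sid]) && $store[$sid] > $now;
}

// Remove one query parameter wherever it appears and keep the others in order.
function stripQueryParam($uri, $name) {
    $parts = parse_url($uri);
    $path = isset($parts['path']) ? $parts['path'] : '/';
    if (!isset($parts['query'])) {
        return $path;
    }
    parse_str($parts['query'], $params);
    unset($params[$name]);
    $query = http_build_query($params);
    return ($query === '') ? $path : $path . '?' . $query;
}

// Decide what application_top.php should do with the request: null means the
// request may proceed, anything else is the URI to redirect to.
function urlSessionRedirect($requestUri, array $store, $now, $sessionName = 'osCsid') {
    $parts = parse_url($requestUri);
    if (!isset($parts['query'])) {
        return null;                      // no session id in the URL: nothing to check
    }
    parse_str($parts['query'], $params);
    if (!isset($params[$sessionName])) {
        return null;
    }
    if (sessionIsActive($params[$sessionName], $store, $now)) {
        return null;                      // a live session this shop issued: let it through
    }
    return stripQueryParam($requestUri, $sessionName);
}

// The user-agent comparison from the thread: the string stored when the session
// was created must equal the one on this request, otherwise the session is not reused.
function userAgentMatches($storedAgent, $requestAgent) {
    return is_string($storedAgent) && $storedAgent === $requestAgent;
}

// Exercise the decision logic on constructed request URIs.
$now = 1700000000;
$requests = array(
    '/product_info.php?products_id=12&osCsid=deadbeef00000000',   // expired: redirect
    '/product_info.php?osCsid=deadbeef00000000&products_id=12',   // expired, first parameter
    '/product_info.php?products_id=12&osCsid=a1b2c3d4e5f60718',   // active: proceed
    '/default.php?osCsid=0000000000000000',                       // never issued: redirect
    '/default.php',                                               // no id: proceed
);
foreach ($requests as $uri) {
    $target = urlSessionRedirect($uri, $activeSessions, $now);
    if ($target === null) {
        echo $uri . " -> proceed\n";
        continue;
    }
    // In application_top.php this is the point to destroy the session and redirect:
    //   tep_session_destroy();
    //   header('HTTP/1.1 301 Moved Permanently');
    //   header('Location: ' . $target);
    //   exit();
    echo $uri . " -> 301 " . $target . "\n";
}
```

In a real install `sessionIsActive()` is backed by the `expiry > time()` query against TABLE_SESSIONS or the `file_exists()` test on SESSION_WRITE_DIRECTORY, exactly as in the posted snippets; only the decision and the URI rewriting are factored out here so they can be tried on sample input. The `exit()` after the Location header is not optional: without it the rest of application_top.php and the page still run for a request whose session was just destroyed.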

Posted

My code doesn't have that either. Here is my entire application_top.php file:

 

<?php

/*

$Id: application_top.php,v 1.264 2003/02/17 16:37:52 hpdl Exp $

 

osCommerce, Open Source E-Commerce Solutions

http://www.oscommerce.com

 

Copyright © 2003 osCommerce

 

Released under the GNU General Public License

*/

 

// start the timer for the page parse time log

define('PAGE_PARSE_START_TIME', microtime());

 

// set the level of error reporting

error_reporting(E_ALL & ~E_NOTICE);

 

// check if register_globals is enabled.

// since this is a temporary measure this message is hardcoded. The requirement will be removed before 2.2 is finalized.

if (function_exists('ini_get')) {

ini_get('register_globals') or exit('FATAL ERROR: register_globals is disabled in php.ini, please enable it!');

}

 

// disable use_trans_sid as tep_href_link() does this manually

if (function_exists('ini_set')) @ini_set('session.use_trans_sid', 0);

 

// Set the local configuration parameters - mainly for developers

if (file_exists('includes/local/configure.php')) include('includes/local/configure.php');

 

// include server parameters

require('includes/configure.php');

 

// CATALOG_PRODUCTS_WITH_IMAGES_mod

# START Printable Catalog V 2.3

define('FILENAME_CATALOG_PRODUCTS_WITH_IMAGES', 'catalog_products_with_images.php');

# END Printable Catalog V 2.3

 

// define the project version

define('PROJECT_VERSION', 'osCommerce 2.2-MS1');

 

// set the type of request (secure or not)

$request_type = (getenv('HTTPS') == 'on') ? 'SSL' : 'NONSSL';

 

// define the filenames used in the project

define('FILENAME_ACCOUNT', 'account.php');

define('FILENAME_ACCOUNT_EDIT', 'account_edit.php');

define('FILENAME_ACCOUNT_EDIT_PROCESS', 'account_edit_process.php');

define('FILENAME_ACCOUNT_HISTORY', 'account_history.php');

define('FILENAME_ACCOUNT_HISTORY_INFO', 'account_history_info.php');

define('FILENAME_ADDRESS_BOOK', 'address_book.php');

define('FILENAME_ADDRESS_BOOK_PROCESS', 'address_book_process.php');

define('FILENAME_ADVANCED_SEARCH', 'advanced_search.php');

define('FILENAME_ADVANCED_SEARCH_RESULT', 'advanced_search_result.php');

define('FILENAME_ALSO_PURCHASED_PRODUCTS', 'also_purchased_products.php'); // This is the bottom of product_info.php (found in modules)

define('FILENAME_CHECKOUT_CONFIRMATION', 'checkout_confirmation.php');

define('FILENAME_CHECKOUT_PAYMENT', 'checkout_payment.php');

define('FILENAME_CHECKOUT_PAYMENT_ADDRESS', 'checkout_payment_address.php');

define('FILENAME_CHECKOUT_PAYPALIPN', 'checkout_paypalipn.php'); // PAYPALIPN

define('FILENAME_CHECKOUT_PROCESS', 'checkout_process.php');

define('FILENAME_CHECKOUT_SHIPPING', 'checkout_shipping.php');

define('FILENAME_CHECKOUT_SHIPPING_ADDRESS', 'checkout_shipping_address.php');

define('FILENAME_CHECKOUT_SUCCESS', 'checkout_success.php');

define('FILENAME_CONTACT_US', 'contact_us.php');

define('FILENAME_CONDITIONS', 'conditions.php');

define('FILENAME_CREATE_ACCOUNT', 'create_account.php');

define('FILENAME_CREATE_ACCOUNT_PROCESS', 'create_account_process.php');

define('FILENAME_CREATE_ACCOUNT_SUCCESS', 'create_account_success.php');

define('FILENAME_DEFAULT', 'default.php');

define('FILENAME_DOWNLOAD', 'download.php');

define('FILENAME_INFO_SHOPPING_CART', 'info_shopping_cart.php');

define('FILENAME_LOGIN', 'login.php');

define('FILENAME_LOGOFF', 'logoff.php');

define('FILENAME_NEW_PRODUCTS', 'new_products.php'); // This is the middle of default.php (found in modules)

define('FILENAME_PASSWORD_FORGOTTEN', 'password_forgotten.php');

define('FILENAME_POPUP_IMAGE', 'popup_image.php');

define('FILENAME_POPUP_SEARCH_HELP', 'popup_search_help.php');

define('FILENAME_POPUP_CVV', 'popup_cvv.php'); //cvv contribution

define('FILENAME_PRIVACY', 'privacy.php');

define('FILENAME_PRODUCT_INFO', 'product_info.php');

define('FILENAME_PRODUCT_LISTING', 'product_listing.php');

define('FILENAME_PRODUCT_NOTIFICATIONS', 'product_notifications.php');

define('FILENAME_PRODUCT_REVIEWS', 'product_reviews.php');

define('FILENAME_PRODUCT_REVIEWS_INFO', 'product_reviews_info.php');

define('FILENAME_PRODUCT_REVIEWS_WRITE', 'product_reviews_write.php');

define('FILENAME_PRODUCTS_NEW', 'products_new.php');

define('FILENAME_REDIRECT', 'redirect.php');

define('FILENAME_REVIEWS', 'reviews.php');

define('FILENAME_SHIPPING', 'shipping.php');

define('FILENAME_SHOPPING_CART', 'shopping_cart.php');

define('FILENAME_SPECIALS', 'specials.php');

define('FILENAME_TELL_A_FRIEND', 'tell_a_friend.php');

define('FILENAME_UPCOMING_PRODUCTS', 'upcoming_products.php'); // This is the bottom of default.php (found in modules)

 

// define the database table names used in the project

define('TABLE_ADDRESS_BOOK', 'address_book');

define('TABLE_ADDRESS_FORMAT', 'address_format');

define('TABLE_BANNERS', 'banners');

define('TABLE_BANNERS_HISTORY', 'banners_history');

define('TABLE_CATEGORIES', 'categories');

define('TABLE_CATEGORIES_DESCRIPTION', 'categories_description');

define('TABLE_CONFIGURATION', 'configuration');

define('TABLE_CONFIGURATION_GROUP', 'configuration_group');

define('TABLE_COUNTER', 'counter');

define('TABLE_COUNTER_HISTORY', 'counter_history');

define('TABLE_COUNTRIES', 'countries');

define('TABLE_CURRENCIES', 'currencies');

define('TABLE_CUSTOMERS', 'customers');

define('TABLE_CUSTOMERS_BASKET', 'customers_basket');

define('TABLE_CUSTOMERS_BASKET_ATTRIBUTES', 'customers_basket_attributes');

define('TABLE_CUSTOMERS_INFO', 'customers_info');

define('TABLE_LANGUAGES', 'languages');

define('TABLE_MANUFACTURERS', 'manufacturers');

define('TABLE_MANUFACTURERS_INFO', 'manufacturers_info');

define('TABLE_ORDERS', 'orders');

define('TABLE_ORDERS_PRODUCTS', 'orders_products');

define('TABLE_ORDERS_PRODUCTS_ATTRIBUTES', 'orders_products_attributes');

define('TABLE_ORDERS_PRODUCTS_DOWNLOAD', 'orders_products_download');

define('TABLE_ORDERS_STATUS', 'orders_status');

define('TABLE_ORDERS_STATUS_HISTORY', 'orders_status_history');

define('TABLE_ORDERS_TOTAL', 'orders_total');

define('TABLE_PAYPALIPN_TXN', 'paypalipn_txn'); // PAYPALIPN

define('TABLE_PRODUCTS', 'products');

define('TABLE_PRODUCTS_ATTRIBUTES', 'products_attributes');

define('TABLE_PRODUCTS_ATTRIBUTES_DOWNLOAD', 'products_attributes_download');

define('TABLE_PRODUCTS_DESCRIPTION', 'products_description');

define('TABLE_PRODUCTS_NOTIFICATIONS', 'products_notifications');

define('TABLE_PRODUCTS_OPTIONS', 'products_options');

define('TABLE_PRODUCTS_OPTIONS_VALUES', 'products_options_values');

define('TABLE_PRODUCTS_OPTIONS_VALUES_TO_PRODUCTS_OPTIONS', 'products_options_values_to_products_options');

define('TABLE_PRODUCTS_TO_CATEGORIES', 'products_to_categories');

define('TABLE_REVIEWS', 'reviews');

define('TABLE_REVIEWS_DESCRIPTION', 'reviews_description');

define('TABLE_SESSIONS', 'sessions');

define('TABLE_SPECIALS', 'specials');

define('TABLE_TAX_CLASS', 'tax_class');

define('TABLE_TAX_RATES', 'tax_rates');

define('TABLE_GEO_ZONES', 'geo_zones');

define('TABLE_ZONES_TO_GEO_ZONES', 'zones_to_geo_zones');

define('TABLE_WHOS_ONLINE', 'whos_online');

define('TABLE_ZONES', 'zones');

 

// Control what fields of the customer table are used

define('ACCOUNT_GENDER', false);

define('ACCOUNT_DOB', false);

define('ACCOUNT_COMPANY', false);

define('ACCOUNT_SUBURB', false);

define('ACCOUNT_STATE', true);

 

// Categories Box: recursive products count

define('SHOW_COUNTS', 'true'); // show category count: true=Yes False=No

define('USE_RECURSIVE_COUNT', 'true'); // recursive count: true=Yes False=No

 

// customization for the design layout

define('BOX_WIDTH', 125); // how wide the boxes should be in pixels (default: 125)

 

// check if sessions are supported, otherwise use the php3 compatible session class

if (!function_exists('session_start')) {

define('PHP_SESSION_NAME', 'sID');

define('PHP_SESSION_SAVE_PATH', '/tmp');

 

include(DIR_WS_CLASSES . 'sessions.php');

}

 

// define how the session functions will be used

require(DIR_WS_FUNCTIONS . 'sessions.php');

tep_session_name('osCsid');

 

// include the database functions

require(DIR_WS_FUNCTIONS . 'database.php');

 

// make a connection to the database... now

tep_db_connect() or die('Unable to connect to database server!');

 

// set the application parameters (can be modified through the administration tool)

$configuration_query = tep_db_query('select configuration_key as cfgKey, configuration_value as cfgValue from ' . TABLE_CONFIGURATION . '');

while ($configuration = tep_db_fetch_array($configuration_query)) {

define($configuration['cfgKey'], $configuration['cfgValue']);

}

 

// if gzip_compression is enabled, start to buffer the output

if ( (GZIP_COMPRESSION == 'true') && ($ext_zlib_loaded = extension_loaded('zlib')) && (PHP_VERSION >= '4') ) {

if (($ini_zlib_output_compression = (int)ini_get('zlib.output_compression')) < 1) {

if (PHP_VERSION >= '4.0.4') {

ob_start('ob_gzhandler');

} else {

include(DIR_WS_FUNCTIONS . 'gzip_compression.php');

ob_start();

ob_implicit_flush();

}

} else {

ini_set('zlib.output_compression_level', GZIP_LEVEL);

}

}

 

// set the HTTP GET parameters manually if search_engine_friendly_urls is enabled

if (SEARCH_ENGINE_FRIENDLY_URLS == 'true') {

if (strlen(getenv('PATH_INFO')) > 1) {

$GET_arrays = array();

$PHP_SELF = str_replace(getenv('PATH_INFO'), '', $HTTP_SERVER_VARS['PHP_SELF']);

$vars = explode('/', substr(getenv('PATH_INFO'), 1));

for ($i=0, $n=sizeof($vars); $i<$n; $i++) {

if (strpos($vars[$i], '[]')) {

$GET_arrays[substr($vars[$i], 0, -2)][] = $vars[$i+1];

} else {

$HTTP_GET_VARS[$vars[$i]] = $vars[$i+1];

}

$i++;

}

 

if (sizeof($GET_arrays) > 0) {

while (list($key, $value) = each($GET_arrays)) {

$HTTP_GET_VARS[$key] = $value;

}

}

}

} else {

$PHP_SELF = $HTTP_SERVER_VARS['PHP_SELF'];

}

 

// include cache functions if enabled

if (USE_CACHE == 'true') include(DIR_WS_FUNCTIONS . 'cache.php');

 

// include shopping cart class

require(DIR_WS_CLASSES . 'shopping_cart.php');

 

// include navigation history class

require(DIR_WS_CLASSES . 'navigation_history.php');

 

// some code to solve compatibility issues

require(DIR_WS_FUNCTIONS . 'compatibility.php');

 

// lets start our session

if (isset($HTTP_POST_VARS[tep_session_name()])) {

tep_session_id($HTTP_POST_VARS[tep_session_name()]);

} elseif ( (getenv('HTTPS') == 'on') && isset($HTTP_GET_VARS[tep_session_name()]) ) {

tep_session_id($HTTP_GET_VARS[tep_session_name()]);

}

 

if (function_exists('session_set_cookie_params')) {

session_set_cookie_params(0, substr(DIR_WS_CATALOG, 0, -1));

}

 

tep_session_start();

 

// Create the cart & Fix the cart if necesary

if (tep_session_is_registered('cart') && is_object($cart)) {

if (PHP_VERSION < 4) {

$broken_cart = $cart;

$cart = new shoppingCart;

$cart->unserialize($broken_cart);

}

} else {

tep_session_register('cart');

$cart = new shoppingCart;

}

 

// include currencies class and create an instance

require(DIR_WS_CLASSES . 'currencies.php');

$currencies = new currencies();

 

// include the mail classes

require(DIR_WS_CLASSES . 'mime.php');

require(DIR_WS_CLASSES . 'email.php');

 

// language

if (!tep_session_is_registered('language') || isset($HTTP_GET_VARS['language'])) {

if (!tep_session_is_registered('language')) {

tep_session_register('language');

tep_session_register('languages_id');

}

 

include(DIR_WS_CLASSES . 'language.php');

$lng = new language($HTTP_GET_VARS['language']);

 

if (!isset($HTTP_GET_VARS['language'])) $lng->get_browser_language();

 

$language = $lng->language['directory'];

$languages_id = $lng->language['id'];

}

 

// include the language translations

require(DIR_WS_LANGUAGES . $language . '.php');

 

if ( $spider_flag == true ){

if ( eregi(tep_session_name(), $_SERVER['REQUEST_URI']) ){

$location = tep_href_link(basename($_SERVER['SCRIPT_NAME']), tep_get_all_get_params(array(tep_session_name())), 'NONSSL', false);

header("HTTP/1.0 301 Moved Permanently");

header("Location: $location"); // redirect...bye bye

}

}

 

// define our general functions used application-wide

require(DIR_WS_FUNCTIONS . 'general.php');

require(DIR_WS_FUNCTIONS . 'html_output.php');

 

// currency

if (!tep_session_is_registered('currency') || isset($HTTP_GET_VARS['currency']) || ( (USE_DEFAULT_LANGUAGE_CURRENCY == 'true') && (LANGUAGE_CURRENCY != $currency) ) ) {

if (!tep_session_is_registered('currency')) tep_session_register('currency');

 

if (isset($HTTP_GET_VARS['currency'])) {

if (!$currency = tep_currency_exists($HTTP_GET_VARS['currency'])) $currency = (USE_DEFAULT_LANGUAGE_CURRENCY == 'true') ? LANGUAGE_CURRENCY : DEFAULT_CURRENCY;

} else {

$currency = (USE_DEFAULT_LANGUAGE_CURRENCY == 'true') ? LANGUAGE_CURRENCY : DEFAULT_CURRENCY;

}

}

 

// navigation history

if (tep_session_is_registered('navigation')) {

if (PHP_VERSION < 4) {

$broken_navigation = $navigation;

$navigation = new navigationHistory;

$navigation->unserialize($broken_navigation);

}

} else {

tep_session_register('navigation');

$navigation = new navigationHistory;

}

$navigation->add_current_page();

 

// Shopping cart actions

if (isset($HTTP_GET_VARS['action'])) {

if (DISPLAY_CART == 'true') {

$goto = FILENAME_SHOPPING_CART;

$parameters = array('action', 'cPath', 'products_id', 'pid');

} else {

$goto = basename($PHP_SELF);

if ($HTTP_GET_VARS['action'] == 'buy_now') {

$parameters = array('action', 'pid', 'products_id');

} else {

$parameters = array('action', 'pid');

}

}

switch ($HTTP_GET_VARS['action']) {

// customer wants to update the product quantity in their shopping cart

case 'update_product' : for ($i=0, $n=sizeof($HTTP_POST_VARS['products_id']); $i<$n; $i++) {

if (in_array($HTTP_POST_VARS['products_id'][$i], (is_array($HTTP_POST_VARS['cart_delete']) ? $HTTP_POST_VARS['cart_delete'] : array()))) {

$cart->remove($HTTP_POST_VARS['products_id'][$i]);

} else {

if (PHP_VERSION < 4) {

// if PHP3, make correction for lack of multidimensional array.

reset($HTTP_POST_VARS);

while (list($key, $value) = each($HTTP_POST_VARS)) {

if (is_array($value)) {

while (list($key2, $value2) = each($value)) {

if (ereg ("(.*)\]\[(.*)", $key2, $var)) {

$id2[$var[1]][$var[2]] = $value2;

}

}

}

}

$attributes = ($id2[$HTTP_POST_VARS['products_id'][$i]]) ? $id2[$HTTP_POST_VARS['products_id'][$i]] : '';

} else {

$attributes = ($HTTP_POST_VARS['id'][$HTTP_POST_VARS['products_id'][$i]]) ? $HTTP_POST_VARS['id'][$HTTP_POST_VARS['products_id'][$i]] : '';

}

$cart->add_cart($HTTP_POST_VARS['products_id'][$i], $HTTP_POST_VARS['cart_quantity'][$i], $attributes, false);

}

}

tep_redirect(tep_href_link($goto, tep_get_all_get_params($parameters)));

break;

// customer adds a product from the products page

case 'add_product' : if (isset($HTTP_POST_VARS['products_id']) && is_numeric($HTTP_POST_VARS['products_id'])) {

$cart->add_cart($HTTP_POST_VARS['products_id'], $cart->get_quantity(tep_get_uprid($HTTP_POST_VARS['products_id'], $HTTP_POST_VARS['id']))+1, $HTTP_POST_VARS['id']);

}

tep_redirect(tep_href_link($goto, tep_get_all_get_params($parameters)));

break;

// performed by the 'buy now' button in product listings and review page

case 'buy_now' : if (isset($HTTP_GET_VARS['products_id'])) {

if (tep_has_product_attributes($HTTP_GET_VARS['products_id'])) {

tep_redirect(tep_href_link(FILENAME_PRODUCT_INFO, 'products_id=' . $HTTP_GET_VARS['products_id']));

} else {

$cart->add_cart($HTTP_GET_VARS['products_id'], $cart->get_quantity($HTTP_GET_VARS['products_id'])+1);

}

}

tep_redirect(tep_href_link($goto, tep_get_all_get_params($parameters)));

break;

case 'notify' : if (tep_session_is_registered('customer_id')) {

if (isset($HTTP_GET_VARS['products_id'])) {

$notify = $HTTP_GET_VARS['products_id'];

} elseif (isset($HTTP_GET_VARS['notify'])) {

$notify = $HTTP_GET_VARS['notify'];

} elseif (isset($HTTP_POST_VARS['notify'])) {

$notify = $HTTP_POST_VARS['notify'];

} else {

tep_redirect(tep_href_link(basename($PHP_SELF), tep_get_all_get_params(array('action', 'notify'))));

}

if (!is_array($notify)) $notify = array($notify);

for ($i=0, $n=sizeof($notify); $i<$n; $i++) {

$check_query = tep_db_query("select count(*) as count from " . TABLE_PRODUCTS_NOTIFICATIONS . " where products_id = '" . $notify[$i] . "' and customers_id = '" . $customer_id . "'");

$check = tep_db_fetch_array($check_query);

if ($check['count'] < 1) {

tep_db_query("insert into " . TABLE_PRODUCTS_NOTIFICATIONS . " (products_id, customers_id, date_added) values ('" . $notify[$i] . "', '" . $customer_id . "', now())");

}

}

tep_redirect(tep_href_link(basename($PHP_SELF), tep_get_all_get_params(array('action', 'notify'))));

} else {

$navigation->set_snapshot();

tep_redirect(tep_href_link(FILENAME_LOGIN, '', 'SSL'));

}

break;

case 'notify_remove' : if (tep_session_is_registered('customer_id') && isset($HTTP_GET_VARS['products_id'])) {

$check_query = tep_db_query("select count(*) as count from " . TABLE_PRODUCTS_NOTIFICATIONS . " where products_id = '" . $HTTP_GET_VARS['products_id'] . "' and customers_id = '" . $customer_id . "'");

$check = tep_db_fetch_array($check_query);

if ($check['count'] > 0) {

tep_db_query("delete from " . TABLE_PRODUCTS_NOTIFICATIONS . " where products_id = '" . $HTTP_GET_VARS['products_id'] . "' and customers_id = '" . $customer_id . "'");

}

tep_redirect(tep_href_link(basename($PHP_SELF), tep_get_all_get_params(array('action'))));

} else {

$navigation->set_snapshot();

tep_redirect(tep_href_link(FILENAME_LOGIN, '', 'SSL'));

}

break;

case 'cust_order' : if (tep_session_is_registered('customer_id') && isset($HTTP_GET_VARS['pid'])) {

if (tep_has_product_attributes($HTTP_GET_VARS['pid'])) {

tep_redirect(tep_href_link(FILENAME_PRODUCT_INFO, 'products_id=' . $HTTP_GET_VARS['pid']));

} else {

$cart->add_cart($HTTP_GET_VARS['pid'], $cart->get_quantity($HTTP_GET_VARS['pid'])+1);

}

}

tep_redirect(tep_href_link($goto, tep_get_all_get_params($parameters)));

break;

}

}

 

// include the who's online functions

require(DIR_WS_FUNCTIONS . 'whos_online.php');

tep_update_whos_online();

 

// include the password crypto functions

require(DIR_WS_FUNCTIONS . 'password_funcs.php');

 

// include validation functions (right now only email address)

require(DIR_WS_FUNCTIONS . 'validations.php');

 

// split-page-results

require(DIR_WS_CLASSES . 'split_page_results.php');

 

// infobox

require(DIR_WS_CLASSES . 'boxes.php');

 

// auto activate and expire banners

require(DIR_WS_FUNCTIONS . 'banner.php');

tep_activate_banners();

tep_expire_banners();

 

// auto expire special products

require(DIR_WS_FUNCTIONS . 'specials.php');

tep_expire_specials();

 

// calculate category path

if (isset($HTTP_GET_VARS['cPath'])) {

$cPath = $HTTP_GET_VARS['cPath'];

} elseif (isset($HTTP_GET_VARS['products_id']) && !isset($HTTP_GET_VARS['manufacturers_id'])) {

$cPath = tep_get_product_path($HTTP_GET_VARS['products_id']);

} else {

$cPath = '';

}

 

if (tep_not_null($cPath)) {

$cPath_array = tep_parse_category_path($cPath);

$cPath = implode('_', $cPath_array);

$current_category_id = $cPath_array[(sizeof($cPath_array)-1)];

} else {

$current_category_id = 0;

}

 

// include the breadcrumb class and start the breadcrumb trail

require(DIR_WS_CLASSES . 'breadcrumb.php');

$breadcrumb = new breadcrumb;

 

$breadcrumb->add(HEADER_TITLE_TOP, HTTP_SERVER);

$breadcrumb->add(HEADER_TITLE_CATALOG, tep_href_link(FILENAME_DEFAULT));

 

// add category names or the manufacturer name to the breadcrumb trail

if (isset($cPath_array)) {

for ($i=0, $n=sizeof($cPath_array); $i<$n; $i++) {

$categories_query = tep_db_query("select categories_name from " . TABLE_CATEGORIES_DESCRIPTION . " where categories_id = '" . $cPath_array[$i] . "' and language_id='" . $languages_id . "'");

if (tep_db_num_rows($categories_query) > 0) {

$categories = tep_db_fetch_array($categories_query);

$breadcrumb->add($categories['categories_name'], tep_href_link(FILENAME_DEFAULT, 'cPath=' . implode('_', array_slice($cPath_array, 0, ($i+1)))));

} else {

break;

}

}

} elseif (isset($HTTP_GET_VARS['manufacturers_id'])) {

$manufacturers_query = tep_db_query("select manufacturers_name from " . TABLE_MANUFACTURERS . " where manufacturers_id = '" . $HTTP_GET_VARS['manufacturers_id'] . "'");

$manufacturers = tep_db_fetch_array($manufacturers_query);

$breadcrumb->add($manufacturers['manufacturers_name'], tep_href_link(FILENAME_DEFAULT, 'manufacturers_id=' . $HTTP_GET_VARS['manufacturers_id']));

}

 

// add the products model to the breadcrumb trail

if (isset($HTTP_GET_VARS['products_id'])) {

$model_query = tep_db_query("select products_model from " . TABLE_PRODUCTS . " where products_id = '" . $HTTP_GET_VARS['products_id'] . "'");

$model = tep_db_fetch_array($model_query);

$breadcrumb->add($model['products_model'], tep_href_link(FILENAME_PRODUCT_INFO, 'cPath=' . $cPath . '&products_id=' . $HTTP_GET_VARS['products_id']));

}

 

// set which precautions should be checked

define('WARN_INSTALL_EXISTENCE', 'true');

define('WARN_CONFIG_WRITEABLE', 'true');

define('WARN_SESSION_DIRECTORY_NOT_WRITEABLE', 'true');

define('WARN_SESSION_AUTO_START', 'true');

define('WARN_DOWNLOAD_DIRECTORY_NOT_READABLE', 'true');

?>

Posted

old version indeed.

insert at the bottom:

$http_user_agent = getenv('HTTP_USER_AGENT');
// Remember the user agent the session was created with
if (!tep_session_is_registered('SESSION_USER_AGENT')) {
  $SESSION_USER_AGENT = $http_user_agent;
  tep_session_register('SESSION_USER_AGENT');
}

if ($SESSION_USER_AGENT != $http_user_agent) {
  // Different user agent than the session was created with: drop the session and
  // 301 to the same page without the osCsid part
  tep_session_destroy();
  $newpagetoredirectto = $_SERVER['REQUEST_URI'];
  $newpagetoredirectto = preg_replace("#(.*?)\??osCsid=(.*)#s", "\\1", $newpagetoredirectto);
  header("HTTP/1.1 301 Moved Permanently");
  header("location: $newpagetoredirectto");
  exit();
}

if (isset($_GET[tep_session_name()])) {
  // Session id given in the URL but no session file for it: drop it and redirect without it.
  // The redirect belongs inside this check so that requests carrying a valid id pass through.
  if (!file_exists(SESSION_WRITE_DIRECTORY . '/sess_' . $_GET[tep_session_name()])) {
    unset($_GET[tep_session_name()]);
    $newpagetoredirectto = $_SERVER['REQUEST_URI'];
    $newpagetoredirectto = preg_replace("#(.*?)\??osCsid=(.*)#s", "\\1", $newpagetoredirectto);
    header("HTTP/1.1 301 Moved Permanently");
    header("location: $newpagetoredirectto");
    exit();
  }
}

Posted

I added that to the bottom and now when I add an item to the cart, I get this message:

Your Shopping Cart is empty!

// set which precautions should be checked
define('WARN_INSTALL_EXISTENCE', 'true');
define('WARN_CONFIG_WRITEABLE', 'true');
define('WARN_SESSION_DIRECTORY_NOT_WRITEABLE', 'true');
define('WARN_SESSION_AUTO_START', 'true');
define('WARN_DOWNLOAD_DIRECTORY_NOT_READABLE', 'true');

$http_user_agent = getenv('HTTP_USER_AGENT');

if (!tep_session_is_registered('SESSION_USER_AGENT')) {
  $SESSION_USER_AGENT = $http_user_agent;
  tep_session_register('SESSION_USER_AGENT');
}

if ($SESSION_USER_AGENT != $http_user_agent) {
  tep_session_destroy();
  $newpagetoredirectto = $_SERVER['REQUEST_URI'];
  $newpagetoredirectto = preg_replace("#(.*?)\??osCsid=(.*)#s", "\\1", $newpagetoredirectto);
  header("HTTP/1.1 301 Moved Permanently");
  header("location: $newpagetoredirectto");
  exit();
}

if (isset($_GET[tep_session_name()])) {
  if (!file_exists(SESSION_WRITE_DIRECTORY.'/sess_'.$_GET[tep_session_name()])) {
    unset($_GET[tep_session_name()]);
  }
  $newpagetoredirectto = $_SERVER['REQUEST_URI'];
  $newpagetoredirectto = preg_replace("#(.*?)\??osCsid=(.*)#s", "\\1", $newpagetoredirectto);
  header("HTTP/1.1 301 Moved Permanently");
  header("location: $newpagetoredirectto");
  exit();
}

$http_user_agent = getenv('HTTP_USER_AGENT');

if (!tep_session_is_registered('SESSION_USER_AGENT')) {
  $SESSION_USER_AGENT = $http_user_agent;
  tep_session_register('SESSION_USER_AGENT');
}

if ($SESSION_USER_AGENT != $http_user_agent) {
  tep_session_destroy();
  $newpagetoredirectto = $_SERVER['REQUEST_URI'];
  $newpagetoredirectto = preg_replace("#(.*?)\??osCsid=(.*)#s", "\\1", $newpagetoredirectto);
  header("HTTP/1.1 301 Moved Permanently");
  header("location: $newpagetoredirectto");
  exit();
}

if (isset($_GET[tep_session_name()])) {
  if (!file_exists(SESSION_WRITE_DIRECTORY.'/sess_'.$_GET[tep_session_name()])) {
    unset($_GET[tep_session_name()]);
  }
  $newpagetoredirectto = $_SERVER['REQUEST_URI'];
  $newpagetoredirectto = preg_replace("#(.*?)\??osCsid=(.*)#s", "\\1", $newpagetoredirectto);
  header("HTTP/1.1 301 Moved Permanently");
  header("location: $newpagetoredirectto");
  exit();
}

?>

Posted

first of all, you applied the patch twice (remove one instance), but this would not be the problem I guess, since on failure the second would not be executed due to the exit() command.

for this version of the fix you need to store your sessions in files (not MySQL for this post; the MySQL fix was posted first).

can you replace the sessions.php file with the latest version?

perhaps the problem now originates there.

you could also try to skip the user agent check and remove that part of the fix (more chance of the wrong customer signing in):

$http_user_agent = getenv('HTTP_USER_AGENT');

if (!tep_session_is_registered('SESSION_USER_AGENT')) {
  $SESSION_USER_AGENT = $http_user_agent;
  tep_session_register('SESSION_USER_AGENT');
}

if ($SESSION_USER_AGENT != $http_user_agent) {
  tep_session_destroy();
  $newpagetoredirectto = $_SERVER['REQUEST_URI'];
  $newpagetoredirectto = preg_replace("#(.*?)\??osCsid=(.*)#s", "\\1", $newpagetoredirectto);
  header("HTTP/1.1 301 Moved Permanently");
  header("location: $newpagetoredirectto");
  exit();
}

i.e. you will just keep this part:

// file-based sessions: drop an osCsid that has no session file behind it
if (isset($_GET[tep_session_name()])) {
  if (!file_exists(SESSION_WRITE_DIRECTORY.'/sess_'.$_GET[tep_session_name()])) {
    unset($_GET[tep_session_name()]);
  }
  $newpagetoredirectto = $_SERVER['REQUEST_URI'];
  $newpagetoredirectto = preg_replace("#(.*?)\??osCsid=(.*)#s", "\\1", $newpagetoredirectto);
  header("HTTP/1.1 301 Moved Permanently");
  header("location: $newpagetoredirectto");
  exit();
}

Posted

I fixed this and then uploaded new sessions.php to /functions/ and /classes/ and I still get:

Your Shopping Cart is empty!

I even tried using the old application_top.php with the new sessions.php and still get

Your Shopping Cart is empty!

Posted

then try setting up a copy of your store, see to it that it gets updated to the latest version that is now available, and then apply the patch to that one.

If database mutations are required, do run them on a copy of your live database, so you will not screw up the live site.

if it works, then replace the live site.

i.e. install the new version in /cart2/, then when all works, rename /cart/ to /cart3/ and rename /cart2/ to /cart/, and edit your config files to match the altered locations.

edit: this is highly recommended for security reasons too

Posted

if you are really lazy and don't want your site to be secure,

you could also try not to update and instead store the session in the MySQL database.

that fix might be less version specific.

then you just add this code to the bottom of application_top.php

if (isset($HTTP_GET_VARS['osCsid'])) {
  $sessionisnotactive = $HTTP_GET_VARS['osCsid'];
  // look for an unexpired row for this session id in the sessions table
  $value_query = tep_db_query("select value from " . TABLE_SESSIONS . " where sesskey = '" . tep_db_input($sessionisnotactive) . "' and expiry > '" . time() . "'");
  $value = tep_db_fetch_array($value_query);

  // no such session: destroy the one started for this id and redirect without the osCsid
  if (!isset($value['value'])) {
    tep_session_destroy();
    $newpagetoredirectto = $_SERVER['REQUEST_URI'];
    $newpagetoredirectto = preg_replace("#(.*?)\??osCsid=(.*)#s", "\\1", $newpagetoredirectto);
    header("HTTP/1.1 301 Moved Permanently");
    header("location: $newpagetoredirectto");
    exit();
  }
}

still I urge you to do some upgrading; even when this works you are still in danger from some vulnerabilities discovered in the past few years.

Posted

oops, the page redirection for the file-based session was a little incorrect...

corrected here:

// file-based sessions: only redirect when the osCsid has no session file behind it
if (isset($_GET[tep_session_name()])) {
  if (!file_exists(SESSION_WRITE_DIRECTORY.'/sess_'.$_GET[tep_session_name()])) {
    unset($_GET[tep_session_name()]);
    $newpagetoredirectto = $_SERVER['REQUEST_URI'];
    $newpagetoredirectto = preg_replace("#(.*?)\??osCsid=(.*)#s", "\\1", $newpagetoredirectto);
    header("HTTP/1.1 301 Moved Permanently");
    header("location: $newpagetoredirectto");
    exit();
  }
}
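The corrected file-based check above and the MySQL variant a few posts up share three weak spots: the string in osCsid goes straight into file_exists() or the query, the query string is cut from "osCsid=" to the end (so "?products_id=42&osCsid=x&page=2" loses page=2 and keeps a trailing "&"), and the answer is a 301, which browsers cache. The example below is added here and is not code from this thread or from osCommerce; it implements the same rule for both session stores with those three points fixed, and checks the id format itself rather than relying on whatever the installed tep_session_start() lets through. The osCommerce names it uses (tep_session_name(), tep_session_destroy(), SESSION_WRITE_DIRECTORY, TABLE_SESSIONS, tep_db_query(), tep_db_input(), tep_db_fetch_array()) are assumed to be the functions and constants of those names and are only reached from oscsid_guard() and oscsid_exists_in_db(); the command-line demo at the bottom uses a constructed in-memory list of live ids instead, so the file runs stand-alone with php.

```php
<?php
// Added example for this thread (not osCommerce code, not the patches posted
// above). Same rule as the thread's patches: an osCsid in the URL that has no
// live session behind it is dropped and the visitor is redirected to the same
// page without it. Assumed osCommerce names, reached only from oscsid_guard()
// and oscsid_exists_in_db(): tep_session_name(), tep_session_destroy(),
// SESSION_WRITE_DIRECTORY, TABLE_SESSIONS, tep_db_query(), tep_db_input(),
// tep_db_fetch_array().

// PHP's session module builds ids from [0-9a-zA-Z,-]; anything else is not a
// session id, whatever the installed tep_session_start() lets through.
function oscsid_is_well_formed($sid) {
    return is_string($sid) && preg_match('/^[0-9A-Za-z,-]{20,128}$/', $sid) === 1;
}

// Drop one query parameter (and "name[...]" variants) from a request URI while
// keeping every other parameter and never leaving a dangling "?" or "&".
function oscsid_strip_from_uri($uri, $name) {
    $parts = explode('?', $uri, 2);
    if (count($parts) < 2) {
        return $uri;                                   // no query string at all
    }
    $kept = array();
    foreach (explode('&', $parts[1]) as $pair) {
        if ($pair === '') {
            continue;
        }
        $kv  = explode('=', $pair, 2);
        $key = rawurldecode($kv[0]);
        if ($key !== $name && strpos($key, $name . '[') !== 0) {
            $kept[] = $pair;
        }
    }
    return $parts[0] . (count($kept) > 0 ? '?' . implode('&', $kept) : '');
}

// File-backed sessions (osCommerce's default): a live id has a sess_<id> file.
// The format check keeps "../" and NUL bytes out of the path.
function oscsid_exists_in_files($sid, $dir) {
    return oscsid_is_well_formed($sid) && is_file($dir . '/sess_' . $sid);
}

// MySQL-backed sessions: a live id has an unexpired row in the sessions table.
function oscsid_exists_in_db($sid) {
    if (!oscsid_is_well_formed($sid)) {
        return false;
    }
    $q = tep_db_query("select sesskey from " . TABLE_SESSIONS
        . " where sesskey = '" . tep_db_input($sid) . "'"
        . " and expiry > '" . (int) time() . "'");
    return tep_db_fetch_array($q) !== false;
}

// The rule, kept free of header()/exit() so it can be exercised from the
// command line: null means "serve the request", a string is the URI to
// redirect to because the id in the URL must be dropped.
function oscsid_decide($get, $uri, $name, $exists) {
    if (!isset($get[$name])) {
        return null;                                   // cookie session, or none
    }
    if (call_user_func($exists, $get[$name])) {
        return null;                                   // live session: leave it
    }
    return oscsid_strip_from_uri($uri, $name);         // stale, forged or shared
}

// Glue for the bottom of application_top.php (file-backed store; swap the
// closure for oscsid_exists_in_db() when sessions live in MySQL).
function oscsid_guard() {
    $name   = tep_session_name();
    $target = oscsid_decide($_GET, $_SERVER['REQUEST_URI'], $name, function ($sid) {
        return oscsid_exists_in_files($sid, SESSION_WRITE_DIRECTORY);
    });
    if ($target !== null) {
        tep_session_destroy();
        header('HTTP/1.1 302 Found');                  // not 301: browsers cache 301
        header('Location: ' . $target);
        exit();
    }
}

// Command-line demo on constructed input; the "live" store is an in-memory array.
if (PHP_SAPI === 'cli') {
    $live   = array('abc123def456ghi789jkl012' => true);
    $exists = function ($sid) use ($live) {
        return oscsid_is_well_formed($sid) && isset($live[$sid]);
    };
    $cases = array(
        '/product_info.php?products_id=42&osCsid=abc123def456ghi789jkl012',        // live id: serve
        '/product_info.php?products_id=42&osCsid=zzz999zzz999zzz999zzz999&page=2', // stale id: redirect, page=2 kept
        '/index.php?osCsid=../../etc/passwd',                                      // malformed id: redirect to /index.php
        '/index.php',                                                              // no id: serve
    );
    foreach ($cases as $uri) {
        $q = strpos($uri, '?') === false ? '' : substr($uri, strpos($uri, '?') + 1);
        parse_str($q, $get);
        $target = oscsid_decide($get, $uri, 'osCsid', $exists);
        printf("%s\n  -> %s\n", $uri, $target === null ? 'serve' : 'redirect to ' . $target);
    }
}
```

To wire it in, include the file at the end of application_top.php and call oscsid_guard(); the User-Agent binding from the earlier patch is independent of this and can stay in front of it. Keeping the decision in oscsid_decide() means the rule can be run against a list of URLs on the command line before it touches the live store, which is how the "Your Shopping Cart is empty!" regression earlier in this thread would have shown up: a live id that still gets redirected is a test case, not a customer complaint.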

Posted

I am not lazy, I have tried using the upgrade script before, but there were errors and I couldn't get it to work properly. This problem only happens every once in a while, but I realize I need to fix it. If I do a fresh install, I need to figure out how to import my current customer, product and order information. I also want the cvv2 information in the credit card process. It's not that I am lazy, it's that it is complicated to upgrade since I've made a lot of modifications to the old files. The only problem I have right now is with the sessions and I'd hate to have a lot of downtime smack dab in the middle of the holiday season. I wish there was a solution with the current version of osCommerce I am using.

Archived

This topic is now archived and is closed to further replies.
