jdvb (Author) Posted December 6, 2006

Customers copy-paste a URL into an e-mail, with an osCsid in it, send that e-mail to multiple recipients, and because their IP does not match that of the poster they are redirected to the login page. I could set check IP to false, but then they would get the same session. Somehow this problem only arose since the last update, and I now see many visitors with the login.php page as their first page on my site.

For those osCsid links posted on other websites and customers who do allow me to see the referrer I could set up an .htaccess rewrite rule to strip the osCsid part from the URL when the referrer is not empty or equal to my own site, but that is only a partial solution to the problem.

I could also try and set the check IP function differently to simply create a new session for those visitors that have a different IP than set in the session variables. But then customers with changing IPs get screwed, and will not be able to place an order. Better might be to then only check IP when a cookie has not been set, and to store the IP the session was placed from in the cookie, and to verify that instead.

Has anyone else got any other ideas? Perhaps some more simple to implement than my second idea?
boxtel Posted December 6, 2006

IP checking is a bad idea, as IPs can change on every request (AOL); better use user-agent checking, as that changes rarely per user per session. If people e-mail session IDs and people en masse start to use them, and have the same user-agent, there is no prevention for that. The only prevention I use is to check if the requested session (if in the URL) is still active and, if not, disregard that session ID. That way everyone who comes in with the same session ID will get a new one. In other words, no session ID can be used unless explicitly issued by my system.

(Default osC simply activates any session ID you request and as such will activate any indexed session ID for everyone who requests it.) Still, that only functions if the session is no longer active, and as such is better suited for indexed links, as the chance that the session is still active when it has reached the index is virtually nil. It will of course also catch e-mailed session IDs if they happen to use them after the session has expired.

Treasurer MFC
jdvb (Author) Posted December 6, 2006

Thank you. For all that would like this solution: in application_top.php replace

```php
if ($SESSION_IP_ADDRESS != $ip_address) {
  tep_session_destroy();
  tep_redirect(tep_href_link(FILENAME_LOGIN));
}
```

with

```php
if (isset($HTTP_GET_VARS['osCsid'])) {
  $sessionisnotactive = $HTTP_GET_VARS['osCsid'];
  $value_query = tep_db_query("select value from " . TABLE_SESSIONS . " where sesskey = '" . tep_db_input($sessionisnotactive) . "' and expiry > '" . time() . "'");
  $value = tep_db_fetch_array($value_query);
  if (!isset($value['value'])) {
    tep_session_destroy();
    $newpagetoredirectto = $_SERVER['REQUEST_URI'];
    $newpagetoredirectto = preg_replace("#(.*?)\?osCsid=(.*)#s", "\\1", $newpagetoredirectto);
    header("location: $newpagetoredirectto");
  }
}
```

and set check session IP to true (it will not check IP, but whether or not the session is active, since that function has just been replaced).

edit: typo
boxtel Posted December 6, 2006

Yes, for MySQL-stored sessions. I use files, so I have this code:

```php
if (isset($_GET[tep_session_name()])) {
  if (!file_exists(SESSION_WRITE_DIRECTORY . '/sess_' . $_GET[tep_session_name()])) {
    unset($_GET[tep_session_name()]);
    session_regenerate_id();
  }
}
```

Treasurer MFC
jdvb (Author) Posted December 6, 2006

I edited my own code to include a moved permanently header:

```php
header("HTTP/1.1 301 Moved Permanently");
header("location: $newpagetoredirectto");
```

Now any spidered session IDs will be removed from any search engines after a revisit. Also applied the spiders session fix from boxtel (contribution).
micetrap Posted December 6, 2006

I believe I have an older build that doesn't have that code. In my application_top.php, I have:

```php
  define('TABLE_SESSIONS', 'sessions');

// check if sessions are supported, otherwise use the php3 compatible session class
  if (!function_exists('session_start')) {
    define('PHP_SESSION_NAME', 'sID');
    define('PHP_SESSION_SAVE_PATH', '/tmp');

    include(DIR_WS_CLASSES . 'sessions.php');
  }

// define how the session functions will be used
  require(DIR_WS_FUNCTIONS . 'sessions.php');
  tep_session_name('osCsid');
```
jdvb (Author) Posted December 6, 2006

The code from both the MySQL fix and the file fix can be placed after the

```php
if (!function_exists('session_start')) {
  .....
  ...
}
```

part. I do recommend using the redirect for the 301 permanent redirect (search engines will strip the osCsid part from their search results).

```php
if (isset($HTTP_GET_VARS['osCsid'])) {
  $sessionisnotactive = $HTTP_GET_VARS['osCsid'];
  $value_query = tep_db_query("select value from " . TABLE_SESSIONS . " where sesskey = '" . tep_db_input($sessionisnotactive) . "' and expiry > '" . time() . "'");
  $value = tep_db_fetch_array($value_query);
  if (!isset($value['value'])) {
    tep_session_destroy();
    $newpagetoredirectto = $_SERVER['REQUEST_URI'];
    $newpagetoredirectto = preg_replace("#(.*?)\??osCsid=(.*)#s", "\\1", $newpagetoredirectto);
    header("HTTP/1.1 301 Moved Permanently");
    header("location: $newpagetoredirectto");
    exit();
  }
}
```

and for files:

```php
if (isset($_GET[tep_session_name()])) {
  if (!file_exists(SESSION_WRITE_DIRECTORY . '/sess_' . $_GET[tep_session_name()])) {
    unset($_GET[tep_session_name()]);
  }
  $newpagetoredirectto = $_SERVER['REQUEST_URI'];
  $newpagetoredirectto = preg_replace("#(.*?)\??osCsid=(.*)#s", "\\1", $newpagetoredirectto);
  header("HTTP/1.1 301 Moved Permanently");
  header("location: $newpagetoredirectto");
  exit();
}
```

Also the check user agent feature that is by default in application_top.php I would change:

```php
if ($SESSION_USER_AGENT != $http_user_agent) {
  tep_session_destroy();
  tep_redirect(tep_href_link(FILENAME_LOGIN));
}
```

change to:

```php
if ($SESSION_USER_AGENT != $http_user_agent) {
  tep_session_destroy();
  $newpagetoredirectto = $_SERVER['REQUEST_URI'];
  $newpagetoredirectto = preg_replace("#(.*?)\??osCsid=(.*)#s", "\\1", $newpagetoredirectto);
  header("HTTP/1.1 301 Moved Permanently");
  header("location: $newpagetoredirectto");
  exit();
}
```

This way the customer does get to see the page he wants to, the search engine results get stripped of the osCsid part, and the customer gets a new session.

edit: typo
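The rule boxtel describes (accept a URL-carried session ID only if the server itself issued it and it is still active) and the consolidated file-based fix in the post above, as an added stand-alone example. This is not code from this thread or from osCommerce: the function names, the `sess_<id>` file layout in a temp directory, the `osCsid` parameter name and the constructed sample URLs are assumptions for the demo. Three points differ from the snippets on the page and are the reason for writing it out: the ID is checked against PHP's own session-ID alphabet before it is used in a filename (the page's `file_exists()` call passes the raw GET value straight into a path); only the `osCsid` parameter is removed from the URL, whereas the regex `(.*?)\??osCsid=(.*)` also throws away every parameter after it and can leave a dangling `&`; and the redirect is issued only when the ID is rejected, while in the file-based variant above the redirect sits outside the `file_exists()` branch and so fires for every request that carries an `osCsid`, active or not.

```php
<?php
// Added example, not code from the thread or from osCommerce.
// Assumes PHP file sessions stored as sess_<id> in $sessionDir (PHP 7.1+).
declare(strict_types=1);

const SESSION_NAME = 'osCsid';   // URL parameter name (assumption: osCommerce default)

// A session id must match PHP's own alphabet before it touches the filesystem
// or a query; otherwise a value like "../../etc/passwd" reaches file_exists().
function is_well_formed_session_id(string $sid): bool
{
    return (bool) preg_match('/\A[A-Za-z0-9,-]{22,256}\z/', $sid);
}

// True only if the server has an unexpired session file for this id.
function session_is_active(string $sid, string $sessionDir, int $maxLifetime, int $now): bool
{
    if (!is_well_formed_session_id($sid)) {
        return false;
    }
    $path = $sessionDir . DIRECTORY_SEPARATOR . 'sess_' . $sid;
    if (!is_file($path)) {
        return false;
    }
    // PHP's file handler expires sessions by mtime; mirror that here.
    return (filemtime($path) + $maxLifetime) > $now;
}

// Remove only the session parameter, keeping path, other parameters and fragment.
function strip_session_param(string $requestUri, string $name = SESSION_NAME): string
{
    $parts = parse_url($requestUri);
    $query = [];
    if (isset($parts['query'])) {
        parse_str($parts['query'], $query);
    }
    unset($query[$name]);
    $rebuilt = $parts['path'] ?? '/';
    if ($query !== []) {
        $rebuilt .= '?' . http_build_query($query);
    }
    if (isset($parts['fragment'])) {
        $rebuilt .= '#' . $parts['fragment'];
    }
    return $rebuilt;
}

// Returns ['accept', $sid] when the URL-carried id may be used, or
// ['redirect', $location] when it is unknown or expired: the client is sent to
// the same page without the parameter and gets a fresh id on the next request.
function handle_url_session(array $get, string $requestUri, string $sessionDir, int $maxLifetime, int $now): array
{
    if (!isset($get[SESSION_NAME])) {
        return ['accept', null];
    }
    $sid = (string) $get[SESSION_NAME];
    if (session_is_active($sid, $sessionDir, $maxLifetime, $now)) {
        return ['accept', $sid];
    }
    return ['redirect', strip_session_param($requestUri)];
}

// --- demo on constructed data (not real traffic) ---------------------------
$dir = sys_get_temp_dir() . '/sess_demo_' . getmypid();
mkdir($dir, 0700);
$live = str_repeat('a', 26);          // constructed id the server "issued"
touch($dir . '/sess_' . $live);
$now = time();

$cases = [
    '/product_info.php?products_id=7&osCsid=' . $live . '&page=2',   // active: accepted
    '/product_info.php?products_id=7&osCsid=' . str_repeat('b', 26), // never issued: redirect
    '/default.php?osCsid=../../etc/passwd',                          // rejected before any I/O
];
foreach ($cases as $uri) {
    parse_str(parse_url($uri, PHP_URL_QUERY), $get);
    [$action, $value] = handle_url_session($get, $uri, $dir, 1440, $now);
    printf("%-66s -> %s %s\n", $uri, $action, $value ?? '');
}

unlink($dir . '/sess_' . $live);
rmdir($dir);
```

Run it from the command line with `php`. The first URL is accepted with the issued id; the second and third are answered with a redirect to `/product_info.php?products_id=7` and `/default.php` respectively, so the `page=2` parameter survives in the first case and the traversal string never reaches the filesystem in the third. In a real handler the `redirect` branch would send the `301` and `Location` headers and `exit()`, exactly as the post above does, and the `accept` branch would fall through to the normal session start.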
micetrap Posted December 6, 2006

My code doesn't have that either. Here is my entire application_top.php file:

```php
<?php
/*
  $Id: application_top.php,v 1.264 2003/02/17 16:37:52 hpdl Exp $

  osCommerce, Open Source E-Commerce Solutions
  http://www.oscommerce.com

  Copyright © 2003 osCommerce

  Released under the GNU General Public License
*/

// start the timer for the page parse time log
  define('PAGE_PARSE_START_TIME', microtime());

// set the level of error reporting
  error_reporting(E_ALL & ~E_NOTICE);

// check if register_globals is enabled.
// since this is a temporary measure this message is hardcoded. The requirement will be removed before 2.2 is finalized.
  if (function_exists('ini_get')) {
    ini_get('register_globals') or exit('FATAL ERROR: register_globals is disabled in php.ini, please enable it!');
  }

// disable use_trans_sid as tep_href_link() does this manually
  if (function_exists('ini_set')) @ini_set('session.use_trans_sid', 0);

// Set the local configuration parameters - mainly for developers
  if (file_exists('includes/local/configure.php')) include('includes/local/configure.php');

// include server parameters
  require('includes/configure.php');

// CATALOG_PRODUCTS_WITH_IMAGES_mod
# START Printable Catalog V 2.3
  define('FILENAME_CATALOG_PRODUCTS_WITH_IMAGES', 'catalog_products_with_images.php');
# END Printable Catalog V 2.3

// define the project version
  define('PROJECT_VERSION', 'osCommerce 2.2-MS1');

// set the type of request (secure or not)
  $request_type = (getenv('HTTPS') == 'on') ? 'SSL' : 'NONSSL';

// define the filenames used in the project
  define('FILENAME_ACCOUNT', 'account.php');
  define('FILENAME_ACCOUNT_EDIT', 'account_edit.php');
  define('FILENAME_ACCOUNT_EDIT_PROCESS', 'account_edit_process.php');
  define('FILENAME_ACCOUNT_HISTORY', 'account_history.php');
  define('FILENAME_ACCOUNT_HISTORY_INFO', 'account_history_info.php');
  define('FILENAME_ADDRESS_BOOK', 'address_book.php');
  define('FILENAME_ADDRESS_BOOK_PROCESS', 'address_book_process.php');
  define('FILENAME_ADVANCED_SEARCH', 'advanced_search.php');
  define('FILENAME_ADVANCED_SEARCH_RESULT', 'advanced_search_result.php');
  define('FILENAME_ALSO_PURCHASED_PRODUCTS', 'also_purchased_products.php'); // This is the bottom of product_info.php (found in modules)
  define('FILENAME_CHECKOUT_CONFIRMATION', 'checkout_confirmation.php');
  define('FILENAME_CHECKOUT_PAYMENT', 'checkout_payment.php');
  define('FILENAME_CHECKOUT_PAYMENT_ADDRESS', 'checkout_payment_address.php');
  define('FILENAME_CHECKOUT_PAYPALIPN', 'checkout_paypalipn.php'); // PAYPALIPN
  define('FILENAME_CHECKOUT_PROCESS', 'checkout_process.php');
  define('FILENAME_CHECKOUT_SHIPPING', 'checkout_shipping.php');
  define('FILENAME_CHECKOUT_SHIPPING_ADDRESS', 'checkout_shipping_address.php');
  define('FILENAME_CHECKOUT_SUCCESS', 'checkout_success.php');
  define('FILENAME_CONTACT_US', 'contact_us.php');
  define('FILENAME_CONDITIONS', 'conditions.php');
  define('FILENAME_CREATE_ACCOUNT', 'create_account.php');
  define('FILENAME_CREATE_ACCOUNT_PROCESS', 'create_account_process.php');
  define('FILENAME_CREATE_ACCOUNT_SUCCESS', 'create_account_success.php');
  define('FILENAME_DEFAULT', 'default.php');
  define('FILENAME_DOWNLOAD', 'download.php');
  define('FILENAME_INFO_SHOPPING_CART', 'info_shopping_cart.php');
  define('FILENAME_LOGIN', 'login.php');
  define('FILENAME_LOGOFF', 'logoff.php');
  define('FILENAME_NEW_PRODUCTS', 'new_products.php'); // This is the middle of default.php (found in modules)
  define('FILENAME_PASSWORD_FORGOTTEN', 'password_forgotten.php');
  define('FILENAME_POPUP_IMAGE', 'popup_image.php');
  define('FILENAME_POPUP_SEARCH_HELP', 'popup_search_help.php');
  define('FILENAME_POPUP_CVV', 'popup_cvv.php'); //cvv contribution
  define('FILENAME_PRIVACY', 'privacy.php');
  define('FILENAME_PRODUCT_INFO', 'product_info.php');
  define('FILENAME_PRODUCT_LISTING', 'product_listing.php');
  define('FILENAME_PRODUCT_NOTIFICATIONS', 'product_notifications.php');
  define('FILENAME_PRODUCT_REVIEWS', 'product_reviews.php');
  define('FILENAME_PRODUCT_REVIEWS_INFO', 'product_reviews_info.php');
  define('FILENAME_PRODUCT_REVIEWS_WRITE', 'product_reviews_write.php');
  define('FILENAME_PRODUCTS_NEW', 'products_new.php');
  define('FILENAME_REDIRECT', 'redirect.php');
  define('FILENAME_REVIEWS', 'reviews.php');
  define('FILENAME_SHIPPING', 'shipping.php');
  define('FILENAME_SHOPPING_CART', 'shopping_cart.php');
  define('FILENAME_SPECIALS', 'specials.php');
  define('FILENAME_TELL_A_FRIEND', 'tell_a_friend.php');
  define('FILENAME_UPCOMING_PRODUCTS', 'upcoming_products.php'); // This is the bottom of default.php (found in modules)

// define the database table names used in the project
  define('TABLE_ADDRESS_BOOK', 'address_book');
  define('TABLE_ADDRESS_FORMAT', 'address_format');
  define('TABLE_BANNERS', 'banners');
  define('TABLE_BANNERS_HISTORY', 'banners_history');
  define('TABLE_CATEGORIES', 'categories');
  define('TABLE_CATEGORIES_DESCRIPTION', 'categories_description');
  define('TABLE_CONFIGURATION', 'configuration');
  define('TABLE_CONFIGURATION_GROUP', 'configuration_group');
  define('TABLE_COUNTER', 'counter');
  define('TABLE_COUNTER_HISTORY', 'counter_history');
  define('TABLE_COUNTRIES', 'countries');
  define('TABLE_CURRENCIES', 'currencies');
  define('TABLE_CUSTOMERS', 'customers');
  define('TABLE_CUSTOMERS_BASKET', 'customers_basket');
  define('TABLE_CUSTOMERS_BASKET_ATTRIBUTES', 'customers_basket_attributes');
  define('TABLE_CUSTOMERS_INFO', 'customers_info');
  define('TABLE_LANGUAGES', 'languages');
  define('TABLE_MANUFACTURERS', 'manufacturers');
  define('TABLE_MANUFACTURERS_INFO', 'manufacturers_info');
  define('TABLE_ORDERS', 'orders');
  define('TABLE_ORDERS_PRODUCTS', 'orders_products');
  define('TABLE_ORDERS_PRODUCTS_ATTRIBUTES', 'orders_products_attributes');
  define('TABLE_ORDERS_PRODUCTS_DOWNLOAD', 'orders_products_download');
  define('TABLE_ORDERS_STATUS', 'orders_status');
  define('TABLE_ORDERS_STATUS_HISTORY', 'orders_status_history');
  define('TABLE_ORDERS_TOTAL', 'orders_total');
  define('TABLE_PAYPALIPN_TXN', 'paypalipn_txn'); // PAYPALIPN
  define('TABLE_PRODUCTS', 'products');
  define('TABLE_PRODUCTS_ATTRIBUTES', 'products_attributes');
  define('TABLE_PRODUCTS_ATTRIBUTES_DOWNLOAD', 'products_attributes_download');
  define('TABLE_PRODUCTS_DESCRIPTION', 'products_description');
  define('TABLE_PRODUCTS_NOTIFICATIONS', 'products_notifications');
  define('TABLE_PRODUCTS_OPTIONS', 'products_options');
  define('TABLE_PRODUCTS_OPTIONS_VALUES', 'products_options_values');
  define('TABLE_PRODUCTS_OPTIONS_VALUES_TO_PRODUCTS_OPTIONS', 'products_options_values_to_products_options');
  define('TABLE_PRODUCTS_TO_CATEGORIES', 'products_to_categories');
  define('TABLE_REVIEWS', 'reviews');
  define('TABLE_REVIEWS_DESCRIPTION', 'reviews_description');
  define('TABLE_SESSIONS', 'sessions');
  define('TABLE_SPECIALS', 'specials');
  define('TABLE_TAX_CLASS', 'tax_class');
  define('TABLE_TAX_RATES', 'tax_rates');
  define('TABLE_GEO_ZONES', 'geo_zones');
  define('TABLE_ZONES_TO_GEO_ZONES', 'zones_to_geo_zones');
  define('TABLE_WHOS_ONLINE', 'whos_online');
  define('TABLE_ZONES', 'zones');

// Control what fields of the customer table are used
  define('ACCOUNT_GENDER', false);
  define('ACCOUNT_DOB', false);
  define('ACCOUNT_COMPANY', false);
  define('ACCOUNT_SUBURB', false);
  define('ACCOUNT_STATE', true);

// Categories Box: recursive products count
  define('SHOW_COUNTS', 'true'); // show category count: true=Yes False=No
  define('USE_RECURSIVE_COUNT', 'true'); // recursive count: true=Yes False=No

// customization for the design layout
  define('BOX_WIDTH', 125); // how wide the boxes should be in pixels (default: 125)

// check if sessions are supported, otherwise use the php3 compatible session class
  if (!function_exists('session_start')) {
    define('PHP_SESSION_NAME', 'sID');
    define('PHP_SESSION_SAVE_PATH', '/tmp');

    include(DIR_WS_CLASSES . 'sessions.php');
  }

// define how the session functions will be used
  require(DIR_WS_FUNCTIONS . 'sessions.php');
  tep_session_name('osCsid');

// include the database functions
  require(DIR_WS_FUNCTIONS . 'database.php');

// make a connection to the database... now
  tep_db_connect() or die('Unable to connect to database server!');

// set the application parameters (can be modified through the administration tool)
  $configuration_query = tep_db_query('select configuration_key as cfgKey, configuration_value as cfgValue from ' . TABLE_CONFIGURATION . '');
  while ($configuration = tep_db_fetch_array($configuration_query)) {
    define($configuration['cfgKey'], $configuration['cfgValue']);
  }

// if gzip_compression is enabled, start to buffer the output
  if ( (GZIP_COMPRESSION == 'true') && ($ext_zlib_loaded = extension_loaded('zlib')) && (PHP_VERSION >= '4') ) {
    if (($ini_zlib_output_compression = (int)ini_get('zlib.output_compression')) < 1) {
      if (PHP_VERSION >= '4.0.4') {
        ob_start('ob_gzhandler');
      } else {
        include(DIR_WS_FUNCTIONS . 'gzip_compression.php');
        ob_start();
        ob_implicit_flush();
      }
    } else {
      ini_set('zlib.output_compression_level', GZIP_LEVEL);
    }
  }

// set the HTTP GET parameters manually if search_engine_friendly_urls is enabled
  if (SEARCH_ENGINE_FRIENDLY_URLS == 'true') {
    if (strlen(getenv('PATH_INFO')) > 1) {
      $GET_arrays = array();
      $PHP_SELF = str_replace(getenv('PATH_INFO'), '', $HTTP_SERVER_VARS['PHP_SELF']);
      $vars = explode('/', substr(getenv('PATH_INFO'), 1));
      for ($i=0, $n=sizeof($vars); $i<$n; $i++) {
        if (strpos($vars[$i], '[]')) {
          $GET_arrays[substr($vars[$i], 0, -2)][] = $vars[$i+1];
        } else {
          $HTTP_GET_VARS[$vars[$i]] = $vars[$i+1];
        }
        $i++;
      }
      if (sizeof($GET_arrays) > 0) {
        while (list($key, $value) = each($GET_arrays)) {
          $HTTP_GET_VARS[$key] = $value;
        }
      }
    }
  } else {
    $PHP_SELF = $HTTP_SERVER_VARS['PHP_SELF'];
  }

// include cache functions if enabled
  if (USE_CACHE == 'true') include(DIR_WS_FUNCTIONS . 'cache.php');

// include shopping cart class
  require(DIR_WS_CLASSES . 'shopping_cart.php');

// include navigation history class
  require(DIR_WS_CLASSES . 'navigation_history.php');

// some code to solve compatibility issues
  require(DIR_WS_FUNCTIONS . 'compatibility.php');

// lets start our session
  if (isset($HTTP_POST_VARS[tep_session_name()])) {
    tep_session_id($HTTP_POST_VARS[tep_session_name()]);
  } elseif ( (getenv('HTTPS') == 'on') && isset($HTTP_GET_VARS[tep_session_name()]) ) {
    tep_session_id($HTTP_GET_VARS[tep_session_name()]);
  }
  if (function_exists('session_set_cookie_params')) {
    session_set_cookie_params(0, substr(DIR_WS_CATALOG, 0, -1));
  }
  tep_session_start();

// Create the cart & Fix the cart if necesary
  if (tep_session_is_registered('cart') && is_object($cart)) {
    if (PHP_VERSION < 4) {
      $broken_cart = $cart;
      $cart = new shoppingCart;
      $cart->unserialize($broken_cart);
    }
  } else {
    tep_session_register('cart');
    $cart = new shoppingCart;
  }

// include currencies class and create an instance
  require(DIR_WS_CLASSES . 'currencies.php');
  $currencies = new currencies();

// include the mail classes
  require(DIR_WS_CLASSES . 'mime.php');
  require(DIR_WS_CLASSES . 'email.php');

// language
  if (!tep_session_is_registered('language') || isset($HTTP_GET_VARS['language'])) {
    if (!tep_session_is_registered('language')) {
      tep_session_register('language');
      tep_session_register('languages_id');
    }

    include(DIR_WS_CLASSES . 'language.php');
    $lng = new language($HTTP_GET_VARS['language']);
    if (!isset($HTTP_GET_VARS['language'])) $lng->get_browser_language();

    $language = $lng->language['directory'];
    $languages_id = $lng->language['id'];
  }

// include the language translations
  require(DIR_WS_LANGUAGES . $language . '.php');

  if ( $spider_flag == true ){
    if ( eregi(tep_session_name(), $_SERVER['REQUEST_URI']) ){
      $location = tep_href_link(basename($_SERVER['SCRIPT_NAME']), tep_get_all_get_params(array(tep_session_name())), 'NONSSL', false);
      header("HTTP/1.0 301 Moved Permanently");
      header("Location: $location"); // redirect...bye bye
    }
  }

// define our general functions used application-wide
  require(DIR_WS_FUNCTIONS . 'general.php');
  require(DIR_WS_FUNCTIONS . 'html_output.php');

// currency
  if (!tep_session_is_registered('currency') || isset($HTTP_GET_VARS['currency']) || ( (USE_DEFAULT_LANGUAGE_CURRENCY == 'true') && (LANGUAGE_CURRENCY != $currency) ) ) {
    if (!tep_session_is_registered('currency')) tep_session_register('currency');

    if (isset($HTTP_GET_VARS['currency'])) {
      if (!$currency = tep_currency_exists($HTTP_GET_VARS['currency'])) $currency = (USE_DEFAULT_LANGUAGE_CURRENCY == 'true') ? LANGUAGE_CURRENCY : DEFAULT_CURRENCY;
    } else {
      $currency = (USE_DEFAULT_LANGUAGE_CURRENCY == 'true') ? LANGUAGE_CURRENCY : DEFAULT_CURRENCY;
    }
  }

// navigation history
  if (tep_session_is_registered('navigation')) {
    if (PHP_VERSION < 4) {
      $broken_navigation = $navigation;
      $navigation = new navigationHistory;
      $navigation->unserialize($broken_navigation);
    }
  } else {
    tep_session_register('navigation');
    $navigation = new navigationHistory;
  }
  $navigation->add_current_page();

// Shopping cart actions
  if (isset($HTTP_GET_VARS['action'])) {
    if (DISPLAY_CART == 'true') {
      $goto = FILENAME_SHOPPING_CART;
      $parameters = array('action', 'cPath', 'products_id', 'pid');
    } else {
      $goto = basename($PHP_SELF);
      if ($HTTP_GET_VARS['action'] == 'buy_now') {
        $parameters = array('action', 'pid', 'products_id');
      } else {
        $parameters = array('action', 'pid');
      }
    }
    switch ($HTTP_GET_VARS['action']) {
      // customer wants to update the product quantity in their shopping cart
      case 'update_product' : for ($i=0, $n=sizeof($HTTP_POST_VARS['products_id']); $i<$n; $i++) {
                                if (in_array($HTTP_POST_VARS['products_id'][$i], (is_array($HTTP_POST_VARS['cart_delete']) ? $HTTP_POST_VARS['cart_delete'] : array()))) {
                                  $cart->remove($HTTP_POST_VARS['products_id'][$i]);
                                } else {
                                  if (PHP_VERSION < 4) {
                                    // if PHP3, make correction for lack of multidimensional array.
                                    reset($HTTP_POST_VARS);
                                    while (list($key, $value) = each($HTTP_POST_VARS)) {
                                      if (is_array($value)) {
                                        while (list($key2, $value2) = each($value)) {
                                          if (ereg ("(.*)\]\[(.*)", $key2, $var)) {
                                            $id2[$var[1]][$var[2]] = $value2;
                                          }
                                        }
                                      }
                                    }
                                    $attributes = ($id2[$HTTP_POST_VARS['products_id'][$i]]) ? $id2[$HTTP_POST_VARS['products_id'][$i]] : '';
                                  } else {
                                    $attributes = ($HTTP_POST_VARS['id'][$HTTP_POST_VARS['products_id'][$i]]) ? $HTTP_POST_VARS['id'][$HTTP_POST_VARS['products_id'][$i]] : '';
                                  }
                                  $cart->add_cart($HTTP_POST_VARS['products_id'][$i], $HTTP_POST_VARS['cart_quantity'][$i], $attributes, false);
                                }
                              }
                              tep_redirect(tep_href_link($goto, tep_get_all_get_params($parameters)));
                              break;
      // customer adds a product from the products page
      case 'add_product' :    if (isset($HTTP_POST_VARS['products_id']) && is_numeric($HTTP_POST_VARS['products_id'])) {
                                $cart->add_cart($HTTP_POST_VARS['products_id'], $cart->get_quantity(tep_get_uprid($HTTP_POST_VARS['products_id'], $HTTP_POST_VARS['id']))+1, $HTTP_POST_VARS['id']);
                              }
                              tep_redirect(tep_href_link($goto, tep_get_all_get_params($parameters)));
                              break;
      // performed by the 'buy now' button in product listings and review page
      case 'buy_now' :        if (isset($HTTP_GET_VARS['products_id'])) {
                                if (tep_has_product_attributes($HTTP_GET_VARS['products_id'])) {
                                  tep_redirect(tep_href_link(FILENAME_PRODUCT_INFO, 'products_id=' . $HTTP_GET_VARS['products_id']));
                                } else {
                                  $cart->add_cart($HTTP_GET_VARS['products_id'], $cart->get_quantity($HTTP_GET_VARS['products_id'])+1);
                                }
                              }
                              tep_redirect(tep_href_link($goto, tep_get_all_get_params($parameters)));
                              break;
      case 'notify' :         if (tep_session_is_registered('customer_id')) {
                                if (isset($HTTP_GET_VARS['products_id'])) {
                                  $notify = $HTTP_GET_VARS['products_id'];
                                } elseif (isset($HTTP_GET_VARS['notify'])) {
                                  $notify = $HTTP_GET_VARS['notify'];
                                } elseif (isset($HTTP_POST_VARS['notify'])) {
                                  $notify = $HTTP_POST_VARS['notify'];
                                } else {
                                  tep_redirect(tep_href_link(basename($PHP_SELF), tep_get_all_get_params(array('action', 'notify'))));
                                }
                                if (!is_array($notify)) $notify = array($notify);
                                for ($i=0, $n=sizeof($notify); $i<$n; $i++) {
                                  $check_query = tep_db_query("select count(*) as count from " . TABLE_PRODUCTS_NOTIFICATIONS . " where products_id = '" . $notify[$i] . "' and customers_id = '" . $customer_id . "'");
                                  $check = tep_db_fetch_array($check_query);
                                  if ($check['count'] < 1) {
                                    tep_db_query("insert into " . TABLE_PRODUCTS_NOTIFICATIONS . " (products_id, customers_id, date_added) values ('" . $notify[$i] . "', '" . $customer_id . "', now())");
                                  }
                                }
                                tep_redirect(tep_href_link(basename($PHP_SELF), tep_get_all_get_params(array('action', 'notify'))));
                              } else {
                                $navigation->set_snapshot();
                                tep_redirect(tep_href_link(FILENAME_LOGIN, '', 'SSL'));
                              }
                              break;
      case 'notify_remove' :  if (tep_session_is_registered('customer_id') && isset($HTTP_GET_VARS['products_id'])) {
                                $check_query = tep_db_query("select count(*) as count from " . TABLE_PRODUCTS_NOTIFICATIONS . " where products_id = '" . $HTTP_GET_VARS['products_id'] . "' and customers_id = '" . $customer_id . "'");
                                $check = tep_db_fetch_array($check_query);
                                if ($check['count'] > 0) {
                                  tep_db_query("delete from " . TABLE_PRODUCTS_NOTIFICATIONS . " where products_id = '" . $HTTP_GET_VARS['products_id'] . "' and customers_id = '" . $customer_id . "'");
                                }
                                tep_redirect(tep_href_link(basename($PHP_SELF), tep_get_all_get_params(array('action'))));
                              } else {
                                $navigation->set_snapshot();
                                tep_redirect(tep_href_link(FILENAME_LOGIN, '', 'SSL'));
                              }
                              break;
      case 'cust_order' :     if (tep_session_is_registered('customer_id') && isset($HTTP_GET_VARS['pid'])) {
                                if (tep_has_product_attributes($HTTP_GET_VARS['pid'])) {
                                  tep_redirect(tep_href_link(FILENAME_PRODUCT_INFO, 'products_id=' . $HTTP_GET_VARS['pid']));
                                } else {
                                  $cart->add_cart($HTTP_GET_VARS['pid'], $cart->get_quantity($HTTP_GET_VARS['pid'])+1);
                                }
                              }
                              tep_redirect(tep_href_link($goto, tep_get_all_get_params($parameters)));
                              break;
    }
  }

// include the who's online functions
  require(DIR_WS_FUNCTIONS . 'whos_online.php');
  tep_update_whos_online();

// include the password crypto functions
  require(DIR_WS_FUNCTIONS . 'password_funcs.php');

// include validation functions (right now only email address)
  require(DIR_WS_FUNCTIONS . 'validations.php');

// split-page-results
  require(DIR_WS_CLASSES . 'split_page_results.php');

// infobox
  require(DIR_WS_CLASSES . 'boxes.php');

// auto activate and expire banners
  require(DIR_WS_FUNCTIONS . 'banner.php');
  tep_activate_banners();
  tep_expire_banners();

// auto expire special products
  require(DIR_WS_FUNCTIONS . 'specials.php');
  tep_expire_specials();

// calculate category path
  if (isset($HTTP_GET_VARS['cPath'])) {
    $cPath = $HTTP_GET_VARS['cPath'];
  } elseif (isset($HTTP_GET_VARS['products_id']) && !isset($HTTP_GET_VARS['manufacturers_id'])) {
    $cPath = tep_get_product_path($HTTP_GET_VARS['products_id']);
  } else {
    $cPath = '';
  }

  if (tep_not_null($cPath)) {
    $cPath_array = tep_parse_category_path($cPath);
    $cPath = implode('_', $cPath_array);
    $current_category_id = $cPath_array[(sizeof($cPath_array)-1)];
  } else {
    $current_category_id = 0;
  }

// include the breadcrumb class and start the breadcrumb trail
  require(DIR_WS_CLASSES . 'breadcrumb.php');
  $breadcrumb = new breadcrumb;

  $breadcrumb->add(HEADER_TITLE_TOP, HTTP_SERVER);
  $breadcrumb->add(HEADER_TITLE_CATALOG, tep_href_link(FILENAME_DEFAULT));

// add category names or the manufacturer name to the breadcrumb trail
  if (isset($cPath_array)) {
    for ($i=0, $n=sizeof($cPath_array); $i<$n; $i++) {
      $categories_query = tep_db_query("select categories_name from " . TABLE_CATEGORIES_DESCRIPTION . " where categories_id = '" . $cPath_array[$i] . "' and language_id='" . $languages_id . "'");
      if (tep_db_num_rows($categories_query) > 0) {
        $categories = tep_db_fetch_array($categories_query);
        $breadcrumb->add($categories['categories_name'], tep_href_link(FILENAME_DEFAULT, 'cPath=' . implode('_', array_slice($cPath_array, 0, ($i+1)))));
      } else {
        break;
      }
    }
  } elseif (isset($HTTP_GET_VARS['manufacturers_id'])) {
    $manufacturers_query = tep_db_query("select manufacturers_name from " . TABLE_MANUFACTURERS . " where manufacturers_id = '" . $HTTP_GET_VARS['manufacturers_id'] . "'");
    $manufacturers = tep_db_fetch_array($manufacturers_query);
    $breadcrumb->add($manufacturers['manufacturers_name'], tep_href_link(FILENAME_DEFAULT, 'manufacturers_id=' . $HTTP_GET_VARS['manufacturers_id']));
  }

// add the products model to the breadcrumb trail
  if (isset($HTTP_GET_VARS['products_id'])) {
    $model_query = tep_db_query("select products_model from " . TABLE_PRODUCTS . " where products_id = '" . $HTTP_GET_VARS['products_id'] . "'");
    $model = tep_db_fetch_array($model_query);
    $breadcrumb->add($model['products_model'], tep_href_link(FILENAME_PRODUCT_INFO, 'cPath=' . $cPath . '&products_id=' . $HTTP_GET_VARS['products_id']));
  }

// set which precautions should be checked
  define('WARN_INSTALL_EXISTENCE', 'true');
  define('WARN_CONFIG_WRITEABLE', 'true');
  define('WARN_SESSION_DIRECTORY_NOT_WRITEABLE', 'true');
  define('WARN_SESSION_AUTO_START', 'true');
  define('WARN_DOWNLOAD_DIRECTORY_NOT_READABLE', 'true');
?>
```
jdvb (Author) Posted December 6, 2006

Old version indeed. Insert at the bottom:

```php
$http_user_agent = getenv('HTTP_USER_AGENT');
if (!tep_session_is_registered('SESSION_USER_AGENT')) {
  $SESSION_USER_AGENT = $http_user_agent;
  tep_session_register('SESSION_USER_AGENT');
}
if ($SESSION_USER_AGENT != $http_user_agent) {
  tep_session_destroy();
  $newpagetoredirectto = $_SERVER['REQUEST_URI'];
  $newpagetoredirectto = preg_replace("#(.*?)\??osCsid=(.*)#s", "\\1", $newpagetoredirectto);
  header("HTTP/1.1 301 Moved Permanently");
  header("location: $newpagetoredirectto");
  exit();
}
if (isset($_GET[tep_session_name()])) {
  if (!file_exists(SESSION_WRITE_DIRECTORY . '/sess_' . $_GET[tep_session_name()])) {
    unset($_GET[tep_session_name()]);
  }
  $newpagetoredirectto = $_SERVER['REQUEST_URI'];
  $newpagetoredirectto = preg_replace("#(.*?)\??osCsid=(.*)#s", "\\1", $newpagetoredirectto);
  header("HTTP/1.1 301 Moved Permanently");
  header("location: $newpagetoredirectto");
  exit();
}
```
micetrap Posted December 6, 2006

I added that to the bottom and now when I add an item to the cart, I get this message: Your Shopping Cart is empty!

```php
// set which precautions should be checked
  define('WARN_INSTALL_EXISTENCE', 'true');
  define('WARN_CONFIG_WRITEABLE', 'true');
  define('WARN_SESSION_DIRECTORY_NOT_WRITEABLE', 'true');
  define('WARN_SESSION_AUTO_START', 'true');
  define('WARN_DOWNLOAD_DIRECTORY_NOT_READABLE', 'true');

$http_user_agent = getenv('HTTP_USER_AGENT');
if (!tep_session_is_registered('SESSION_USER_AGENT')) {
  $SESSION_USER_AGENT = $http_user_agent;
  tep_session_register('SESSION_USER_AGENT');
}
if ($SESSION_USER_AGENT != $http_user_agent) {
  tep_session_destroy();
  $newpagetoredirectto = $_SERVER['REQUEST_URI'];
  $newpagetoredirectto = preg_replace("#(.*?)\??osCsid=(.*)#s", "\\1", $newpagetoredirectto);
  header("HTTP/1.1 301 Moved Permanently");
  header("location: $newpagetoredirectto");
  exit();
}
if (isset($_GET[tep_session_name()])) {
  if (!file_exists(SESSION_WRITE_DIRECTORY . '/sess_' . $_GET[tep_session_name()])) {
    unset($_GET[tep_session_name()]);
  }
  $newpagetoredirectto = $_SERVER['REQUEST_URI'];
  $newpagetoredirectto = preg_replace("#(.*?)\??osCsid=(.*)#s", "\\1", $newpagetoredirectto);
  header("HTTP/1.1 301 Moved Permanently");
  header("location: $newpagetoredirectto");
  exit();
}

$http_user_agent = getenv('HTTP_USER_AGENT');
if (!tep_session_is_registered('SESSION_USER_AGENT')) {
  $SESSION_USER_AGENT = $http_user_agent;
  tep_session_register('SESSION_USER_AGENT');
}
if ($SESSION_USER_AGENT != $http_user_agent) {
  tep_session_destroy();
  $newpagetoredirectto = $_SERVER['REQUEST_URI'];
  $newpagetoredirectto = preg_replace("#(.*?)\??osCsid=(.*)#s", "\\1", $newpagetoredirectto);
  header("HTTP/1.1 301 Moved Permanently");
  header("location: $newpagetoredirectto");
  exit();
}
if (isset($_GET[tep_session_name()])) {
  if (!file_exists(SESSION_WRITE_DIRECTORY . '/sess_' . $_GET[tep_session_name()])) {
    unset($_GET[tep_session_name()]);
  }
  $newpagetoredirectto = $_SERVER['REQUEST_URI'];
  $newpagetoredirectto = preg_replace("#(.*?)\??osCsid=(.*)#s", "\\1", $newpagetoredirectto);
  header("HTTP/1.1 301 Moved Permanently");
  header("location: $newpagetoredirectto");
  exit();
}
?>
```
jdvb Posted December 6, 2006 (Author)

First of all, you applied the patch twice (remove one instance), but this would not be the problem I guess, since on failure the second would not be executed due to the exit() command.

For this version of the fix you need to store your sessions to file (not mysql for this post, mysql fix posted first).

Can you replace the sessions.php file with the latest version? Perhaps the problem now originates there.

You could also try to skip the user agent check and remove that part of the fix (more chance of the wrong customer signing in):

// User agent binding: remove this block to skip the check
$http_user_agent = getenv('HTTP_USER_AGENT');
if (!tep_session_is_registered('SESSION_USER_AGENT')) {
  $SESSION_USER_AGENT = $http_user_agent;
  tep_session_register('SESSION_USER_AGENT');
}
if ($SESSION_USER_AGENT != $http_user_agent) {
  tep_session_destroy();
  $newpagetoredirectto = $_SERVER['REQUEST_URI'];
  $newpagetoredirectto = preg_replace("#(.*?)\??osCsid=(.*)#s", "\\1", $newpagetoredirectto);
  header("HTTP/1.1 301 Moved Permanently");
  header("location: $newpagetoredirectto");
  exit();
}

i.e. you will just keep this part:

// Session id check: drop an id from the URL when no session file exists for it
if (isset($_GET[tep_session_name()])) {
  if (!file_exists(SESSION_WRITE_DIRECTORY.'/sess_'.$_GET[tep_session_name()])) {
    unset($_GET[tep_session_name()]);
  }
  $newpagetoredirectto = $_SERVER['REQUEST_URI'];
  $newpagetoredirectto = preg_replace("#(.*?)\??osCsid=(.*)#s", "\\1", $newpagetoredirectto);
  header("HTTP/1.1 301 Moved Permanently");
  header("location: $newpagetoredirectto");
  exit();
}
micetrap Posted December 6, 2006

I fixed this and then uploaded new sessions.php to /functions/ and /classes/ and I still get: Your Shopping Cart is empty!

I even tried using the old application_top.php with the new sessions.php and still get Your Shopping Cart is empty!
jdvb Posted December 6, 2006 (Author)

Then try setting up a copy of your store, see to it that it gets updated to the latest version that is now available, and then apply the patch to that one. If database mutations are required, do run them on a copy of your live database, so you will not screw up the live site. If it works, then replace the live site.

i.e. install the new version in /cart2/, then when all works, rename /cart/ to /cart3/ and rename /cart2/ to /cart/ and edit your config files to match the altered locations.

edit: this is highly recommended for security reasons too
jdvb Posted December 6, 2006 (Author)

If you are really lazy and don't want your site to be secure, you could also try to not update and try storing the session in the mysql database. That fix might be less version specific. Then you just add this code to the bottom of application_top.php:

if (isset($HTTP_GET_VARS['osCsid'])) {
  $sessionisnotactive = $HTTP_GET_VARS['osCsid'];
  // Look the id up in the sessions table: only an unexpired row means this
  // system issued the id
  $value_query = tep_db_query("select value from " . TABLE_SESSIONS . " where sesskey = '" . tep_db_input($sessionisnotactive) . "' and expiry > '" . time() . "'");
  $value = tep_db_fetch_array($value_query);
  if (!isset($value['value'])) {
    // Unknown or expired id: destroy the session and redirect to the same
    // page without the osCsid parameter
    tep_session_destroy();
    $newpagetoredirectto = $_SERVER['REQUEST_URI'];
    $newpagetoredirectto = preg_replace("#(.*?)\??osCsid=(.*)#s", "\\1", $newpagetoredirectto);
    header("HTTP/1.1 301 Moved Permanently");
    header("location: $newpagetoredirectto");
    exit();
  }
}

Still I urge you to do some upgrading; even when this works you are still in danger of some vulnerabilities discovered in the past few years.
jdvb Posted December 6, 2006 (Author)

Oops, the page redirection for the file based session was a little incorrect... corrected here:

if (isset($_GET[tep_session_name()])) {
  // Only redirect when no session file exists for the id in the URL;
  // a valid id is left alone
  if (!file_exists(SESSION_WRITE_DIRECTORY.'/sess_'.$_GET[tep_session_name()])) {
    unset($_GET[tep_session_name()]);
    $newpagetoredirectto = $_SERVER['REQUEST_URI'];
    $newpagetoredirectto = preg_replace("#(.*?)\??osCsid=(.*)#s", "\\1", $newpagetoredirectto);
    header("HTTP/1.1 301 Moved Permanently");
    header("location: $newpagetoredirectto");
    exit();
  }
}
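The rule jdvb's file based (corrected above) and mysql variants both implement is: a session id arriving in the URL is adopted only if this server issued it and it is still active; anything else is dropped and the client is sent to the same page without the id. The following is an added example written for this thread, not code from the posts or from osCommerce. It uses no tep_* helpers so it runs from the command line (PHP 7.4+); the function names are mine, the sess_ file prefix and the sessions table columns (sesskey, expiry) mirror what the thread's snippets use, and the inputs in the demo are constructed. It also rebuilds the query string instead of using the thread's regex, which cuts off every parameter that follows osCsid=.

```php
<?php
// Added example, not osCommerce code. Accept a URL session id only if this
// server issued it; otherwise drop it and redirect without it.

// Remove one query parameter while keeping the others (and any fragment) intact.
function strip_session_param(string $uri, string $name = 'osCsid'): string
{
    $parts = parse_url($uri);
    $path  = $parts['path'] ?? '/';
    $query = [];
    if (isset($parts['query'])) {
        parse_str($parts['query'], $query);
    }
    unset($query[$name]);
    $rebuilt = $path;
    if ($query !== []) {
        $rebuilt .= '?' . http_build_query($query);
    }
    if (isset($parts['fragment'])) {
        $rebuilt .= '#' . $parts['fragment'];
    }
    return $rebuilt;
}

// File based store: the id is valid only if PHP wrote a session file for it.
// The id is restricted to session-id characters before it touches the filesystem.
function session_id_is_active_file(string $id, string $saveDir): bool
{
    if (!preg_match('/^[A-Za-z0-9,-]{1,128}$/', $id)) {
        return false;
    }
    return is_file($saveDir . '/sess_' . $id);
}

// Database store (a sessions table with sesskey/expiry, as in the thread): same
// check, using a prepared statement instead of string concatenation.
function session_id_is_active_db(PDO $pdo, string $id, string $table = 'sessions'): bool
{
    $stmt = $pdo->prepare("SELECT 1 FROM {$table} WHERE sesskey = :id AND expiry > :now");
    $stmt->execute([':id' => $id, ':now' => time()]);
    return (bool) $stmt->fetchColumn();
}

// Decide what to do with a request. $isActive is one of the two checks above.
// Returns ['accept' => bool, 'redirect' => string|null].
function check_incoming_session(array $get, string $requestUri, callable $isActive, string $name = 'osCsid'): array
{
    if (!isset($get[$name])) {
        return ['accept' => false, 'redirect' => null];   // nothing to validate
    }
    if ($isActive((string) $get[$name])) {
        return ['accept' => true, 'redirect' => null];    // id was issued here
    }
    // Unknown or expired id: never adopt it, send the client to the same page without it
    return ['accept' => false, 'redirect' => strip_session_param($requestUri, $name)];
}

// Demo with constructed input; a temp dir stands in for SESSION_WRITE_DIRECTORY.
if (PHP_SAPI === 'cli') {
    $dir = sys_get_temp_dir() . '/sess_demo_' . getmypid();
    mkdir($dir);
    file_put_contents($dir . '/sess_abc123', '');   // a session this server created
    $isActive = fn(string $id): bool => session_id_is_active_file($id, $dir);

    // Id that exists on this server: accepted, no redirect
    $uri = '/product_info.php?products_id=42&osCsid=abc123&page=2';
    var_dump(check_incoming_session(['osCsid' => 'abc123'], $uri, $isActive));

    // Id copied from a mailed link that this server never issued: dropped,
    // redirect to /product_info.php?products_id=42&page=2 (page=2 survives)
    $uri = '/product_info.php?products_id=42&osCsid=mailed999&page=2';
    var_dump(check_incoming_session(['osCsid' => 'mailed999'], $uri, $isActive));

    unlink($dir . '/sess_abc123');
    rmdir($dir);
}
```

In application_top.php the caller would act on the result: on accept, continue with the normal session start; on a redirect, destroy any session that was started, send a 302 or 303 to the returned URL and exit. The thread's snippets answer with 301 Moved Permanently, which browsers may cache, so a later visit with a freshly issued osCsid can be redirected from cache without the server being asked; a 302/303 avoids that.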
micetrap Posted December 11, 2006

I am not lazy, I have tried using the upgrade script before, but there were errors and I couldn't get it to work properly. This problem only happens every once in a while, but I realize I need to fix it. If I do a fresh install, I need to figure out how to import my current customer, product and order information. I also want the cvv2 information in the credit card process. It's not that I am lazy, it's that it is complicated to upgrade since I've made a lot of modifications to the old files. The only problem I have right now is with the sessions and I'd hate to have a lot of downtime smack dab in the middle of the holiday season. I wish there was a solution with the current version of Oscommerce I am using.