Jump to content
  • Checkout
  • Login
  • Get in touch

osCommerce

The e-commerce.

Google Checkout working BUT allows spiders to pick up session ids?


lostndazed

Recommended Posts

In my admin, I have the option to "Prevent Spider Sessions" under admin -> Configuration -> Sessions.

 

If I set "Prevent Spider Sessions" to False, then my Google Checkout will tell my db to remove the item just purchased.

But then all spiders can pick up session ids in their crawls, right? Or am I mistaken? And isn't that a security/shopping cart problem?

 

If I set "Prevent Spider Sessions" to True, then I have to manually set the item as sold in my db. Also doesn't update the shopping cart.

 

Is there some other way for me to kill session ids for crawling spiders, but allow Google Checkout the session id?

Link to comment
Share on other sites

In includes/application_top.php : can I change the code to allow Google Checkout (https://checkout.google.com/) to get and send session ids? My spiders.txt does not appear to include googlebot.

 

// start the session
 $session_started = false;
 if (SESSION_FORCE_COOKIE_USE == 'True') {
tep_setcookie('cookie_test', 'please_accept_for_session', time()+60*60*24*30, $cookie_path, $cookie_domain);

if (isset($HTTP_COOKIE_VARS['cookie_test'])) {
  tep_session_start();
  $session_started = true;
}
 } elseif (SESSION_BLOCK_SPIDERS == 'True') {
$user_agent = strtolower(getenv('HTTP_USER_AGENT'));
$spider_flag = false;

if (tep_not_null($user_agent)) {
  $spiders = file(DIR_WS_INCLUDES . 'spiders.txt');

  for ($i=0, $n=sizeof($spiders); $i<$n; $i++) {
	if (tep_not_null($spiders[$i])) {
	  if (is_integer(strpos($user_agent, trim($spiders[$i])))) {
		$spider_flag = true;
		break;
	  }
	}
  }
}

if ($spider_flag == false) {
  tep_session_start();
  $session_started = true;
}
 } else {
tep_session_start();
$session_started = true;
 }

// set SID once, even if empty
 $SID = (defined('SID') ? SID : '');

// verify the ssl_session_id if the feature is enabled
 if ( ($request_type == 'SSL') && (SESSION_CHECK_SSL_SESSION_ID == 'True') && (ENABLE_SSL == true) && ($session_started == true) ) {
$ssl_session_id = getenv('SSL_SESSION_ID');
if (!tep_session_is_registered('SSL_SESSION_ID')) {
  $SESSION_SSL_ID = $ssl_session_id;
  tep_session_register('SESSION_SSL_ID');
}

if ($SESSION_SSL_ID != $ssl_session_id) {
  tep_session_destroy();
  tep_redirect(tep_href_link(FILENAME_SSL_CHECK));
}
 }

Link to comment
Share on other sites

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.
Note: Your post will require moderator approval before it will be visible.

Guest
Unfortunately, your content contains terms that we do not allow. Please edit your content to remove the highlighted words below.
Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

×
×
  • Create New...