Black_cage85 Posted June 20, 2007

Hi, I'm wondering if anyone can help me. I have an osCommerce shop up and running, but have recently found a problem with my session set-up. Google has stored the session ID at the end of my page ranking, so when people enter the site they all use the same ID. My system is set to check SSL Session ID, IP Address, and User Agents, and if it's a different user for the session ID it sends them to the home page. This all works fine except for the fact that when people go back to login it uses the same session ID that was given it by Google and assigns it to them and takes it off the other user. Now this user is kicked out of the HTTPS section and sent to the home page but still using the same session ID. This can be an unending cycle of everybody taking the same session ID.

I'm wondering how I can get osCommerce to clear the stored session and create a new one when it detects they are a different user to the one stored for that particular session?

I have tried disabling the osCsid at the end of the URL but it still passes the session ID somehow and I don't know how to stop it doing this. I have Force Cookie Use set to False and Recreate Session set to True.

This is my redirect code. I tried all three redirects separately but none worked.

    tep_session_destroy();
    tep_redirect(tep_href_link(FILENAME_DEFAULT, tep_get_all_get_params(array(tep_session_name())), 'NONSSL', false));
    tep_redirect(tep_href_link(FILENAME_DEFAULT));
    tep_redirect(tep_href_link(FILENAME_DEFAULT, tep_get_all_get_params(array()), 'NONSSL', false));

Many thanks for any help in advance.
Paul
Guest Posted June 20, 2007

> Hi, I'm wondering if anyone can help me. I have an osCommerce shop up and running, but have recently found a problem with my session set-up. Google has stored the session ID at the end of my page ranking, so when people enter the site they all use the same ID. My system is set to check SSL Session ID, IP Address, and User Agents, and if it's a different user for the session ID it sends them to the home page. This all works fine except for the fact that when people go back to login it uses the same session ID that was given it by Google and assigns it to them and takes it off the other user. Now this user is kicked out of the HTTPS section and sent to the home page but still using the same session ID. This can be an unending cycle of everybody taking the same session ID.
>
> I'm wondering how I can get osCommerce to clear the stored session and create a new one when it detects they are a different user to the one stored for that particular session?
>
> I have tried disabling the osCsid at the end of the URL but it still passes the session ID somehow and I don't know how to stop it doing this. I have Force Cookie Use set to False and Recreate Session set to True.
>
> This is my redirect code. I tried all three redirects separately but none worked.
>
>     tep_session_destroy();
>     tep_redirect(tep_href_link(FILENAME_DEFAULT, tep_get_all_get_params(array(tep_session_name())), 'NONSSL', false));
>     tep_redirect(tep_href_link(FILENAME_DEFAULT));
>     tep_redirect(tep_href_link(FILENAME_DEFAULT, tep_get_all_get_params(array()), 'NONSSL', false));
>
> Many thanks for any help in advance.
> Paul

In your osc admin->configuration->sessions->prevent spiders sessions, set it to true. Then install the session regeneration to protect your customers' private info. http://www.oscommerce.com/community/contributions,4112
Black_cage85 (Author) Posted June 20, 2007

My prevent spiders was set to true but it still got that information somehow. I've installed that contribution and it did what I wanted so thanks, never thought to look for regeneration.

Paul
Guest Posted June 20, 2007

> My prevent spiders was set to true but it still got that information somehow. I've installed that contribution and it did what I wanted so thanks, never thought to look for regeneration.
>
> Paul

If the prevent spiders switch was originally set to true then that should not have happened by itself. Unless... you have one or more hard-coded links in your store with the session appended. (For example, I've seen cases where they copied the link from the address bar of the browser and pasted it in the products description.) Something like this can put you in lots of trouble.
Black_cage85 (Author) Posted June 20, 2007

> If the prevent spiders switch was originally set to true then that should not have happened by itself. Unless... you have one or more hard-coded links in your store with the session appended. (For example, I've seen cases where they copied the link from the address bar of the browser and pasted it in the products description.) Something like this can put you in lots of trouble.

Well, my code is set up in a very unique way. It runs multiple affiliates and sites off the one code base, using one SSL certificate for all shops, so it does pass the osCsid in the URL when the user goes from NONSSL to SSL, so that could be where Google retrieved the data from. But I don't hard code it anywhere, and the prevent spiders has always been turned on, so that's the only place I can think it gets it from.
Guest Posted June 20, 2007

> Well, my code is set up in a very unique way. It runs multiple affiliates and sites off the one code base, using one SSL certificate for all shops, so it does pass the osCsid in the URL when the user goes from NONSSL to SSL, so that could be where Google retrieved the data from. But I don't hard code it anywhere, and the prevent spiders has always been turned on, so that's the only place I can think it gets it from.

No, Google won't see that because the spiders.txt is read by osc and if a spider is found there is no session generation. You could also use the latest spiders.txt to be on the safe side, http://www.oscommerce.com/community/contributions,2455 but that was not the root of the problem. Multi-stores use different configuration tables, right? So you need to ensure that session configurations for each store are set properly.
Black_cage85 (Author) Posted June 20, 2007

> No, Google won't see that because the spiders.txt is read by osc and if a spider is found there is no session generation. You could also use the latest spiders.txt to be on the safe side, http://www.oscommerce.com/community/contributions,2455 but that was not the root of the problem. Multi-stores use different configuration tables, right? So you need to ensure that session configurations for each store are set properly.

All the shops run off one configuration file, but that sets variables unique to each shop depending on what it receives from the $_SERVER variables.

- The HTTPS server is always the same.
- The HTTP_SERVER is set as $_SERVER['SERVER_NAME'] initially but then stored in session so that when navigating between NONSSL and SSL the theme is the same.
- The HTTP_COOKIE_DOMAIN is set as $_SERVER['SERVER_NAME'].
- The sessions are stored in MySQL.

Does that all sound correct or have I missed something that could be causing this problem?
Guest Posted June 20, 2007

I don't know which multi-store module you're using. You could look at your database with phpMyAdmin to see if you have configuration_storename tables. These are the tables I am talking about. And so when you change store via your osc Admin the configuration table is different. I am not sure what you mean with the PHP globals, that's not what I'm referring to.
Black_cage85 (Author) Posted June 20, 2007

> I don't know which multi-store module you're using. You could look at your database with phpMyAdmin to see if you have configuration_storename tables. These are the tables I am talking about. And so when you change store via your osc Admin the configuration table is different. I am not sure what you mean with the PHP globals, that's not what I'm referring to.

I wrote the system for multiple shops myself so I'm not using a standard module. I said about the PHP globals because you said have I set up my variables correctly, so I tried to explain how mine were set up.
Guest Posted June 20, 2007

> I wrote the system for multiple shops myself so I'm not using a standard module. I said about the PHP globals because you said have I set up my variables correctly, so I tried to explain how mine were set up.

Variables? I did not mention variables, I mentioned configuration switches.
tigergirl Posted June 21, 2007

Hi, you could also install the spider session remover contribution, this will help rid the search engines of SIDs. It seems to be working for me with the so-called "google dance" and I have fewer results with SIDs listed now. I also have enigmas Session Regeneration contribution installed.

Tiger

I'm feeling lucky today......maybe someone will answer my post!
I do try and answer a simple post when I can just to give something back.
------------------------------------------------
PM me? - I'm not for hire
Black_cage85 (Author) Posted June 21, 2007

> Variables? I did not mention variables, I mentioned configuration switches.

Sorry, I misunderstood what you said before, I was trying to explain how my store is configured. Which configuration switches are you on about that could affect the osCsid appearing?

And thanks tigergirl, I've installed that module so will just have to wait and see what happens :)
Guest Posted June 21, 2007

> Sorry, I misunderstood what you said before, I was trying to explain how my store is configured. Which configuration switches are you on about that could affect the osCsid appearing?
>
> And thanks tigergirl, I've installed that module so will just have to wait and see what happens :)

In your osc admin->configuration->sessions, check the settings for each store. You must have a switch to switch stores somewhere, right? Do the session settings change?
Black_cage85 (Author) Posted June 21, 2007

> In your osc admin->configuration->sessions, check the settings for each store. You must have a switch to switch stores somewhere, right? Do the session settings change?

No, all the shops run off the same session settings, with all values set to true except force cookie use, which is false. The variable HTTP_COOKIE_DOMAIN is the only thing that changes for each shop, which gets set to $_SERVER['SERVER_NAME']. It switches between stores when it goes to the HTTPS domain, which is always the same, but it keeps the HTTP domain the same as the store they first entered on by storing a setting in the session.
Guest Posted June 21, 2007

> No, all the shops run off the same session settings, with all values set to true except force cookie use, which is false. The variable HTTP_COOKIE_DOMAIN is the only thing that changes for each shop, which gets set to $_SERVER['SERVER_NAME']. It switches between stores when it goes to the HTTPS domain, which is always the same, but it keeps the HTTP domain the same as the store they first entered on by storing a setting in the session.

OK then, the next step would be to check the user agent. When it is set to the Google bot (or any other spider) sessions should not be appended with the URLs. After that you could monitor the server logs for the Google IP to see on the next visit if it still retrieves URLs with sessions.
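
The log check suggested in the post above, as an added example that is not part of the original thread and is not osCommerce code. It assumes Apache "combined" log format and a short, assumed list of crawler markers (not the contents of spiders.txt); the sample lines are constructed. It goes one step beyond the post by also reporting any osCsid value used by more than one distinct client, which is the symptom the original poster describes.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit, parse_qs

# Constructed sample lines (documentation IP ranges, made-up session IDs).
SAMPLE_LOG = """\
192.0.2.10 - - [22/Jun/2007:10:01:02 +0000] "GET /index.php?osCsid=aaaa1111 HTTP/1.1" 200 512 "-" "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"
198.51.100.7 - - [22/Jun/2007:10:05:40 +0000] "GET /login.php?osCsid=aaaa1111 HTTP/1.1" 200 734 "http://www.google.com/search?q=shop" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
203.0.113.25 - - [22/Jun/2007:10:06:11 +0000] "GET /login.php?osCsid=aaaa1111 HTTP/1.1" 200 734 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.4) Gecko/20070515 Firefox/2.0.0.4"
203.0.113.25 - - [22/Jun/2007:10:07:30 +0000] "GET /product_info.php?products_id=3&osCsid=bbbb2222 HTTP/1.1" 200 900 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.4) Gecko/20070515 Firefox/2.0.0.4"
192.0.2.10 - - [22/Jun/2007:10:09:00 +0000] "GET /index.php HTTP/1.1" 200 512 "-" "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"
"""

# Combined log format: ip ident user [time] "METHOD url PROTO" status bytes "referer" "agent"
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "\S+ (?P<url>\S+) [^"]*" '
    r'\d{3} \S+ "[^"]*" "(?P<ua>[^"]*)"$')
SPIDER_MARKERS = ("googlebot", "slurp", "msnbot", "crawl", "spider")  # assumed sample list

def scan(log_text, param="osCsid"):
    """Return (crawler requests carrying a session ID, IDs shared by >1 client)."""
    spider_hits = []              # (ip, url): a crawler fetched a URL with the ID in it
    clients = defaultdict(set)    # session ID -> distinct (ip, user agent) pairs
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue              # skip lines that are not in combined format
        sids = parse_qs(urlsplit(m["url"]).query).get(param, [])
        if not sids:
            continue              # no session ID in the URL, nothing to report
        ua = m["ua"].lower()
        if any(mark in ua for mark in SPIDER_MARKERS):
            spider_hits.append((m["ip"], m["url"]))
        else:
            clients[sids[0]].add((m["ip"], m["ua"]))
    shared = {sid: len(c) for sid, c in clients.items() if len(c) > 1}
    return spider_hits, shared

if __name__ == "__main__":
    hits, shared = scan(SAMPLE_LOG)
    print("crawler requests with session ID:", hits)
    print("session IDs used by several clients:", shared)
```

An empty first list on later crawler visits means the spider is no longer being handed URLs with sessions; entries in the second dictionary point at IDs that are still circulating through indexed or pasted links.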
Black_cage85 (Author) Posted June 22, 2007

> OK then, the next step would be to check the user agent. When it is set to the Google bot (or any other spider) sessions should not be appended with the URLs. After that you could monitor the server logs for the Google IP to see on the next visit if it still retrieves URLs with sessions.

OK thanks, I'll try that and will see how it handles Google and if Google will get rid of the osCsid in time.

Many thanks,
Paul
This topic is now archived and is closed to further replies.