Reset Session Id


Black_cage85

Posted

Hi

 

I'm wondering if anyone can help me. I have an osCommerce shop up and running, but have recently found a problem with my session set-up. Google has stored the session ID at the end of my page ranking, so when people enter the site they all use the same ID. My system is set to check SSL Session ID, IP Address, and User Agents, and if it's a different user for the session ID it sends them to the home page. This all works fine except for the fact that when people go back to login it uses the same session ID that was given it by Google and assigns it to them and takes it off the other user. Now this user is kicked out of the HTTPS section and sent to the home page but still using the same session ID. This can be an unending cycle of everybody taking the same session ID. I'm wondering how I can get osCommerce to clear the stored session and create a new one when it detects they are a different user to the one stored for that particular session? I have tried disabling the osCsid at the end of the URL but it still passes the session ID somehow and I don't know how to stop it doing this.

 

I have Force Cookie Use set to False and Recreate Session set to True.

 

This is my redirect code. I tried all three redirects separately but none worked.

 

tep_session_destroy();
tep_redirect(tep_href_link(FILENAME_DEFAULT, tep_get_all_get_params(array(tep_session_name())), 'NONSSL', false));
tep_redirect(tep_href_link(FILENAME_DEFAULT));
tep_redirect(tep_href_link(FILENAME_DEFAULT, tep_get_all_get_params(array()), 'NONSSL', false));

 

 

Many Thanks for any help in advance

Paul

Posted
In your osc admin->configuration->sessions->prevent spiders sessions, set it to true. Then install the session regeneration to protect your customers' private info.

http://www.oscommerce.com/community/contributions,4112

Posted

My prevent spiders was set to true but it still got that information somehow.

I've installed that contribution and it did what I wanted so thanks, never thought to look for regeneration.

 

Paul

Posted
If the prevent spiders switch was originally set to true then that should not have happened by itself. Unless... you have one or more hard-coded links in your store with the session appended. (For example, I've seen cases where they copied the link from the address bar of the browser and pasted it in the product's description.) Something like this can put you in lots of trouble.

Posted
Well, my code is set up in a very unique way. It runs multiple affiliates and sites off the one code base, using one SSL certificate for all shops, so it does pass the osCsid in the URL when the user goes from NONSSL to SSL, so that could be where Google retrieved the data from. But I don't hard code it anywhere, and the prevent spiders has always been turned on, so that's the only place I can think it gets it from.

Posted
No, Google won't see that because the spiders.txt is read by osc and if a spider is found there is no session generation. You could also use the latest spiders.txt to be on the safe side:

http://www.oscommerce.com/community/contributions,2455

 

But that was not the root of the problem. Multi-stores use different configuration tables, right? So you need to ensure that session configurations for each store are set properly.

Posted
All the shops run off one configuration file, but that sets variables unique to each shop depending on what it receives from the $_SERVER variables.

 

The HTTPS server is always the same

The HTTP_SERVER is set as $_SERVER['SERVER_NAME'] initially but then stored in session so that when navigating between NONSSL and SSL the theme is the same

The HTTP_COOKIE_DOMAIN is set as $_SERVER['SERVER_NAME']

The sessions are stored in mysql

 

Does that all sound correct or have I missed something that could be causing this problem?

Posted

I don't know which multi-store module you're using. You could look at your database with phpMyAdmin to see if you have configuration_storename tables. These are the tables I am talking about. And so when you change store via your osc Admin the configuration table is different.

 

I am not sure what you mean with the PHP globals; that's not what I'm referring to.

Posted
I wrote the system for multiple shops myself so I'm not using a standard module. I mentioned the PHP globals because you asked whether I had set up my variables correctly, so I tried to explain how mine were set up.

Posted
Variables? I did not mention variables, I mentioned configuration switches.

Posted

Hi

You could also install the spider session remover contribution; this will help rid the search engines of SIDs. It seems to be working for me with the so-called "google dance" and I have fewer results with sids listed now. I also have enigmas Session Regeneration contribution installed.

 

 

Tiger

Posted
Sorry, I misunderstood what you said before; I was trying to explain how my store is configured. Which configuration switches are you on about that could affect the osCsid appearing?

 

And thanks tigergirl, I've installed that module so will just have to wait and see what happens :)

Posted
In your osc admin->configuration->sessions

check the settings for each store. You must have a switch to switch stores somewhere right? Do the session settings change?

Posted
No, all the shops run off the same session settings, with all values set to true except force cookie use which is false. The variable HTTP_COOKIE_DOMAIN is the only thing that changes for each shop, which gets set to $_SERVER['SERVER_NAME'].

 

It switches between stores when it goes to the HTTPS domain, which is always the same, but it keeps the HTTP domain the same as the store they first entered on by storing a setting in the session.

Posted
OK then, the next step would be to check the user agent. When it is set to the Google bot (or any other spider) sessions should not be appended with the URLs. After that you could monitor the server logs for the Google IP to see on the next visit if it still retrieves URLs with sessions.
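
The log check suggested above, as an added example that is not part of the original thread or of osCommerce: it scans access-log lines for crawler requests that still carry an osCsid and for session IDs presented by more than one client. The combined log format, the crawler marker list and the sample lines are assumptions constructed for illustration.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit, parse_qs

# Assumed format: Apache/nginx "combined" access log.
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?:GET|POST|HEAD) (?P<url>\S+) [^"]*" '
    r'\d{3} \S+ "[^"]*" "(?P<ua>[^"]*)"$')
# Assumed crawler markers; a real check would reuse the store's spiders.txt.
SPIDER_MARKERS = ("googlebot", "bingbot", "slurp")

def sid_from(url):
    """Return the osCsid query value carried in a URL, or None."""
    values = parse_qs(urlsplit(url).query).get("osCsid")
    return values[0] if values else None

def analyse(lines):
    """Return (crawler hits carrying a session ID, IDs used by several clients)."""
    spider_hits, clients = [], defaultdict(set)
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # not a combined-format line
        sid = sid_from(m["url"])
        if sid is None:
            continue  # request carries no session ID in the URL
        ua = m["ua"].lower()
        if any(marker in ua for marker in SPIDER_MARKERS):
            spider_hits.append((m["ip"], m["url"]))
        else:
            clients[sid].add((m["ip"], m["ua"]))
    # One ID seen from several (IP, user agent) pairs means visitors share a session.
    shared = {sid: sorted(c) for sid, c in clients.items() if len(c) > 1}
    return spider_hits, shared

# Constructed sample lines (documentation IP ranges, made-up session IDs).
SAMPLE = [
    '203.0.113.7 - - [10/Mar/2008:10:00:01 +0000] "GET /index.php?osCsid=abc123 HTTP/1.1" 200 512 "http://www.google.com/search?q=shop" "Mozilla/5.0 (Windows; U) Firefox/2.0"',
    '198.51.100.9 - - [10/Mar/2008:10:02:11 +0000] "GET /login.php?osCsid=abc123 HTTP/1.1" 200 734 "-" "Mozilla/4.0 (compatible; MSIE 7.0)"',
    '192.0.2.66 - - [10/Mar/2008:10:05:40 +0000] "GET /product_info.php?products_id=3&osCsid=abc123 HTTP/1.1" 200 901 "-" "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"',
    '203.0.113.7 - - [10/Mar/2008:10:06:02 +0000] "GET /index.php?osCsid=def456 HTTP/1.1" 200 512 "-" "Mozilla/5.0 (Windows; U) Firefox/2.0"',
]

if __name__ == "__main__":
    print(analyse(SAMPLE))
```

An empty first list on later crawler visits means the spider no longer receives session IDs; an empty second result means no indexed ID is being reused across visitors.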

Posted
OK thanks, I'll try that and will see how it handles Google and if Google will get rid of the osCsid in time.

 

Many Thanks

Paul

Archived

This topic is now archived and is closed to further replies.
