jake seymour Posted July 6, 2007

Here is the quick rundown: I own LuckyThreadz.com. http://plasticbag.org hotlinked one of my shirts ..... WITH THE SESSION ID ATTACHED TO IT!!! I now have people coming to my site off a hotlinked URL with a session ID attached to it. Here is the URL that was plugged: http://www.luckythreadz.com/product_info.p...007296086c6c924

This is far worse than spiders. Without resorting to forcing cookie use, what is the best option to fix this? Has anyone else come across this? Can I do a mod_rewrite in the .htaccess file that would change the URL and issue a 301 for each individual user that comes from any hotlinked URL out there? Is there a way to strip the osCsid from any URL that comes from a different web page that does not carry my root domain URL?

osCommerce is great! BUT - this HUGE hole wasn't considered when they took into account that folks like to share their awesome interwebz finds. Is there anyone out there with any idea what I'm even talking about?
tigergirl Posted July 6, 2007

Hi, poor you first off - darned sids - and idiot people. Second, it's not a security flaw - this could happen to anyone, but we all need to be aware of it... Third - it's not hotlinking, as that's when people link to images on your site and suck your bandwidth, which can be blocked in your host's cPanel.

What you need to do to fix:
1) Ensure spiders aren't getting session IDs - Admin, Configuration, Sessions - Prevent Spider Sessions: TRUE
2) Install the Session Regeneration contribution (so people following the link get a new session ID on log-in, create account etc.)
3) Install the Spider Session Remover contribution (if you have session IDs listed on search engines due to point 1 being set to false)

That should improve this for you. Best of luck
Tiger
satish Posted July 6, 2007

In application_top.php place some code: if session id == *****924, destroy the session. And in the admin session settings there is a "recreate new session" option; use that.

Satish
tigergirl Posted July 6, 2007

> In application_top.php place some code: if session id == *****924, destroy the session. And in the admin session settings there is a "recreate new session" option; use that. Satish

Hi, what about any other session IDs that people might enter the site with???
Tiger
jake seymour (Author) Posted July 6, 2007

> Hi, what about any other session IDs that people might enter the site with??? Tiger

Actually, I think satish has it.... Satish, what are the chances that I could talk you into dropping the code needed into this thread? Your solution seems to be the easiest stop-gap solution.

Tiger - this is happening on a one-by-one basis. Spiders are indexing my site sans session IDs... I'm using a modified version of Ultimate SEO URLs. My problem lies with folks visiting my site and dropping my shirts on their sites with a damn session ID. I've been up and down the message boards trying to find a solution for this. As far as I'm concerned, this is a security flaw. At one of the most innocent levels available, but nevertheless, it's a flaw that should be addressed.
tigergirl Posted July 6, 2007

> As far as I'm concerned, this is a security flaw. At one of the most innocent levels available, but nevertheless, it's a flaw that should be addressed.

Hi there, Session Regeneration addresses it - so you won't ever have a problem with two customers getting to see the other person's personal details or mixing up carts. Have a read on the forums - it happens. One time is one too many. The code Satish posted will only work for the session ID mentioned (I think, could be wrong) - what if more people hard-code a link with sids that you don't know about?

All the best
Tiger
dynamoeffects Posted July 6, 2007

What's wrong with forcing cookie usage? It would solve your problem in one step and would affect very few people (if any).
Guest Posted July 6, 2007

> What's wrong with forcing cookie usage? It would solve your problem in one step and would affect very few people (if any).

The primary problem with this is that it won't work with servers with shared SSL. And that will affect the majority of stores.
jake seymour (Author) Posted July 6, 2007

> What's wrong with forcing cookie usage? It would solve your problem in one step and would affect very few people (if any).

satish's method is perfect. I watch my stats like a hawk, and I know where my traffic comes from. I've had a handful of folks plug me with the session ID attached. If it takes me going in and adding a line of code for each of those session IDs - so be it... I'll add code until I'm blue in the face.

Force cookie use... Where do I begin. Alright.. I'm using FEC (heavily modified version, of course) and when I send my customer to authorize.net for a credit card transaction, they come back and get sent to a login page. Yeah - I'm completely aware that authorize.net has a lil' section where one can drop in the page where they are redirected, but understand - when I send my user to authorize.net and they put in the wrong credit card information, they come back to my site from authorize.net - that nullifies the cookie because my customer is now sitting on authorize.net's server (which doesn't accept my cookies) - which means that I can't use force cookie use. The workaround for this is to add some code (which is beyond me) into application_top.php which tells specific pages in my checkout process to not force cookie use.

Another good point as well - error messages when the user accidentally uses the wrong credit card number or expiration date. Since the user is no longer on my site, this nullifies the cookies, and the error messages do not work.

So - I've got my head around this problem, and the best possible solution that would solve this altogether is if instead there was a "get" vs "post" for the session ID in the URL. After one or two clicks, the session ID disappears - why can't it happen altogether? Or make it transparent to the customer?
jake seymour (Author) Posted July 6, 2007

> Hi there, Session Regeneration addresses it - so you won't ever have a problem with two customers getting to see the other person's personal details or mixing up carts. Have a read on the forums - it happens. One time is one too many. The code Satish posted will only work for the session ID mentioned (I think, could be wrong) - what if more people hard-code a link with sids that you don't know about? All the best, Tiger

Session regeneration only partially addresses it. I'm using Fast Easy Checkout. If 2 people use the same session ID, they can still make it to checkout_success.php. Where the flaw is in Fast Easy Checkout, I couldn't tell you. But yes - the session should be regenerated when they land on create_account3.php (or create_account.php for that matter).... Actually, NO - the session should be regenerated as soon as the customer lands on my site. Even if there is a session attached to the URL they followed. But - then if that's the case, when they pay with a credit card and leave my site for a minute to head over to authorize.net, it'll kill their session and wipe out their cart. Especially if they receive an error message for typing in the wrong CC info.... This is so complicated..... How do we get this in front of the gurus that designed osCommerce?
Guest Posted July 6, 2007

> satish's method is perfect. I watch my stats like a hawk, and I know where my traffic comes from. I've had a handful of folks plug me with the session ID attached. If it takes me going in and adding a line of code for each of those session IDs - so be it... I'll add code until I'm blue in the face.

The problem with this is that you need to know what sessions are indexed in advance. So it may be too late by the time you figure that out.

> Force cookie use... Where do I begin. Alright.. I'm using FEC (heavily modified version, of course) and when I send my customer to authorize.net for a credit card transaction, they come back and get sent to a login page. [...] that nullifies the cookie because my customer is now sitting on authorize.net's server (which doesn't accept my cookies) - which means that I can't use force cookie use.

To get around it, in application_top.php you replace the code where it sets the session with something like:

```php
// set the session ID if it exists
$g_force = false;
if (isset($HTTP_POST_VARS[tep_session_name()])) {
  // session id supplied in a POST body (e.g. the payment gateway's return post)
  tep_session_id($HTTP_POST_VARS[tep_session_name()]);
  $g_force = true;
} elseif ( ($request_type == 'SSL') && isset($HTTP_GET_VARS[tep_session_name()]) ) {
  // session id supplied in the query string of an SSL request
  tep_session_id($HTTP_GET_VARS[tep_session_name()]);
  $g_force = true;
}

// start the session
$session_started = false;
if (SESSION_FORCE_COOKIE_USE == 'True') {
  tep_setcookie('cookie_test', 'please_accept_for_session', time()+60*60*24*30, $cookie_path, $cookie_domain);
  // start the session even without the test cookie when the id came with the request
  if ( isset($HTTP_COOKIE_VARS['cookie_test']) || ($g_force == true) ) {
    tep_session_start();
    $session_started = true;
  }
} elseif (SESSION_BLOCK_SPIDERS == 'True') {
  // do not hand out sessions to user agents listed in includes/spiders.txt
  $user_agent = strtolower(getenv('HTTP_USER_AGENT'));
  $spider_flag = false;
  if (tep_not_null($user_agent)) {
    $spiders = file(DIR_WS_INCLUDES . 'spiders.txt');
    for ($i=0, $n=sizeof($spiders); $i<$n; $i++) {
      if (tep_not_null($spiders[$i])) {
        if (is_integer(strpos($user_agent, trim($spiders[$i])))) {
          $spider_flag = true;
          break;
        }
      }
    }
  }
  if ($spider_flag == false) {
    tep_session_start();
    $session_started = true;
  }
} else {
  tep_session_start();
  $session_started = true;
}
```

That will force the session to start even when the cookie is not sent.

> Actually, NO - the session should be regenerated as soon as the customer lands on my site. Even if there is a session attached to the URL they followed. But - then if that's the case, when they pay with a credit card and leave my site for a minute to head over to authorize.net, it'll kill their session and wipe out their cart. Especially if they receive an error message for typing in the wrong CC info....

And to have something reliable for this, you may have to make a few changes. Extend the sessions table to store IPs. Then check the IP against the session on every access. If 2 or more IPs show the same session, you call the session regeneration function for the one that has the longer expiration time.
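An added example, not code from the thread, its posters, or osCommerce itself, covering two things raised above: stripping an osCsid that arrives on a link from another site, as asked in the first post, and giving such a visitor a fresh session on landing rather than the one baked into the link, as Jake describes, while leaving the gateway-return case from the reply above alone. It uses plain PHP session calls instead of the store's tep_ wrappers; the host names, the session name "osCsid", and the exempt page checkout_process.php are assumptions, not taken from the thread.

```php
<?php
// Added example for the top of application_top.php, before the store starts
// its session. Not the thread's or osCommerce's own code; plain PHP session
// calls stand in for tep_session_name()/tep_session_start().
//
// Assumptions (not from the thread): the session name is "osCsid", our own
// host names are those in $own_hosts, and the page the payment gateway sends
// the customer back to is /checkout_process.php.

function strip_param($query, $name) {
    // Drop every "$name=..." pair from a query string, at any position,
    // keeping the other pairs in order and without a stray '&'.
    $keep = array();
    foreach (explode('&', $query) as $pair) {
        if ($pair === '') continue;
        $parts = explode('=', $pair, 2);
        if (urldecode($parts[0]) !== $name) $keep[] = $pair;
    }
    return implode('&', $keep);
}

function is_own_referer($referer, array $own_hosts) {
    // Only a Referer on one of our own hosts counts as in-store navigation;
    // a missing, empty or foreign Referer means the visitor came from outside.
    $host = parse_url($referer, PHP_URL_HOST);
    if (!is_string($host) || $host === '') return false;
    return in_array(strtolower($host), $own_hosts, true);
}

function entered_with_url_sid($get, $cookie, $referer, $path, array $own_hosts, $name, array $exempt) {
    // True when the id rides only on the URL (no cookie vouches for it), the
    // request is not in-store navigation, and the page is not exempt.
    if (!isset($get[$name]) || isset($cookie[$name])) return false;
    if (in_array($path, $exempt, true)) return false;
    return !is_own_referer($referer, $own_hosts);
}

$own_hosts = array('luckythreadz.com', 'www.luckythreadz.com');   // assumed
$exempt    = array('/checkout_process.php');                       // assumed
$sid_name  = 'osCsid';

$url     = parse_url($_SERVER['REQUEST_URI']);
$path    = isset($url['path'])  ? $url['path']  : '/';
$query   = isset($url['query']) ? $url['query'] : '';
$referer = isset($_SERVER['HTTP_REFERER']) ? $_SERVER['HTTP_REFERER'] : '';

if (entered_with_url_sid($_GET, $_COOKIE, $referer, $path, $own_hosts, $sid_name, $exempt)) {
    // Ignore the id in the link and open a brand-new session for this visitor.
    // The linked session itself is left untouched, so whoever shared the link
    // keeps their own cart; the newcomer just never joins it.
    ini_set('session.use_only_cookies', '1');
    session_name($sid_name);
    session_start();
    // Then send the browser to the same page minus the id (302, not 301, so
    // the redirect is not cached against this URL), which also keeps the
    // shared id out of the visitor's own links and bookmarks.
    $clean = strip_param($query, $sid_name);
    header('Location: ' . $path . ($clean !== '' ? '?' . $clean : ''), true, 302);
    exit;
}
```

The Referer test is what keeps cookieless visitors navigating within the store from losing their carts, so it is advisory only: a browser or proxy that strips Referer will get a fresh session on every click, which is the trade-off that Force Cookie Use removes. A visitor who blocks cookies does not loop, because after the redirect the URL no longer carries the id and the check no longer fires.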
jake seymour (Author) Posted July 6, 2007

> The problem with this is that you need to know what sessions are indexed in advance. So it may be too late by the time you figure that out. [...] If 2 or more IPs show the same session, you call the session regeneration function for the one that has the longer expiration time.

Man.... I wish I knew more about PHP... I'm simply a front-end developer....

If you could lend me a hand with this problem, I'm more than happy to throw together some super sweet DOM scripts, and some other DOM programming for you :) Hell - I extend this offer to anyone actually! Look through my site, and let me know if there is any front-end functionality that you see that you might like: http://luckythreadz.com Be sure to look at the source code as well... To get an idea.. Cheers
Archived - This topic is now archived and is closed to further replies.