
Idea for cookies in shared ssl - will it work?


seb1188


Hey,

 

I'm trying to work around the whole shared SSL problem. I don't want to use sessions, as users leaving the website from a checkout process (something I commonly do once I see a total including shipping and tax) and going to another website would cause the next website owner to see the session ID in the address the user came from (referral stats). If that doesn't make sense, just think of the things in AwStats that show where your visitors came from...

 

And encrypting the entire shop is bad as it slows it down and will show a different url for the entire time - this isn't good for my image!

 

So, I came up with a new idea. Tell me if it might work, and if you know how to do it that'd be REALLY helpful!

 

 

Whenever a customer puts anything in a shopping basket on the non-secure site, a cookie is written. So, when this happens, write that cookie, AND THEN RUN THE SCRIPT AGAIN but first forwarding to the shared SSL site, so the cookie is written for the shared SSL URL, then return to the non-secure site. That way, the customer has added the item to the basket both in the standard shop and the secure shop, thereby avoiding the empty basket problem on checkout or login when the site goes secure.

 

The same thing would happen whenever a cookie is written in any way (like removing an item) - run the cookie script twice, once from each site.

 

 

Can anyone see a huge problem with this before I desperately try and do it?

 

Is there a contribution that might already do this, part of it, or help at all? :huh:

 

Does anyone know a way in which this might be done?

 

 

 

Thanks for the help. I think finding a way to do this would be unimaginably helpful to sooo many people.

osCommerce is GREAT. When it works...


I am not really sure what you are trying to achieve...

 

Are you simply trying to hide the session id from the site that the customer goes to next?

I didn't think many stats showed query string contents anyway... only the domain or URL...?

 

If you have cookies setup for your SSL and NONSSL pages, then as long as the customer has cookies enabled the session ID won't be in the URL anyway.

If they don't have cookies enabled then there is little you can do about it.

 

The idea of running a "parallel cart" is flawed because cart contents and session info are stored in the database, and it is the same information and database whether you are running via SSL or not.

 

Also, if you enable "Recreate Session" in your admin, then it doesn't matter who gets hold of the session id.

 

Sorry if I have missed the point, but I don't see any benefit to what you are trying to achieve.

 

Rob

Rob Bell - Inspired Graphix

Customising osCommerce in Australia, and the world!

View my profile for web and email links.

 

I'm sorry, but I cannot offer free support via PM etc., and osCommerce forums prohibit me from putting any reference to paid support in my signature.

However viewing my profile may provide links to my website or something like that which you may find useful.


I am not really sure what you are trying to achieve...

 

...

 

The idea of running a "parallel cart" is flawed because cart contents and session info are stored in the database, and it is the same information and database whether you are running via SSL or not.

 

Also, if you enable "Recreate Session" in your admin, then it doesn't matter who gets hold of the session id.

 

Rob

 

Thanks for replying!

 

OK, I'll try to be clearer. If I'm running a shared SSL, cookies don't work properly because for checkout and sign in it changes to the URL of the shared SSL, and that URL can't read the cookies from my non-SSL URL. For example, http://domain.com cookies holding cart contents are lost when the user tries to pay and gets taken to https://securehost.domainhost.com/user instead. Turning force cookies off overcomes this problem by using a session ID, but this can be a security risk, as it could enable other people to see a customer's personal details.

 

Are you saying that "Recreate Session" will prevent this security risk? When exactly will it recreate the session?

 

I would have been content with turning all the "Check IP" etc settings on, but have read that this will be problematic for some customers.

 

My "parallel cart" idea came about because it seems to me that it avoids the SID security risk, and also means cookies aren't a problem, as the cookie is stored by both domains, thus creating a secure, reliable site (well.. two sites really).

 

Alternatively, though from what I understand this is impossible, can the SSL domain be forced to read cookies from my shop domain?

 

If you search for threads about "empty cart on checkout" you will know exactly what my problem is! It's all because of crappy shared SSL, and unfortunately I wasn't aware that SSL would be such a problem with a shared IP, and having already paid for my web hosting I can't really change (and their upgrade costs are a bit high).


But osC sets a new cookie for the shared SSL's domain when it goes into SSL mode anyway, so only users with no cookies set will have this issue.

I have my clients setup on shared SSL with no problems at all.

If the cookies are not setting, you have an error in your configure.php.

 

The recreate session function basically assigns a new session id so people can't come in with the old one and view details etc.

It will recreate after session expiry, which I think is about 20 mins inactivity by default.

This is a sure fire way to stop this issue. I recommend EVERY store has it set to on.

 

Hope that helps.

 

Rob


But osC sets a new cookie for the shared SSL's domain when it goes into SSL mode anyway, so only users with no cookies set will have this issue.

I have my clients setup on shared SSL with no problems at all.

 

Hope that helps.

 

Rob

 

May I see the first part of your configure.php file?

 

Thanks.


Sorry no, since they are all for clients of mine, so it would be a breach of privacy.

 

However, if you want to post yours, I will see if I find anything wrong.

 

Rob


Sorry no, since they are all for clients of mine, so it would be a breach of privacy.

 

However, if you want to post yours, I will see if I find anything wrong.

 

Rob

 

define('HTTP_SERVER', 'http://www.thesebweb.com'); // eg, http://localhost - should not be empty for productive servers
define('HTTPS_SERVER', 'https://pluto.host-care.com'); // eg, https://localhost - should not be empty for productive servers
define('ENABLE_SSL', true); // secure webserver for checkout procedure?
define('HTTP_COOKIE_DOMAIN', 'thesebweb.com');
define('HTTPS_COOKIE_DOMAIN', 'pluto.host-care.com');
define('HTTP_COOKIE_PATH', '/shop/');
define('HTTPS_COOKIE_PATH', '/~thesebwe/shop/');
define('DIR_WS_HTTP_CATALOG', '/shop/');
define('DIR_WS_HTTPS_CATALOG', '/~thesebwe/shop/');
define('DIR_WS_IMAGES', 'images/');
define('DIR_WS_ICONS', DIR_WS_IMAGES . 'icons/');
define('DIR_WS_INCLUDES', 'includes/');

 

I think that's more than you need to spot any errors.

 

It's the same problem a lot of people have, in that things added to the cart are not kept in the cart when the customer is redirected to the HTTPS server.

 

Thanks.

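What the replies in this thread describe (a cookie set for thesebweb.com never reaching pluto.host-care.com, so the HTTPS side starts an empty session, and the session id travelling in the URL when cookies cannot be used) follows from the browser's cookie scoping rules. The following is an added Python example, not code from the thread or from osCommerce: it implements RFC 6265 domain and path matching, feeds it the configure.php values posted above (plus a constructed full-SSL variant where the certificate is on the shop's own hostname), and flags the osCsid query parameter osCommerce uses as its session name when it has to fall back to URL sessions. The page name checkout_shipping.php and the FULL_SSL values are assumptions for illustration only.

```python
"""Cookie scoping across a shared-SSL hostname (added illustration).

The matching rules are RFC 6265's, not osCommerce's code; the SHARED_SSL values
are the ones posted in the thread, FULL_SSL is a constructed comparison."""
from urllib.parse import parse_qs, urlsplit

# Constructed from the configure.php excerpt posted above.
SHARED_SSL = {
    "HTTP_SERVER": "http://www.thesebweb.com",
    "HTTPS_SERVER": "https://pluto.host-care.com",
    "HTTP_COOKIE_DOMAIN": "thesebweb.com",
    "HTTPS_COOKIE_DOMAIN": "pluto.host-care.com",
    "HTTP_COOKIE_PATH": "/shop/",
    "HTTPS_COOKIE_PATH": "/~thesebwe/shop/",
}

# Hypothetical "full SSL" variant: the certificate sits on the shop's own hostname.
FULL_SSL = dict(
    SHARED_SSL,
    HTTPS_SERVER="https://www.thesebweb.com",
    HTTPS_COOKIE_DOMAIN="thesebweb.com",
    HTTPS_COOKIE_PATH="/shop/",
)


def domain_matches(request_host, cookie_domain):
    """RFC 6265 s5.1.3: the request host must equal the cookie's Domain attribute
    or end with it at a label boundary. Two unrelated registrable domains never
    satisfy this, which is the whole shared-SSL problem."""
    if not request_host:
        return False
    host = request_host.lower().rstrip(".")
    domain = cookie_domain.lower().strip(".")
    return host == domain or host.endswith("." + domain)


def path_matches(request_path, cookie_path):
    """RFC 6265 s5.1.4 path-match."""
    if request_path == cookie_path:
        return True
    if request_path.startswith(cookie_path):
        return cookie_path.endswith("/") or request_path[len(cookie_path)] == "/"
    return False


def cookie_would_be_sent(cookie_domain, cookie_path, url):
    """Would a cookie scoped to (cookie_domain, cookie_path) accompany a request to url?"""
    parts = urlsplit(url)
    return domain_matches(parts.hostname, cookie_domain) and path_matches(
        parts.path or "/", cookie_path
    )


def cart_cookie_survives_ssl_switch(cfg):
    """Is the session cookie set on the HTTP side sent to an HTTPS checkout page?
    If not, the HTTPS side sees no session and the cart appears empty."""
    # checkout_shipping.php stands for any page under the HTTPS catalog path (assumed name).
    checkout_url = cfg["HTTPS_SERVER"] + cfg["HTTPS_COOKIE_PATH"] + "checkout_shipping.php"
    return cookie_would_be_sent(cfg["HTTP_COOKIE_DOMAIN"], cfg["HTTP_COOKIE_PATH"], checkout_url)


def session_id_in_url(url, session_name="osCsid"):
    """URL-session fallback: the session id rides in the query string (osCommerce's
    default session name is osCsid), so it is carried along in Referer headers."""
    return session_name in parse_qs(urlsplit(url).query)


if __name__ == "__main__":
    print("shared SSL keeps cart:", cart_cookie_survives_ssl_switch(SHARED_SSL))  # False
    print("full SSL keeps cart:  ", cart_cookie_survives_ssl_switch(FULL_SSL))    # True
    # Constructed URL with a made-up session id value.
    print(session_id_in_url("http://www.thesebweb.com/shop/index.php?osCsid=3f1c9e0d"))
```

The shared-SSL configuration fails the domain check whatever the cookie paths are, which is why no configure.php edit can make one cookie serve both hosts; only a certificate on the shop's own hostname passes. The referral-stats worry in the opening post is the session_id_in_url case: once the id is in the link, it leaves the site with every outbound click.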

I had a look at your store, and you are forcing cookie use; I therefore can't see what is happening with the sessions.

 

You are using a template store though, so it could have something to do with that (depending on the laziness of the developer).

 

Rob


I had a look at your store, and you are forcing cookie use; I therefore can't see what is happening with the sessions.

 

You are using a template store though, so it could have something to do with that (depending on the laziness of the developer).

 

Rob

 

The template's fine. It's the same problem as the stock osCommerce store gives, and also another template I have used.

 

I'll turn force cookies off, but I was hoping to find a way to make cookies work to minimise security risks.

 

Thanks for looking!!!


You indicated that you are using a shared SSL; with a shared SSL your site should only run correctly with "force cookie use" set to false. With force cookie set to on you should be having problems in even trying to force the cookie, because osC checks to see if the domains match, and on a shared SSL that is not possible. If the domains for non-SSL and SSL don't match then forcing cookies isn't going to be possible and fully functional. The safest way around your problem and not get session IDs is to use a full SSL and not a shared one; changing the name in your file to make them match will then remove the SSL capability and most likely break other parts of the site.


You indicated that you are using a shared SSL; with a shared SSL your site should only run correctly with "force cookie use" set to false. With force cookie set to on you should be having problems in even trying to force the cookie, because osC checks to see if the domains match, and on a shared SSL that is not possible. If the domains for non-SSL and SSL don't match then forcing cookies isn't going to be possible and fully functional. The safest way around your problem and not get session IDs is to use a full SSL and not a shared one; changing the name in your file to make them match will then remove the SSL capability and most likely break other parts of the site.

 

Yes, I am aware of all of that which brings me back to the original point...

 

Surely it's possible to copy the cookie used on the unsecure domain to the cookie used on the secure domain. After all, the cookie only stores the session ID, does it not? And if one can pass details of a payment on to PayPal, why can't this be passed on to the secure domain and added to the secure domain's cookie?


From the way things are set up, with the check that the domains for http and https match, if you alter the code in order to bypass this issue and force the cookie then it seems as though you would lose the real function of SSL, and you would lose security to bypass it. While I am sure some code guru could come up with code to do it and still make the site appear secure, it seems as though the workaround you are trying to do brings out a whole issue of ethics. If it were publicly made into a contribution it could be a scary thing, because there are those who have no ethics and would use this bypass you are trying to do with the sole purpose of malicious intent. Personally I don't see how it can be done without compromising the SSL in some way, but maybe sleep deprivation is preventing me from seeing another way to accomplish what you want.


From the way things are set up, with the check that the domains for http and https match, if you alter the code in order to bypass this issue and force the cookie then it seems as though you would lose the real function of SSL, and you would lose security to bypass it. While I am sure some code guru could come up with code to do it and still make the site appear secure, it seems as though the workaround you are trying to do brings out a whole issue of ethics. If it were publicly made into a contribution it could be a scary thing, because there are those who have no ethics and would use this bypass you are trying to do with the sole purpose of malicious intent. Personally I don't see how it can be done without compromising the SSL in some way, but maybe sleep deprivation is preventing me from seeing another way to accomplish what you want.

 

I kind of get what you're saying, but could you give me an example of how it would lose security?

 

The only thing I can think of is that using the same SID and passing it between them means the SID isn't encrypted, so it could be stolen and used to find customer data unethically. But using sessions instead of cookies does this anyway. So what's the difference?

 

Plus recreate sessions isn't working on my site... the session ID remains the same whatever I do. I have php version 5.2.3.

 

And what's to stop an item number and a customer number being passed between secure and non-secure domains? These don't need to be encrypted, as they won't reveal any personal details, but would allow osCommerce to work with shared SSL and cookies, effectively running two carts at the same time. The non-secure site would show the customer as logged in, but to access information would require visiting the secure domain, where the cookie would be needed (which was produced on the customer's computer only).


The session needs to be expired, and no cookie present for the recreate session function to work.

 

I still don't really understand why you think you need to do this, but best of luck with it.

 

Rob

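What "Recreate Session" is meant to buy, as an added Python example that is not osCommerce's implementation: a toy server-side session table whose id is rotated when the customer logs in, and which rejects ids idle longer than the session lifetime. A session id that has already left the site (for instance in a Referer header, the concern in the opening post) stops working the moment the server issues a fresh one. The 20-minute lifetime is the default Rob mentions above; the customer id, cart item and FakeClock are constructed for the example.

```python
"""Session id regeneration and idle expiry (added illustration, not osCommerce code)."""
import secrets
import time


class SessionStore:
    """Minimal server-side session table keyed by session id."""

    def __init__(self, lifetime_seconds=20 * 60, clock=time.time):
        self.lifetime = lifetime_seconds
        self.clock = clock          # injectable so expiry can be exercised without waiting
        self._sessions = {}         # sid -> {"data": dict, "last_seen": float}

    def start(self):
        sid = secrets.token_hex(16)
        self._sessions[sid] = {"data": {}, "last_seen": self.clock()}
        return sid

    def load(self, sid):
        """Return the session data, or None if the id is unknown or idle past the lifetime."""
        entry = self._sessions.get(sid)
        if entry is None:
            return None
        if self.clock() - entry["last_seen"] > self.lifetime:
            del self._sessions[sid]     # expired: forget it, the old id is no longer accepted
            return None
        entry["last_seen"] = self.clock()
        return entry["data"]

    def regenerate(self, old_sid):
        """Move the data to a brand-new id and forget the old one."""
        data = self.load(old_sid)
        if data is None:
            return None
        new_sid = secrets.token_hex(16)
        self._sessions[new_sid] = {"data": data, "last_seen": self.clock()}
        del self._sessions[old_sid]
        return new_sid


class FakeClock:
    """Constructed clock so the example can advance time deterministically."""

    def __init__(self, now=0.0):
        self.now = now

    def __call__(self):
        return self.now


def login_regenerates_id(store, sid, customer_id):
    """Server-side login step: attach the customer to the session, then rotate the id."""
    data = store.load(sid)
    if data is None:
        return None
    data["customer_id"] = customer_id
    return store.regenerate(sid)


def scenario_regenerate_on_login():
    """Returns (old id still accepted?, customer id under the new id, cart under the new id)."""
    store = SessionStore(clock=FakeClock())
    sid_seen_in_referer = store.start()   # constructed: an id that left the site in a Referer header
    store.load(sid_seen_in_referer)["cart"] = ["item-42"]
    new_sid = login_regenerates_id(store, sid_seen_in_referer, customer_id=1001)
    old_accepted = store.load(sid_seen_in_referer) is not None
    new_data = store.load(new_sid)
    return old_accepted, new_data["customer_id"], new_data["cart"]


def scenario_expiry(idle_seconds):
    """Returns whether an id is still accepted after idle_seconds of inactivity."""
    clock = FakeClock()
    store = SessionStore(lifetime_seconds=20 * 60, clock=clock)
    sid = store.start()
    clock.now += idle_seconds
    return store.load(sid) is not None


if __name__ == "__main__":
    print(scenario_regenerate_on_login())   # (False, 1001, ['item-42'])
    print(scenario_expiry(19 * 60), scenario_expiry(21 * 60))   # True False
```

The cart survives the rotation because the data moves with the session and only the identifier changes; the customer's address and order details are never exposed to whoever holds the old id. Rotating at login (and again when the request moves from the HTTP to the HTTPS host) is the point where it matters most, because that is when the session first gains access to personal details.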
