Session Id issue


janetgot


Hello, I'm having an issue on one of my older sites that has a ton of modifications. The session id is displayed as soon as you click through to any page off the home page and never goes away. On my other sites, it isn't displayed at all.

 

Once I've added my address, and go to checkout_shipping.php, if I click on the Change Address button, I see other people's address book, click into account, I see other accounts. Yikes!

 

Can somebody point me in the right direction for fixing this issue? I'm scouring the forums and have tried several things, but none has resolved the issue so far.

 

Here are my configuration file properties (with url and data info removed):

 

<?php
/*
$Id: configure.php,v 1.14 2003/07/09 01:15:48 hpdl Exp $

osCommerce, Open Source E-Commerce Solutions
http://www.oscommerce.com

Copyright © 2003 osCommerce

Released under the GNU General Public License
*/

// Define the webserver and path parameters
// * DIR_FS_* = Filesystem directories (local/physical)
// * DIR_WS_* = Webserver directories (virtual/URL)
define('HTTP_SERVER', 'http://www.mystore.com/'); // eg, http://localhost - should not be empty for productive servers
define('HTTPS_SERVER', 'https://www.mystore.com/'); // eg, https://localhost - should not be empty for productive servers
define('ENABLE_SSL', true); // secure webserver for checkout procedure?
define('HTTP_COOKIE_DOMAIN', 'http://www.mystore.com/');
define('HTTP_MAIL_DOMAIN', 'http://www.mystore.com/');
define('HTTPS_COOKIE_DOMAIN', 'mystore.com/');
define('HTTP_COOKIE_PATH', '');
define('HTTPS_COOKIE_PATH', '');
define('DIR_WS_HTTP_CATALOG', '');
define('DIR_WS_HTTPS_CATALOG', '');
define('DIR_WS_IMAGES', 'images/');
define('DIR_WS_ICONS', DIR_WS_IMAGES . 'icons/');
define('DIR_WS_INCLUDES', 'includes/');
define('DIR_WS_BOXES', DIR_WS_INCLUDES . 'boxes/');
define('DIR_WS_FUNCTIONS', DIR_WS_INCLUDES . 'functions/');
define('DIR_WS_CLASSES', DIR_WS_INCLUDES . 'classes/');
define('DIR_WS_MODULES', DIR_WS_INCLUDES . 'modules/');
define('DIR_WS_LANGUAGES', DIR_WS_INCLUDES . 'languages/');

define('DIR_WS_DOWNLOAD_PUBLIC', 'pub/');
define('DIR_FS_CATALOG', dirname($HTTP_SERVER_VARS['SCRIPT_FILENAME']));
define('DIR_FS_CATALOG', 'http://www.mystore.com/');
define('DIR_FS_DOWNLOAD', DIR_FS_CATALOG . 'download/');
define('DIR_FS_DOWNLOAD_PUBLIC', DIR_FS_CATALOG . 'pub/');

// define our database connection
define('DB_SERVER', ''); // eg, localhost - should not be empty for productive servers
define('DB_SERVER_USERNAME', '');
define('DB_SERVER_PASSWORD', '');
define('DB_DATABASE', '');
define('USE_PCONNECT', 'false'); // use persistent connections?
define('STORE_SESSIONS', 'mysql'); // leave empty '' for default handler or set to 'mysql'

// STS: ADD: Define Simple Template System files
define('STS_START_CAPTURE', DIR_WS_INCLUDES . 'sts_start_capture.php');
define('STS_STOP_CAPTURE', DIR_WS_INCLUDES . 'sts_stop_capture.php');
define('STS_RESTART_CAPTURE', DIR_WS_INCLUDES . 'sts_restart_capture.php');
define('STS_TEMPLATE_DIR', DIR_WS_INCLUDES . 'sts_templates/');
define('STS_DEFAULT_TEMPLATE', DIR_WS_INCLUDES . 'sts_template.html');
define('STS_DISPLAY_OUTPUT', DIR_WS_INCLUDES . 'sts_display_output.php');
define('STS_USER_CODE', DIR_WS_INCLUDES . 'sts_user_code.php');
define('STS_PRODUCT_INFO', DIR_WS_INCLUDES . 'sts_product_info.php');
// STS: EOADD
?>

 

 

Here is my Sessions Config from the admin panel:

 

Session Directory: /tmp
Force Cookie Use: False
Check SSL Session ID: False
Check User Agent: False
Check IP Address: False
Prevent Spider Sessions: True
Recreate Session: False

 

Many thanks!

Janet

Link to comment
Share on other sites

If you turn on 'force cookie use' in sessions, you will never see the sid.

Sam

 

Remember, What you think I meant may not be what I thought I meant when I said it.

Contributions:
Auto Backup your Database, Easy way
Multi Images with Fancy Pop-ups, Easy way
Products in columns with multi buy etc etc
Disable any Category or Product, Easy way
Secure & Improve your account pages et al.

Link to comment
Share on other sites


 

Hi, thanks for your suggestion. I had actually seen your recommendation to somebody else and tried it. But even though I don't have cookies disabled, when I go to checkout, I still get the Cookie Usage page instead of going to checkout. And I've also read that forcing cookies will lose customers... I have Purchase Without Account installed, but I don't know if that is contributing to the issue or not.

 

Is there another fix to look into?

 

Thanks,

Janet

Link to comment
Share on other sites

I've been playing around with this and installed the Session Start Mod http://addons.oscommerce.com/info/2913 which is to prevent session id's from being created until login. So now the site doesn't show any session id's, but when I checkout, if I hit the Change Address button on the checkout_shipping.php page, it shows an address book (I'm checking out as a guest, so I don't have an account to hold an address book), and if I hit the "My Account" link it shows 95 orders from other people... with address info. OMG.

 

Any help is greatly appreciated... as you can imagine, I need to fix this NOW.

Link to comment
Share on other sites

Update... I removed the Session Start Mod, as after I installed it, I kept getting the Cookie Usage page instead of going to checkout.

 

I have turned on the Recreate Session ID again and have been noting the ID's, which are unique when I go into the checkout page... however no matter what the session ID is I can still see the same customer info...

Link to comment
Share on other sites

I think your concern over cookies is unfounded; have a look at this thread for more.

 

http://forums.***.com/index.php?sho...entry2027

Sam

 


Link to comment
Share on other sites

Backup before you do this. Edit your includes/configure.php file to reflect these.

 

From this:

define('HTTP_SERVER', 'http://www.mystore.com/'); // eg, http://localhost - should not be empty for productive servers
define('HTTPS_SERVER', 'https://www.mystore.com/'); // eg, https://localhost - should not be empty for productive servers
define('HTTP_COOKIE_DOMAIN', 'http://www.mystore.com/');
define('HTTPS_COOKIE_DOMAIN', 'mystore.com/');
define('HTTP_COOKIE_PATH', '');
define('HTTPS_COOKIE_PATH', '');

To this:

define('HTTP_SERVER', 'http://www.mystore.com'); // eg, http://localhost - should not be empty for productive servers
define('HTTPS_SERVER', 'https://www.mystore.com'); // eg, https://localhost - should not be empty for productive servers
define('HTTP_COOKIE_DOMAIN', '.mystore.com');
define('HTTPS_COOKIE_DOMAIN', '.mystore.com');
define('HTTP_COOKIE_PATH', '/');
define('HTTPS_COOKIE_PATH', '/');

Link to comment
Share on other sites
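
An added example, not part of the post above and not osCommerce code: a small lint for the cookie constants in includes/configure.php. A cookie whose Domain attribute is not a bare host name matching the site is discarded by the browser, and without the cookie the session ID has to travel in the URL. The helper name lint_cookie_config() is hypothetical; the two sample arrays are the "from" and "to" values in the post.

```php
<?php
// Added example, not osCommerce code. lint_cookie_config() is a hypothetical helper.
function lint_cookie_config(array $cfg): array
{
    $problems = [];
    foreach (['HTTP', 'HTTPS'] as $p) {
        $server = $cfg["{$p}_SERVER"];
        $domain = $cfg["{$p}_COOKIE_DOMAIN"];
        $path   = $cfg["{$p}_COOKIE_PATH"];
        $host   = strtolower((string) parse_url($server, PHP_URL_HOST));

        // The corrected values in the post drop the trailing slash.
        if (substr($server, -1) === '/') {
            $problems[] = "{$p}_SERVER ends with '/'";
        }
        // A cookie Domain is a bare host name: no scheme, slash or port.
        if (preg_match('#[:/]#', $domain)) {
            $problems[] = "{$p}_COOKIE_DOMAIN '$domain' is not a bare host name";
        } elseif ($domain !== '') {
            // The site's host must equal the domain or be a subdomain of it,
            // otherwise the browser discards the cookie.
            $suffix = '.' . strtolower(ltrim($domain, '.'));
            if (substr(".$host", -strlen($suffix)) !== $suffix) {
                $problems[] = "{$p}_COOKIE_DOMAIN '$domain' does not match '$host'";
            }
        }
        // A Path that does not start with '/' is ignored; the browser then
        // scopes the cookie to the directory of the requesting URL.
        if ($path === '' || $path[0] !== '/') {
            $problems[] = "{$p}_COOKIE_PATH '$path' does not start with '/'";
        }
    }
    return $problems;
}

// Values copied from the thread: original configure.php and the suggested fix.
$before = ['HTTP_SERVER' => 'http://www.mystore.com/', 'HTTPS_SERVER' => 'https://www.mystore.com/',
           'HTTP_COOKIE_DOMAIN' => 'http://www.mystore.com/', 'HTTPS_COOKIE_DOMAIN' => 'mystore.com/',
           'HTTP_COOKIE_PATH' => '', 'HTTPS_COOKIE_PATH' => ''];
$after  = ['HTTP_SERVER' => 'http://www.mystore.com', 'HTTPS_SERVER' => 'https://www.mystore.com',
           'HTTP_COOKIE_DOMAIN' => '.mystore.com', 'HTTPS_COOKIE_DOMAIN' => '.mystore.com',
           'HTTP_COOKIE_PATH' => '/', 'HTTPS_COOKIE_PATH' => '/'];

foreach (['before' => $before, 'after' => $after] as $label => $cfg) {
    $problems = lint_cookie_config($cfg);
    echo "$label: ", $problems ? implode('; ', $problems) : 'ok', "\n";
}
```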


Hi Bryce, thanks so much for this code... I edited my configure file and tried it. The Session Id's are now gone, however, if I hit the account link or the address book I still see other people's info.

 

The site is so heavily modified that I'm at a loss where to hunt. My solution for the moment is to remove those links completely and rebuild the site with the latest build as soon as possible. I'd still love to fix the problem in the interim though!

Link to comment
Share on other sites

Archived

This topic is now archived and is closed to further replies.
