dreamscape, posted January 2, 2003

hello all...

I 1st posted this in the general chat and no go... so to follow forum rules, I am reposting it here in the hopes that it might get a little more attention in the installation/configuration area.

ok now, since my SSL and nonSSL servers are the same domain (NO shared SSL), there is absolutely no need to propagate the SID into the URL when changing between SSL and nonSSL with cookies enabled (since the domain remains the same). problem is that OSC checks if you are switching between SSL and nonSSL rather than switching domains.

anyways I would like to change the session function that if switching between SSL and nonSSL it does NOT propagate the SID into the URL if cookies are enabled (since there is no need to)...

I believe the changes lie within this part of the tep_href_link found in functions/html_output.php:

    // Add the session ID when moving from HTTP and HTTPS servers or when SID is defined
    if ( (ENABLE_SSL == true) && ($connection == 'SSL') && ($add_session_id == true) ) {
      $sid = tep_session_name() . '=' . tep_session_id();
    } elseif ( ($add_session_id == true) && (tep_not_null(SID)) ) {
      $sid = SID;
    }

I am having trouble figuring out what I should make it though... removing the (ENABLE_SSL == true) && ($connection == 'SSL') && from the code just makes it that the SID is propagated all the time.

I tried adding ($connection == 'NONSSL') into the code, thinking "what the heck" (hey I am no PHP guru)... the new code looked like:

    // Add the session ID when moving from HTTP and HTTPS servers or when SID is defined
    if ( (ENABLE_SSL == true) && ($connection == 'SSL') && ($connection == 'NONSSL') && ($add_session_id == true) ) {
      $sid = tep_session_name() . '=' . tep_session_id();
    } elseif ( ($add_session_id == true) && (tep_not_null(SID)) ) {
      $sid = SID;
    }

this seems to work, but I haven't tested it with cookies disabled... and since I am not a PHP guru, I don't know what the implications are...

so any help on how I can accomplish what I am trying to, I would really really appreciate it. thanks for your time all.

The only thing necessary for evil to flourish is for good men to do nothing - Edmund Burke

dreamscape, posted January 2, 2003

ok I managed to test my code with cookies disabled and it doesn't affect it... the SID is propagated as should be with no cookies... the code that works:

    // Add the session ID when moving from HTTP and HTTPS servers or when SID is defined
    if ( (ENABLE_SSL == true) && ($connection == 'SSL') && ($connection == 'NONSSL') && ($add_session_id == true) ) {
      $sid = tep_session_name() . '=' . tep_session_id();
    } elseif ( ($add_session_id == true) && (tep_not_null(SID)) ) {
      $sid = SID;
    }

but a small problem: I get

    Parse error: parse error, expecting `')'' in /home/newage/public_html/includes/functions/html_output.php on line 274

on all pages and get

    Parse error: parse error, expecting `')'' in /home/newage/public_html/includes/functions/html_output.php on line 274
    Warning: Cannot add header information - headers already sent by (output started at /home/newage/public_html/includes/functions/html_output.php:274) in /home/newage/public_html/includes/functions/general.php on line 23

on all pages that call the tep draw input function (line 274 html_output.php)...

I have changed nothing in html_output.php except adding the ONE thing I mentioned above to stop the SID in URL with cookies. line 274 of html_output.php (what appears to be causing the parse errors) is either a blank line or the line

    $field .= '>' . tep_parse_input_field_data($values[$i]['text'], array('"' => '&quot;', '\'' => '&#039;', '<' => '&lt;', '>' => '&gt;')) . '</option> ...

depending on what program you open it in... any help on this one?

dreamscape, posted January 2, 2003

well I think I figured the parse error out... since I am away from my PC, I was editing files and uploading files via Cpanel's file manager... it must not have been saving them as ASCII or something because when I re-uploaded the modified html_output.php through FTP, everything is ok now...

so the code:

    // Add the session ID when moving from HTTP and HTTPS servers or when SID is defined
    if ( (ENABLE_SSL == true) && ($connection == 'SSL') && ($connection == 'NONSSL') && ($add_session_id == true) ) {
      $sid = tep_session_name() . '=' . tep_session_id();
    } elseif ( ($add_session_id == true) && (tep_not_null(SID)) ) {
      $sid = SID;
    }

seems to be doing the job... and I tested with cookies disabled and it doesn't affect that in any way... so all I did was add ($connection == 'NONSSL') to the if statement... anyone see any problems with doing this?

so now when cookied users browse the site, the only time they will see a SID in the url is when they 1st follow a link (one of the devs said that the cookies for OSC are non-persistent so the SID must be propagated in the URL the 1st time???)... but I will be installing Ians SID killer, so that should take care of that and cookied users should NEVER see the SID in URL... hopefully this will greatly reduce the potential number of postings of links to my with SIDs in the URL.

Harald Ponce de Leon, posted January 3, 2003

You're nearly there :) Your method is not using correct logic though, even though it may work.

Here is something I've quickly written, though needs more testing. The second line needs to be added to the tep_href_link function in includes/functions/general.php:

    function tep_href_link($page = '', .....) {
      static $http_host, $https_host;

The function parameters above have been cut for readability purposes only - the "static" line is all that needs to be added to that function.

Then replace the following:

    if ( (ENABLE_SSL == true ) && ($connection == 'SSL') && ($add_session_id == true) ) {
      $sid = tep_session_name() . '=' . tep_session_id();
    } elseif ( ($add_session_id == true) && (tep_not_null(SID)) ) {
      $sid = SID;
    }

with:

    if ($add_session_id == true) {
      if (tep_not_null(SID)) {
        $sid = SID;
      } elseif ( ($connection == 'SSL') && (ENABLE_SSL == true) ) {
        if (!isset($http_host) && !isset($https_host)) {
          $url = parse_url(HTTP_SERVER);
          $http_host = $url['host'];
          $url = parse_url(HTTPS_SERVER);
          $https_host = $url['host'];
        }
        if ($http_host != $https_host) {
          $sid = tep_session_name() . '=' . tep_session_id();
        }
      }
    }

That may or may not work as is - something that needs to be fine tuned is the "if ($http_host != $https_host)" check to only check the domain and not the full host value; for example: www1.server.com and www1.server.com will obviously match, however www1.server.com and ssl.server.com will obviously not match even though they are still valid for the cookie.

osCommerce
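
The domain-only comparison mentioned at the end of the post above, sketched as an added example (not part of the original post and not osCommerce code). It applies the RFC 6265 domain-match rule to both server hosts; the function names and the `$cookieDomain` parameter are hypothetical, and the sample URLs are constructed.

```php
<?php
// Added example, not osCommerce code. Function and parameter names are
// hypothetical; the URLs in $cases are constructed sample input.

// RFC 6265 domain-match: is a cookie scoped to $cookieDomain sent to $host?
function cookie_domain_matches(string $host, string $cookieDomain): bool
{
    $domain = strtolower(ltrim($cookieDomain, '.'));
    if ($domain === '') {
        return false;
    }
    if ($host === $domain) {
        return true;
    }
    // IP literals never match a Domain attribute by suffix.
    if (filter_var($host, FILTER_VALIDATE_IP) !== false) {
        return false;
    }
    $suffix = '.' . $domain;
    return substr($host, -strlen($suffix)) === $suffix;
}

// True when the browser returns the same session cookie to both servers,
// so the SID does not have to travel in the URL.
function session_cookie_reaches_both(string $httpServer, string $httpsServer, string $cookieDomain = ''): bool
{
    $httpHost  = parse_url($httpServer, PHP_URL_HOST);
    $httpsHost = parse_url($httpsServer, PHP_URL_HOST);
    if (!is_string($httpHost) || !is_string($httpsHost)) {
        return false; // unparsable server URL: keep the stock behaviour
    }
    $httpHost  = strtolower($httpHost);
    $httpsHost = strtolower($httpsHost);
    if ($cookieDomain === '') {
        // Host-only cookie: returned only to the exact host that set it.
        return $httpHost === $httpsHost;
    }
    return cookie_domain_matches($httpHost, $cookieDomain)
        && cookie_domain_matches($httpsHost, $cookieDomain);
}

$cases = [
    ['http://www1.server.com', 'https://www1.server.com', ''],
    ['http://www1.server.com', 'https://ssl.server.com', ''],
    ['http://www1.server.com', 'https://ssl.server.com', 'server.com'],
    ['http://www1.server.com', 'https://secure.sharedssl.example', 'server.com'],
];
foreach ($cases as [$http, $https, $domain]) {
    $sidInUrl = session_cookie_reaches_both($http, $https, $domain) ? 'no' : 'yes';
    printf("%s -> %s (cookie domain '%s'): SID in URL: %s\n", $http, $https, $domain, $sidInUrl);
}
```

Comparing against the cookie's configured domain avoids guessing the registrable domain from the host name. A Domain attribute also makes the session cookie visible to every host under that domain, so it should be no wider than the two store hosts need.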

Harald Ponce de Leon, posted January 3, 2003

> The second line needs to be added to the tep_href_link function in includes/functions/general.php

Sorry! That should be in includes/functions/html_output.php - not general.php.

dreamscape, posted January 3, 2003

thanks much for help Harald... I will install and test this in a few days

Harald Ponce de Leon, posted January 9, 2003

Did you, or anyone else, end up testing it?

It works fine for me when I navigate around in http mode for a few pages then go to https mode, however when I go straight to https mode by clicking on a https link on the first request (ie, http -> https) and navigate in a https session (my account -> new customer -> my account -> checkout, etc) the session ID remains in the url.

I don't know if it's the logic failing or due to my localhost. The logic looks fine, but for some reason SID does not get unset which is unusual.

dreamscape, posted January 9, 2003

> Did you, or anyone else, end up testing it?
>
> It works fine for me when I navigate around in http mode for a few pages then go to https mode, however when I go straight to https mode by clicking on a https link on the first request (ie, http -> https) and navigate in a https session (my account -> new customer -> my account -> checkout, etc) the session ID remains in the url.
>
> I don't know if it's the logic failing or due to my localhost. The logic looks fine, but for some reason SID does not get unset which is unusual.

oh yeah I have it installed... it seems to be working excellent... I don't remember getting what you have there (though I don't remember trying)... I'll do the same test at my site http://www.allthingsnewage.com

dreamscape, posted January 9, 2003

oh wait I cannot test. I have Ians SID killer in place which doesn't allow SIDs unless something is in the cart or user is logged in.

This topic is now archived and is closed to further replies.