osCsid



Hi,

 

I know I have read this somewhere but can't find anything about it now BUT - -

What is a 'sid' and what is its importance?

I am sure I read about the osCsid being removed or something but why would you do that and is it a specialist job?

 

Cheers in advance for any info at all on this.


I know I have read this somewhere but can't find anything about it now BUT - -

What is a 'sid' and what is its importance?

Introduction

 

As communication between the client (browser) and server is made in a stateless mode, it is not possible to know who the client is and where they currently are on the website.

 

The cookie protocol is an implementation used on websites that allow client tracking to occur. This allows for greater interactivity between client and server as the server is able to tell who the client is and where they currently are on the website.

 

Without this form of implementation, shopping online or banking online would not be possible.

 

The cookie protocol works by allowing the website to store a file on the client's computer which the client sends on every subsequent request made to the website. The website can store any text information required in the cookie file but must remain within a 4 kilobyte size limit.

 

For privacy reasons, the cookie file stored by the website on the client's computer can only be read by the website that stored it. This is controlled by the URL domain of the website. www.domain-one.com can only access cookie files which www.domain-one.com stored, not the cookie files which www.domain-two.com stored.

 

For the website to be able to track the client, a session ID is uniquely created and stored as a cookie on the client's computer.

 

This allows the website to track the client via the uniquely created session ID and to know if the client is in an authenticated state with the web application or not.

 

As it is possible for the client to disable the use of cookies on their browser, a fallback mode is usually implemented on the web application to still be able to keep track of the session between client and server.

 

The fallback method involves appending the uniquely created session ID to all links on the website such as:

 

http://www.domain-one.com/index.php?sessio...52r43tWEFw34352

 

Depending on the web application, having the session ID on the url can pose security and privacy related issues.

 

If the client copies the complete url to share with a friend, that friend will share the session due to the session ID existing in the url. If the original client is authenticated with the web application, their friend will have access to the account information of the original client.

 

Another example is if the client's requests go through a proxy server - the proxy server logs all requests including the parameters of the URL, which will contain the session ID. It is possible for the proxy site administrator, or a hacker, to gain access to the logs and to hijack the client's session with the web application simply by taking the logged session ID.

 

The Security and Privacy Proposal was made to address these issues as they can be serious for an online shop web application where the customers' privacy is the top priority to secure.

 

As security and privacy related issues vary from solution to solution, the realization of this proposal is made to be configurable in the following key issues:

 

* Force Cookie Usage
* Verifying SSL_SESSION_ID
* Search Spider Engine Session Prevention
* Session Regeneration

For settings and explanation of the following key issues --> Click Here

...and is it a specialist job?
No.

For settings and explanation of the following key issues --> Click Here

No.

 

Thanks Bryce,

 

That explains a lot - I need to do some reading etc. and get my site tied down a bit more, I think.

 

Thanks for the advice, very much appreciated.

 

Regards

John


For settings and explanation of the following key issues --> Click Here

No.

 

After doing the adjustments in the 'sessions' admin bit, does it matter if the osCsid=whatever is still showing on the address bar?

 

Cheers

John


After doing the adjustments in the 'sessions' admin bit, does it matter if the osCsid=whatever is still showing on the address bar?

 

Cheers

John

 

 

Just shut and re-opened my browser and now no osCsid= showing.

So answered my own question I suppose..LOL

 

Leaving this here so if anyone else has the same issue it might be of help to them.

 

Thanks Bryce.

 

Regards


Does it matter if the osCsid=whatever, is still showing on the address bar?

 

In my opinion it very much matters.

 

If you have no SSL or shared SSL then your site will show the session id. If you have full SSL then you can use "Force Cookie Use" which puts the session id into a cookie on the user's PC. As spiders don't accept cookies they don't add session ids to search result pages.

 

Whilst the site shows the session id you are reliant upon the "Prevent Spider Sessions" setting being set to True, and having a fully up to date spiders.txt file (which lists all of the spiders not allowed to create session ids).

 

If a search engine spider does not exist in that list then it can create session ids, and it will add those session ids to its results pages. So if two or more people click on that same link, with the same session id, and one of them is logged in on your site then the others will end up in that person's My Account or Shopping Cart area. This can be disastrous for eCommerce website owners.

 

That's why it's always best to have full ssl and to use Force Cookie Use.

 

Vger

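The situation Vger describes (a spider that spiders.txt does not list gets a session, and that osCsid then spreads through search results) can be checked against your own access log. This is an added example, not osCommerce's code: a Python script that reads Apache combined-format log lines, pulls out every request whose URL carries an osCsid parameter, and reports whether it went to a spider listed in spiders.txt or to a bot-looking agent that spiders.txt does not cover. The log lines and the spiders.txt excerpt are constructed samples.

```python
"""Find osCommerce session IDs (osCsid) leaking into URLs in an access log.
Added example, not osCommerce code.  Two conditions from the thread are flagged:
  - a spider listed in spiders.txt still received an osCsid (Prevent Spider
    Sessions is off or not working), and
  - a bot-looking User-Agent not listed in spiders.txt got one (list out of date)."""
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample lines in Apache combined log format (not real traffic).
SAMPLE_LOG = """\
203.0.113.10 - - [10/Mar/2009:12:00:01 +0000] "GET /index.php HTTP/1.1" 200 5123 "-" "Mozilla/5.0 (Windows NT 6.1)"
203.0.113.11 - - [10/Mar/2009:12:00:02 +0000] "GET /product_info.php?products_id=28&osCsid=0a1b2c3d4e5f6789 HTTP/1.1" 200 8812 "-" "Mozilla/5.0 (Windows NT 6.1)"
198.51.100.5 - - [10/Mar/2009:12:00:03 +0000] "GET /index.php?cPath=22&osCsid=ffeeddccbbaa9988 HTTP/1.1" 200 6110 "-" "Googlebot/2.1 (+http://www.google.com/bot.html)"
198.51.100.6 - - [10/Mar/2009:12:00:04 +0000] "GET /index.php?osCsid=1122334455667788 HTTP/1.1" 200 6110 "-" "NewCrawler/1.0 (+http://crawler.example)"
"""

# Constructed excerpt in the style of spiders.txt: one lowercase substring per line.
SAMPLE_SPIDERS_TXT = "googlebot\nmsnbot\nslurp\n"

# Request line, status, size, referer and user agent of the combined format.
LOG_RE = re.compile(
    r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3}) \S+ '
    r'"[^"]*" "(?P<agent>[^"]*)"')

# Generic hints that an unlisted agent is a crawler rather than a shopper.
BOT_HINTS = ('bot', 'crawler', 'spider')


def load_spiders(text):
    """Parse spiders.txt content into lowercase agent substrings."""
    return [line.strip().lower() for line in text.splitlines()
            if line.strip() and not line.startswith('#')]


def find_sid_leaks(log_text, spiders):
    """Return one dict per request whose URL carried an osCsid parameter."""
    leaks = []
    for line in log_text.splitlines():
        m = LOG_RE.search(line)
        if not m:
            continue
        url = urlsplit(m['target'])
        params = parse_qs(url.query)
        if 'osCsid' not in params:
            continue
        agent = m['agent'].lower()
        leaks.append({
            'path': url.path,
            'sid': params['osCsid'][0],
            'agent': m['agent'],
            'known_spider': any(s in agent for s in spiders),
            'looks_like_bot': any(h in agent for h in BOT_HINTS),
        })
    return leaks


def summarize(leaks):
    """Count the two conditions the thread warns about."""
    return {
        'total_sid_in_url': len(leaks),
        'known_spider_got_session': sum(l['known_spider'] for l in leaks),
        'unlisted_bot_got_session': sum(
            l['looks_like_bot'] and not l['known_spider'] for l in leaks),
    }
```

Feed find_sid_leaks() the contents of your real access log and your shop's spiders.txt; a non-zero known_spider_got_session count means the spider prevention is not working, a non-zero unlisted_bot_got_session count means spiders.txt needs updating.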

In my opinion it very much matters.

 

If you have no SSL or shared SSL then your site will show the session id. If you have full SSL then you can use "Force Cookie Use" which puts the session id into a cookie on the user's PC. As spiders don't accept cookies they don't add session ids to search result pages.

 

Whilst the site shows the session id you are reliant upon the "Prevent Spider Sessions" setting being set to True, and having a fully up to date spiders.txt file (which lists all of the spiders not allowed to create session ids).

 

If a search engine spider does not exist in that list then it can create session ids, and it will add those session ids to its results pages. So if two or more people click on that same link, with the same session id, and one of them is logged in on your site then the others will end up in that person's My Account or Shopping Cart area. This can be disastrous for eCommerce website owners.

 

That's why it's always best to have full ssl and to use Force Cookie Use.

 

Vger

 

I have set the "Force Cookies Use" to 'True' and the osCsid has now disappeared.

I have my own SSL cert that I purchased but haven't got it implemented on my site yet. I do know that my hosting company will implement it for me if I tell them what page to start it at. I don't want the full site under 'https' as this would slow it down, as I understand it.

I do use PayPal as my 'Payment Method' so when it goes to them for processing, their SSL kicks in. BUT would it be a good idea to have my SSL Cert implemented at the start of the payment method, ie on the checkout_shipping.php page with the delivery info on it?

 

Regards

John


I have set the "Force Cookies Use" to 'True' and the osCsid has now disappeared.

I have my own SSL cert that I purchased but haven't got it implemented on my site yet. I do know that my hosting company will implement it for me if I tell them what page to start it at. I don't want the full site under 'https' as this would slow it down, as I understand it.

I do use PayPal as my 'Payment Method' so when it goes to them for processing, their SSL kicks in. BUT would it be a good idea to have my SSL Cert implemented at the start of the payment method, ie on the checkout_shipping.php page with the delivery info on it?

 

Regards

John

For a second opinion, you should leave Force Cookies off. It will cause a loss of customers and is not needed to remove the session IDs. A shared SSL works fine with it off and the session IDs won't show except for the first click or two. Any search engines that you are worried about being listed in will follow the spider rules. Just be sure to always have the prevent spider sessions setting set to true. Keep in mind that you are in business to make money. Why lose sales just because your shop isn't set up correctly?

 

Jack

Support Links:

For Hire: Contact me for anything you need help with for your shop: upgrading, hosting, repairs, code written, etc.

All of My Addons

Get the latest versions of my addons

Recommended SEO Addons


you should leave Force Cookies off. It will cause a loss of customers

 

Jack, I know that you do a great job in keeping your Large spiders.txt contribution up to date - but how many shop owners regularly update their spiders.txt file? In my experience very few even update the old and outdated default osCommerce spiders.txt file.

 

Using Force Cookie Use may cost a website a very small number of customers. Not using it and having an outdated spiders.txt file can lead to a nightmare situation for shop owners.

 

I've lost count of the number of times where spiders have created session ids (Google included) and added that session id to their search engine results, leading to some customers ending up in other customers accounts and orders ending up in the wrong account. And once those session ids exist in search engine results it takes forever for them to work their way out.

 

I have my own SSL cert that I purchased but haven't got it implemented on my site yet

 

You cannot use Force Cookie Use until it is implemented, and correctly implemented with the http and https_cookie_domain settings matching your full SSL certificate.

 

Vger


You cannot use Force Cookie Use until it is implemented, and correctly implemented with the http and https_cookie_domain settings matching your full SSL certificate.

 

Vger

 

I am totally lost now. Is there anywhere I can find out how to correctly implement my http and https_cookie_domain settings so they match my full SSL certificate?

I don't understand this bit at all.

 

I have to compliment you guys on your knowledge and willingness to share it before I do anything else.

The help on these boards is tremendous, just wish I knew a bit more about it all.

 

Regards

John


Your SSL Certificate will either have been issued to www.yourdomain.com or just to yourdomain.com

 

When your ssl certificate has been successfully installed you need to edit the includes/configure.php file. For example (an install in the root of your web, with the ssl cert issued to www.yourdomain.com):

 

define('HTTP_SERVER', 'http://www.yourdomain.com');
define('HTTPS_SERVER', 'https://www.yourdomain.com');
define('ENABLE_SSL', true); // secure webserver for checkout procedure?
define('HTTP_COOKIE_DOMAIN', 'www.yourdomain.com');
define('HTTPS_COOKIE_DOMAIN', 'www.yourdomain.com');
define('HTTP_COOKIE_PATH', '/');
define('HTTPS_COOKIE_PATH', '/');
define('DIR_WS_HTTP_CATALOG', '/');
define('DIR_WS_HTTPS_CATALOG', '/');

 

Vger


Steps and requirements to skip osCsid:

1) No shared SSL allowed.
2) Set force cookies to true.
3) Set cookie path so cookie creation and its path are OK.

 

 

 

Satish

Ask/Skype for Free osCommerce value addon/SEO suggestion tips for your site.

 

Check My About US For who am I and what My company does.


Steps and requirements to skip osCsid:

1) No shared SSL allowed.
2) Set force cookies to true.
3) Set cookie path so cookie creation and its path are OK.

 

 

 

Satish

 

3)Set cookie path so cookie creation and its path are ok.

The rest I understand, this I am unsure of.

This is how I have it set up at the moment.

 

Session Directory: /tmp
Force Cookie Use: True
Check SSL Session ID: True
Check User Agent: True
Check IP Address: False
Prevent Spider Sessions: True
Recreate Session: True

 

You guys are making this one hell of an informative thread. lol

 

Regards

John


This has already been answered by Jack_mcs and Vger

 

Imo both are correct.

 

I personally lean towards the "force cookie use" as there are no intangibles and also can be required by some merchant tests where they require never to see a querystring session.

 

Jack is also ofc correct and some people cannot afford the "force cookie" option. I don't agree with the "lost sales" argument though as there are very few of the big shops (I've yet to find one) where you can buy online with cookies off.


....and if your site has to become PCI (Payment Card Industry) Compliant the scanning companies are not happy about session ids being passed in the URL - for the reasons I've already stated.

 

Vger


Steps and requirements to skip osCsid:

1) No shared SSL allowed.
2) Set force cookies to true.
3) Set cookie path so cookie creation and its path are OK.

 

Satish

Maybe I'm missing the reasoning behind this but I have a number of sites where a shared SSL is used, force cookies is off and there aren't any SIDs, except for the first few clicks. Why do you think this won't work with shared SSLs?

 

Jack


This has already been answered by Jack_mcs and Vger

 

Imo both are correct.

 

I personally lean towards the "force cookie use" as there are no intangibles and also can be required by some merchant tests where they require never to see a querystring session.

 

Jack is also ofc correct and some people cannot afford the "force cookie" option. I don't agree with the "lost sales" argument though as there are very few of the big shops (I've yet to find one) where you can buy online with cookies off.

At one point in one of my personal shops, I had force cookies turned on. I received several messages from customers asking why I was requiring that and saying that they would not purchase from me because of it. Since then, I have heard the same story from a number of my hosting members. Are those lost sales worth worrying about? If that was all, I would say no. But not everyone will bother contacting a site so the actual number of losses can't be known. I just don't see the point of losing even one.

 

Jack


Jack, I know that you do a great job in keeping your Large spiders.txt contribution up to date - but how many shop owners regularly update their spiders.txt file? In my experience very few even update the old and outdated default osCommerce spiders.txt file.

 

Using Force Cookie Use may cost a website a very small number of customers. Not using it and having an outdated spiders.txt file can lead to a nightmare situation for shop owners.

Yes, I agree that many shops, if not most, don't have an updated spiders file. But I've never had the problem of a site getting its SIDs listed unless they didn't have prevent spiders turned on. Maybe I've just been lucky. If it is a problem for anyone and they don't want to set the shop up to protect against it, then, yes, they should turn on force cookies. It just seems like the wrong way to me.

 

Jack


Yes, I agree that many shops, if not most, don't have an updated spiders file. But I've never had the problem of a site getting its SIDs listed unless they didn't have prevent spiders turned on. Maybe I've just been lucky. If it is a problem for anyone and they don't want to set the shop up to protect against it, then, yes, they should turn on force cookies. It just seems like the wrong way to me.

 

Jack

 

Have to say I agree, I think it is ridiculous for the PCI testers to refuse sites because of an initial osCsid that is not persistent.

 

They also didn't wear the "Recreate session" argument.

 

Jobsworths following an overstrict intractable policy.


This has been a cracking thread with lots of different views.

 

I suppose it boils down to staying safe and keeping your customers safe. Seems to depend on how much you want to compromise sales for security.

Personally I want any customers to be able to take a smooth transition from looking to actually receiving their goods. If there are any hiccups on the way, I think that would lose customers.

I know if a security cert came up or any sort of warning then I don't think I would purchase off that site.

 

We all want to make as many sales as possible but I don't want to be scammed, have my site 'hacked' or have the customer feeling less than happy about buying.

That's where I think a forum like this comes into its own, the experienced helping the less knowledgeable to gain an understanding and then making an informed decision about what is right for them.

I think a lot of us would end up losing a lot of money and faith in what we are doing and having no customers otherwise.

 

I knew absolutely nothing about 'sid's' at the start of this thread, now I think I have enough of an understanding to make a decision on what would be right for me.

 

Thanks to everyone for their input and HOPEFULLY this thread will come in handy for others with the same concerns.

But, please, if you have something to add, don't stop yet! lol

 

Cheers


Maybe I'm missing the reasoning behind this but I have a number of sites where a shared SSL is used, force cookies is off and there aren't any SIDs, except for the first few clicks. Why do you think this won't work with shared SSLs?

 

Jack

 

1)No shared SSL allowed.

I mean to say if "Set force cookies to true" then "shared SSL is not allowed".

 

The reason being that with shared SSL the URL for the SSL path and the non-SSL URL are treated as different sites as far as browsers are concerned. So the cookies can't be used between them.

 

Satish


3)Set cookie path so cookie creation and its path are ok.

The rest I understand, this I am unsure of.

This is how I have it set up at the moment.

 

Session Directory: /tmp
Force Cookie Use: True
Check SSL Session ID: True
Check User Agent: True
Check IP Address: False
Prevent Spider Sessions: True
Recreate Session: True

 

You guys are making this one hell of an informative thread. lol

 

Regards

John

3)Set cookie path so cookie creation and its path are ok.

 

I mean to say that if the above 2 points are taken care of but the HTTP cookie values are wrong, then cookies will not get created, so we need to be sure that the values are right.

Satish

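Vger's configure.php example and Satish's two conditions (no shared SSL with Force Cookie Use on, and cookie domain/path values that actually let the browser keep the cookie) can be checked mechanically. This is an added example, not osCommerce's code: a Python script that parses the define() lines of an includes/configure.php and reports the mismatches the thread describes. Because Force Cookie Use lives in the admin configuration table rather than in configure.php, its value is passed in as an argument; the shared-SSL config is a constructed sample and secure.sharedhost.example is a placeholder hostname.

```python
"""Consistency check for the cookie and SSL settings in an osCommerce
includes/configure.php.  Added example, not osCommerce code.  Following the
thread: each *_COOKIE_DOMAIN must match the host of its *_SERVER URL, each
*_COOKIE_PATH must cover the catalog directory, and Force Cookie Use needs
the HTTP and HTTPS hosts to be identical (a shared-SSL host is another site)."""
import re
from urllib.parse import urlsplit

# Matches define('NAME', 'string'); and define('NAME', true|false);
DEFINE_RE = re.compile(r"define\('([A-Z_]+)',\s*(?:'([^']*)'|(true|false))\)")

# Vger's example from the thread: cert for www.yourdomain.com, shop in the web root.
GOOD_CONFIG = """
define('HTTP_SERVER', 'http://www.yourdomain.com');
define('HTTPS_SERVER', 'https://www.yourdomain.com');
define('ENABLE_SSL', true);
define('HTTP_COOKIE_DOMAIN', 'www.yourdomain.com');
define('HTTPS_COOKIE_DOMAIN', 'www.yourdomain.com');
define('HTTP_COOKIE_PATH', '/');
define('HTTPS_COOKIE_PATH', '/');
define('DIR_WS_HTTP_CATALOG', '/');
define('DIR_WS_HTTPS_CATALOG', '/');
"""

# Constructed shared-SSL variant (placeholder hostname): HTTPS is served from the
# host's shared certificate, so the HTTPS cookie domain no longer matches.
SHARED_SSL_CONFIG = GOOD_CONFIG.replace(
    "'https://www.yourdomain.com'", "'https://secure.sharedhost.example'")


def parse_defines(php_source):
    """Return {NAME: value} from the define() lines; true/false become bool."""
    conf = {}
    for name, text_value, bool_value in DEFINE_RE.findall(php_source):
        conf[name] = (bool_value == 'true') if bool_value else text_value
    return conf


def domain_covers_host(cookie_domain, host):
    """A cookie domain is valid for its own host or any subdomain of it."""
    dom = cookie_domain.lstrip('.')
    return bool(dom) and (host == dom or host.endswith('.' + dom))


def check_session_config(php_source, force_cookie_use):
    """Return (code, message) findings; an empty list means consistent."""
    c = parse_defines(php_source)
    findings = []
    hosts = {s: (urlsplit(c.get(s + '_SERVER', '')).hostname or '')
             for s in ('HTTP', 'HTTPS')}
    for s, host in hosts.items():
        dom = c.get(s + '_COOKIE_DOMAIN', '')
        if not domain_covers_host(dom, host):
            findings.append((s + '_COOKIE_DOMAIN', f"'{dom}' does not match host "
                             f"'{host}'; the browser will not send the osCsid cookie"))
        path, catalog = c.get(s + '_COOKIE_PATH', ''), c.get(f'DIR_WS_{s}_CATALOG', '')
        if not path or not catalog.startswith(path):
            findings.append((s + '_COOKIE_PATH',
                             f"'{path}' does not cover catalog directory '{catalog}'"))
    if force_cookie_use and c.get('ENABLE_SSL') and hosts['HTTP'] != hosts['HTTPS']:
        findings.append(('SHARED_SSL', f"Force Cookie Use is on but the HTTP host "
                         f"'{hosts['HTTP']}' and HTTPS host '{hosts['HTTPS']}' differ; "
                         "the session cookie cannot follow the customer into checkout"))
    return findings
```

Call check_session_config() with the text of your own includes/configure.php and the current Force Cookie Use value; an empty list means the settings agree with each other, and each finding names the define() to correct.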

1)No shared SSL allowed.

I mean to say if "Set force cookies to true" then "shared SSL is not allowed".

 

The reason being that with shared SSL the URL for the SSL path and the non-SSL URL are treated as different sites as far as browsers are concerned. So the cookies can't be used between them.

 

Satish

Oh, I see. Thanks for clarifying.

 

Jack



Hi

I just moved my site after a few years, and I am having a problem with osCsid, but only when I am on secure pages.

I have my own SSL and I am on a VPS. I do not use force cookies.

I do not think I had this problem before. Any idea as to what might be causing this?

my
