Guest Posted July 18, 2008
Hi, I know I have read this somewhere but can't find anything about it now BUT - - What is a 'sid' and what is its importance? I am sure I read about the osCsid being removed or something, but why would you do that and is it a specialist job? Cheers in advance for any info at all on this.
BryceJr Posted July 19, 2008
I know I have read this somewhere but can't find anything about it now BUT - - What is a 'sid' and what is its importance?

Introduction
As communication between the client (browser) and server is made in a stateless mode, it is not possible to know who the client is and where they currently are on the website. The cookie protocol is an implementation used on websites that allows client tracking to occur. This allows for greater interactivity between client and server, as the server is able to tell who the client is and where they currently are on the website. Without this form of implementation, shopping online or banking online would not be possible. The cookie protocol works by allowing the website to store a file on the client's computer, which the client sends on every subsequent request made to the website. The website can store any text information required in the cookie file but must remain within a 4 kilobyte size limit. For privacy reasons, the cookie file stored by the website on the client's computer can only be read by the website that stored it. This is controlled by the URL domain of the website: www.domain-one.com can only access cookie files which www.domain-one.com stored, not the cookie files which www.domain-two.com stored. For the website to be able to track the client, a session ID is uniquely created and stored as a cookie on the client's computer. This allows the website to track the client via the uniquely created session ID and to know whether the client is in an authenticated state with the web application or not. As it is possible for the client to disable the use of cookies in their browser, a fallback mode is usually implemented in the web application to still be able to keep the session between client and server intact.

The fallback method involves appending the uniquely created session ID to all links on the website, such as: http://www.domain-one.com/index.php?sessio...52r43tWEFw34352 Depending on the web application, having the session ID in the URL can pose security and privacy related issues. If the client copies the complete URL to share with a friend, that friend will share the session due to the session ID existing in the URL. If the original client is authenticated with the web application, their friend will have access to the account information of the original client. Another example is if the client's requests go through a proxy server: the proxy server logs all requests, including the parameters of the URL, which will contain the session ID. It is possible for the proxy site administrator, or a hacker, to gain access to the logs and to hijack the client's session with the web application simply by taking the logged session ID. The Security and Privacy Proposal was made to address these issues, as they can be serious for an online shop web application where the customers' privacy is a top priority to secure. As security and privacy related issues vary from solution to solution, the realization of this proposal is made to be configurable in the following key issues:
* Force Cookie Usage
* Verifying SSL_SESSION_ID
* Search Spider Engine Session Prevention
* Session Regeneration
For settings and explanation of the following key issues --> Click Here

...and is it a specialist job?

No.
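The proxy-log risk described above, seen from the server side, as an added example that is not part of the original post and not osCommerce code: a small Python scanner over constructed access-log lines that pulls every osCsid value carried in a request URL and flags any session id that arrived from more than one client address, which is what the "copied the link to a friend" scenario looks like in a log. The log format, addresses, paths and session ids are all constructed for this example.

```python
import re
from collections import defaultdict
from urllib.parse import parse_qs, urlsplit

# Constructed Apache-style access-log lines for the example. Addresses, paths and
# session ids are made up; the third line is a second client reusing the sid from
# the second line (a shared link), the fourth is a crawler with its own sid.
SAMPLE_LOG = """\
203.0.113.10 - - [19/Jul/2008:10:01:02 +0000] "GET /index.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.10 - - [19/Jul/2008:10:01:05 +0000] "GET /product_info.php?products_id=7&osCsid=a1b2c3d4e5f6 HTTP/1.1" 200 812 "-" "Mozilla/5.0"
198.51.100.7 - - [19/Jul/2008:10:03:44 +0000] "GET /account.php?osCsid=a1b2c3d4e5f6 HTTP/1.1" 200 700 "-" "Mozilla/5.0"
192.0.2.55 - - [19/Jul/2008:10:05:00 +0000] "GET /index.php?osCsid=ffff0000aaaa HTTP/1.1" 200 512 "-" "Googlebot/2.1"
"""

# Just enough of the combined log format to pull out the client address and request target.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<target>\S+) [^"]*"')


def sids_in_log(log_text, param="osCsid"):
    """Map every session id found in a request URL to the set of client IPs that sent it."""
    seen = defaultdict(set)
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # not a request line, skip it
        query = urlsplit(m.group("target")).query
        for sid in parse_qs(query).get(param, []):
            seen[sid].add(m.group("ip"))
    return dict(seen)


def shared_sids(log_text, param="osCsid"):
    """Session ids that arrived from more than one client address: the shared-link case."""
    return {sid: sorted(ips) for sid, ips in sids_in_log(log_text, param).items() if len(ips) > 1}


if __name__ == "__main__":
    for sid, ips in shared_sids(SAMPLE_LOG).items():
        print(f"session id {sid} used from {len(ips)} addresses: {', '.join(ips)}")
```

Run against a real log the same scanner also shows how many ids a proxy or hosting provider would be holding in plain text, which is the reason the post gives for keeping the id in a cookie instead of the URL.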
Guest Posted July 19, 2008
For settings and explanation of the following key issues --> Click Here

No.

Thanks Bryce, that explains a lot. I need to do some reading etc. and get my site tied down a bit more, I think. Thanks for the advice, very much appreciated. Regards, John
Guest Posted July 19, 2008
For settings and explanation of the following key issues --> Click Here

No.

After doing the adjustments in the 'sessions' admin bit, does it matter if the osCsid=whatever is still showing in the address bar? Cheers, John
Guest Posted July 19, 2008
After doing the adjustments in the 'sessions' admin bit, does it matter if the osCsid=whatever is still showing in the address bar? Cheers, John

Just shut and re-opened my browser and now no osCsid= is showing. So I answered my own question, I suppose... LOL. Leaving this here so if anyone else has the same issue it might be of help to them. Thanks Bryce. Regards
♥Vger Posted July 19, 2008
Does it matter if the osCsid=whatever is still showing in the address bar?

In my opinion it very much matters. If you have no SSL or shared SSL then your site will show the session id. If you have full SSL then you can use "Force Cookie Use", which puts the session id into a cookie on the user's PC. As spiders don't accept cookies they don't add session ids to search result pages. Whilst the site shows the session id you are reliant upon the "Prevent Spider Sessions" setting being set to True, and having a fully up-to-date spiders.txt file (which lists all of the spiders not allowed to create session ids). If a search engine spider does not exist in that list then it can create session ids, and it will add those session ids to its results pages. So if two or more people click on that same link, with the same session id, and one of them is logged in on your site, then the others will end up in that person's My Account or Shopping Cart area. This can be disastrous for eCommerce website owners. That's why it's always best to have full SSL and to use Force Cookie Use. Vger
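Vger's description of how "Prevent Spider Sessions", spiders.txt and "Force Cookie Use" decide whether a link carries an osCsid, as an added example that is not osCommerce's code: the list is modelled here as lower-case substrings matched against the User-Agent header, which is an assumption about the mechanism made for this example, and the spiders.txt content is a constructed stand-in, not the real file. The demo() function walks four visitors through the decision; the unlisted crawler is the gap Vger describes, since it is treated like a browser and gets a session id in its links.

```python
# Constructed stand-in for osCommerce's spiders.txt: one lower-case substring per
# line. The real file is much longer; the entries, and the convention that blank
# and '#' lines are skipped, are assumptions made for this example.
SPIDERS_TXT = """\
googlebot
msnbot
slurp
# yahoo's crawler is matched by the entry above

bingbot
"""


def load_spiders(text):
    """Parse the list into lower-case substrings, skipping blanks and comments."""
    spiders = []
    for line in text.splitlines():
        line = line.strip().lower()
        if line and not line.startswith("#"):
            spiders.append(line)
    return spiders


def is_spider(user_agent, spiders):
    """True when any list entry occurs inside the lower-cased User-Agent header."""
    ua = (user_agent or "").lower()
    return any(entry in ua for entry in spiders)


def should_start_session(user_agent, spiders, prevent_spider_sessions=True):
    """The 'Prevent Spider Sessions' decision: no session for a recognised crawler."""
    return not (prevent_spider_sessions and is_spider(user_agent, spiders))


def build_link(path, sid, user_agent, spiders, force_cookie_use=False, prevent_spider_sessions=True):
    """Decide whether a link gets the fallback osCsid parameter appended.

    With Force Cookie Use the id only ever travels in the cookie, so links stay clean.
    Otherwise a link stays clean only when no session was started for this client.
    """
    if force_cookie_use:
        return path
    if not should_start_session(user_agent, spiders, prevent_spider_sessions):
        return path
    sep = "&" if "?" in path else "?"
    return f"{path}{sep}osCsid={sid}"


def demo():
    """Return the link each of four visitors would see for /index.php (constructed agents)."""
    spiders = load_spiders(SPIDERS_TXT)
    visitors = {
        "browser": "Mozilla/5.0 (Windows NT 6.0)",
        "listed crawler": "Mozilla/5.0 (compatible; Googlebot/2.1)",
        "unlisted crawler": "NewCrawler/1.0 (+http://crawler.example/)",
        "browser, force cookie use": "Mozilla/5.0 (Windows NT 6.0)",
    }
    out = {}
    for name, ua in visitors.items():
        out[name] = build_link("/index.php", "abc123", ua, spiders,
                               force_cookie_use=name.endswith("force cookie use"))
    return out


if __name__ == "__main__":
    for name, link in demo().items():
        print(f"{name:28s} -> {link}")
```

The point of the substring match is that the list only ever protects against crawlers somebody already wrote down; a new or renamed crawler falls through to the browser path until the file is updated, which is why the two settings are not equivalent.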
Guest Posted July 19, 2008
In my opinion it very much matters. If you have no SSL or shared SSL then your site will show the session id. If you have full SSL then you can use "Force Cookie Use", which puts the session id into a cookie on the user's PC. As spiders don't accept cookies they don't add session ids to search result pages. Whilst the site shows the session id you are reliant upon the "Prevent Spider Sessions" setting being set to True, and having a fully up-to-date spiders.txt file (which lists all of the spiders not allowed to create session ids). If a search engine spider does not exist in that list then it can create session ids, and it will add those session ids to its results pages. So if two or more people click on that same link, with the same session id, and one of them is logged in on your site, then the others will end up in that person's My Account or Shopping Cart area. This can be disastrous for eCommerce website owners. That's why it's always best to have full SSL and to use Force Cookie Use. Vger

I have set "Force Cookies Use" to 'True' and the osCsid has now disappeared. I have my own SSL cert that I purchased but haven't got it implemented on my site yet. I do know that my hosting company will implement it for me if I tell them what page to start it at. I don't want the full site under 'https' as this would slow it down, as I understand it. I do use PayPal as my 'Payment Method', so when it goes to them for processing, their SSL kicks in. BUT would it be a good idea to have my SSL cert implemented at the start of the payment method, i.e. on the checkout_shipping.php page with the delivery info on it? Regards, John
Jack_mcs Posted July 19, 2008
I have set "Force Cookies Use" to 'True' and the osCsid has now disappeared. I have my own SSL cert that I purchased but haven't got it implemented on my site yet. I do know that my hosting company will implement it for me if I tell them what page to start it at. I don't want the full site under 'https' as this would slow it down, as I understand it. I do use PayPal as my 'Payment Method', so when it goes to them for processing, their SSL kicks in. BUT would it be a good idea to have my SSL cert implemented at the start of the payment method, i.e. on the checkout_shipping.php page with the delivery info on it? Regards, John

For a second opinion, you should leave Force Cookies off. It will cause a loss of customers and is not needed to remove the session IDs. A shared SSL works fine with it off and the session IDs won't show except for the first click or two. Any search engines that you are worried about being listed in will follow the spider rules. Just be sure to always have the Prevent Spider Sessions setting set to True. Keep in mind that you are in business to make money. Why lose sales just because your shop isn't set up correctly? Jack
Support Links: For Hire: Contact me for anything you need help with for your shop: upgrading, hosting, repairs, code written, etc. All of My Addons: Get the latest versions of my addons. Recommended SEO Addons
♥Vger Posted July 19, 2008
you should leave Force Cookies off. It will cause a loss of customers

Jack, I know that you do a great job in keeping your Large spiders.txt contribution up to date, but how many shop owners regularly update their spiders.txt file? In my experience very few even update the old and outdated default osCommerce spiders.txt file. Using Force Cookie Use may cost a website a very small number of customers. Not using it and having an outdated spiders.txt file can lead to a nightmare situation for shop owners. I've lost count of the number of times where spiders have created session ids (Google included) and added that session id to their search engine results, leading to some customers ending up in other customers' accounts and orders ending up in the wrong account. And once those session ids exist in search engine results it takes forever for them to work their way out.

I have my own SSL cert that I purchased but haven't got it implemented on my site yet

You cannot use Force Cookie Use until it is implemented, and correctly implemented with the HTTP and HTTPS_COOKIE_DOMAIN settings matching your full SSL certificate. Vger
Guest Posted July 19, 2008
You cannot use Force Cookie Use until it is implemented, and correctly implemented with the HTTP and HTTPS_COOKIE_DOMAIN settings matching your full SSL certificate. Vger

I am totally lost now. Is there anywhere I can find out how to correctly implement my HTTP and HTTPS_COOKIE_DOMAIN settings matching my full SSL certificate? I don't understand this bit at all. I have to compliment you guys on your knowledge and willingness to share it before I do anything else. The help on these boards is tremendous, just wish I knew a bit more about it all. Regards, John
♥Vger Posted July 19, 2008
Your SSL certificate will either have been issued to www.yourdomain.com or just to yourdomain.com. When your SSL certificate has been successfully installed you need to edit the includes/configure.php file. For example (an install in the root of your web, with the SSL cert issued to www.yourdomain.com):

define('HTTP_SERVER', 'http://www.yourdomain.com');
define('HTTPS_SERVER', 'https://www.yourdomain.com');
define('ENABLE_SSL', true); // secure webserver for checkout procedure?
define('HTTP_COOKIE_DOMAIN', 'www.yourdomain.com');
define('HTTPS_COOKIE_DOMAIN', 'www.yourdomain.com');
define('HTTP_COOKIE_PATH', '/');
define('HTTPS_COOKIE_PATH', '/');
define('DIR_WS_HTTP_CATALOG', '/');
define('DIR_WS_HTTPS_CATALOG', '/');

Vger
satish Posted July 19, 2008
Steps and requirements to skip oscid:
1) No shared SSL allowed.
2) Set force cookies to true.
3) Set cookie path so cookie creation and its path are ok.
Satish
Ask/Skype for free osCommerce value addon/SEO suggestion tips for your site. Check my About Us for who I am and what my company does.
Guest Posted July 19, 2008
Steps and requirements to skip oscid: 1) No shared SSL allowed. 2) Set force cookies to true. 3) Set cookie path so cookie creation and its path are ok. Satish

3) Set cookie path so cookie creation and its path are ok.

The rest I understand, this I am unsure of. This is how I have it set up at the moment:
Session Directory: /tmp
Force Cookie Use: True
Check SSL Session ID: True
Check User Agent: True
Check IP Address: False
Prevent Spider Sessions: True
Recreate Session: True
You guys are making this one hell of an informative thread. lol Regards, John
♥FWR Media Posted July 19, 2008
This has already been answered by Jack_mcs and Vger. IMO both are correct. I personally lean towards "force cookie use" as there are no intangibles and it can also be required by some merchant tests where they require never to see a querystring session. Jack is also ofc correct and some people cannot afford the "force cookie" option. I don't agree with the "lost sales" argument though, as there are very few of the big shops (I've yet to find one) where you can buy online with cookies off.
Ultimate SEO Urls 5 PRO - Multi Language Modern, Powerful SEO Urls | KissMT Dynamic SEO Meta & Canonical Header Tags | KissER Error Handling and Debugging | KissIT Image Thumbnailer | Security Pro - Querystring protection against hackers (a KISS contribution). If you found my post useful please click the "Like This" button to the right. Please only PM me for paid work.
♥Vger Posted July 19, 2008
...and if your site has to become PCI (Payment Card Industry) compliant, the scanning companies are not happy about session ids being passed in the URL, for the reasons I've already stated. Vger
Jack_mcs Posted July 20, 2008
Steps and requirements to skip oscid: 1) No shared SSL allowed. 2) Set force cookies to true. 3) Set cookie path so cookie creation and its path are ok. Satish

Maybe I'm missing the reasoning behind this, but I have a number of sites where a shared SSL is used, force cookies is off and there aren't any SIDs, except for the first few clicks. Why do you think this won't work with shared SSLs? Jack
Jack_mcs Posted July 20, 2008
This has already been answered by Jack_mcs and Vger. IMO both are correct. I personally lean towards "force cookie use" as there are no intangibles and it can also be required by some merchant tests where they require never to see a querystring session. Jack is also ofc correct and some people cannot afford the "force cookie" option. I don't agree with the "lost sales" argument though, as there are very few of the big shops (I've yet to find one) where you can buy online with cookies off.

At one point in one of my personal shops, I had force cookies turned on. I received several messages from customers asking why I was requiring that, and saying that they would not purchase from me because of it. Since then, I have heard the same story from a number of my hosting members. Are those lost sales worth worrying about? If that was all, I would say no. But not everyone will bother contacting a site, so the actual number of losses can't be known. I just don't see the point of losing even one. Jack
Jack_mcs Posted July 20, 2008
Jack, I know that you do a great job in keeping your Large spiders.txt contribution up to date, but how many shop owners regularly update their spiders.txt file? In my experience very few even update the old and outdated default osCommerce spiders.txt file. Using Force Cookie Use may cost a website a very small number of customers. Not using it and having an outdated spiders.txt file can lead to a nightmare situation for shop owners.

Yes, I agree that many shops, if not most, don't have an updated spiders file. But I've never had the problem of a site getting its SIDs listed unless they didn't have prevent spiders turned on. Maybe I've just been lucky. If it is a problem for anyone and they don't want to set the shop up to protect against it, then, yes, they should turn on force cookies. It just seems like the wrong way to me. Jack
♥FWR Media Posted July 20, 2008
Yes, I agree that many shops, if not most, don't have an updated spiders file. But I've never had the problem of a site getting its SIDs listed unless they didn't have prevent spiders turned on. Maybe I've just been lucky. If it is a problem for anyone and they don't want to set the shop up to protect against it, then, yes, they should turn on force cookies. It just seems like the wrong way to me. Jack

Have to say I agree. I think it is ridiculous for the PCI testers to refuse sites because of an initial osCsid that is not persistent. They also didn't wear the "Recreate session" argument. Jobsworths following an overstrict, intractable policy.
Guest Posted July 20, 2008
This has been a cracking thread with lots of different views. I suppose it boils down to staying safe and keeping your customers safe. Seems to depend how much you want to compromise sales for security. Personally I want any customers to be able to take a smooth transition from looking to actually receiving their goods. If there are any hiccups on the way, I think that would lose customers. I know if a security cert came up or any sort of warning then I don't think I would purchase off that site. We all want to make as many sales as possible, but I don't want to be scammed, have my site 'hacked' or have the customer feeling less than happy about buying. That's where I think a forum like this comes into its own: the experienced helping the less knowledgeable to gain an understanding and then make an informed decision about what is right for them. I think a lot of us would end up losing a lot of money and faith in what we are doing and having no customers otherwise. I knew absolutely nothing about 'sids' at the start of this thread; now I think I have enough of an understanding to make a decision on what would be right for me. Thanks to everyone for their input and HOPEFULLY this thread will come in handy for others with the same concerns. But, please, if you have something to add, don't stop yet! lol Cheers
satish Posted July 20, 2008
Maybe I'm missing the reasoning behind this, but I have a number of sites where a shared SSL is used, force cookies is off and there aren't any SIDs, except for the first few clicks. Why do you think this won't work with shared SSLs? Jack

1) No shared SSL allowed.

I mean to say that if "Set force cookies to true" then "shared SSL is not allowed". The reason being that with shared SSL the URLs for the SSL path and the non-SSL path are treated as different sites as far as browsers are concerned, so the cookies can't be used between them. Satish
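Vger's configure.php fragment earlier in the thread and Satish's point about shared SSL come down to one consistency check, which the following added example performs. It is not osCommerce code: the define() lines are parsed with a regex written for this example, yourdomain.com is the thread's placeholder, and the shared-certificate host name is made up. The check reports when the HTTP and HTTPS hosts differ (the shared-SSL case, where the browser will not send one site's cookie to the other) and when a cookie domain does not fit the host it is meant for, which is the "cookies will not get created" outcome Satish describes.

```python
import re
from urllib.parse import urlsplit

# Constructed configure.php fragment following the define() lines shown earlier in the
# thread. yourdomain.com is a placeholder, not a real shop.
CONFIGURE_OWN_SSL = """\
define('HTTP_SERVER', 'http://www.yourdomain.com');
define('HTTPS_SERVER', 'https://www.yourdomain.com');
define('ENABLE_SSL', true);
define('HTTP_COOKIE_DOMAIN', 'www.yourdomain.com');
define('HTTPS_COOKIE_DOMAIN', 'www.yourdomain.com');
define('HTTP_COOKIE_PATH', '/');
define('HTTPS_COOKIE_PATH', '/');
"""

# Constructed shared-SSL variant: secure pages live under the hosting company's own
# certificate host (a made-up name), which the browser treats as a different site.
CONFIGURE_SHARED_SSL = """\
define('HTTP_SERVER', 'http://www.yourdomain.com');
define('HTTPS_SERVER', 'https://secure.hostingcompany.example/yourdomain');
define('ENABLE_SSL', true);
define('HTTP_COOKIE_DOMAIN', 'www.yourdomain.com');
define('HTTPS_COOKIE_DOMAIN', 'www.yourdomain.com');
define('HTTP_COOKIE_PATH', '/');
define('HTTPS_COOKIE_PATH', '/yourdomain/');
"""

# Matches define('NAME', 'value'); only quoted string values matter for this check.
DEFINE_RE = re.compile(r"define\('([A-Z_]+)',\s*'([^']*)'\);")


def parse_defines(text):
    """Return {NAME: value} for the quoted define() lines in a configure.php fragment."""
    return dict(DEFINE_RE.findall(text))


def cookie_domain_fits(cookie_domain, host):
    """A cookie domain works for a host when it equals the host or is a parent of it."""
    parent = cookie_domain.lstrip(".").lower()
    host = host.lower()
    return bool(parent) and (host == parent or host.endswith("." + parent))


def check_configure(text):
    """List the settings that would stop Force Cookie Use from working; empty means consistent."""
    cfg = parse_defines(text)
    http_host = urlsplit(cfg.get("HTTP_SERVER", "")).hostname or ""
    https_host = urlsplit(cfg.get("HTTPS_SERVER", "")).hostname or ""
    problems = []
    if http_host and https_host and http_host != https_host:
        problems.append(
            f"shared SSL: HTTP host {http_host} and HTTPS host {https_host} differ; "
            "the browser will not send one site's session cookie to the other"
        )
    for key, host in (("HTTP_COOKIE_DOMAIN", http_host), ("HTTPS_COOKIE_DOMAIN", https_host)):
        domain = cfg.get(key, "")
        if host and not cookie_domain_fits(domain, host):
            problems.append(f"{key} is {domain!r}, which does not fit host {host}")
    return problems


if __name__ == "__main__":
    for label, text in (("own SSL", CONFIGURE_OWN_SSL), ("shared SSL", CONFIGURE_SHARED_SSL)):
        print(label, "->", check_configure(text) or "consistent")
```

The cookie-domain rule used here is the browser one (a cookie set for a domain is sent to that host and its subdomains, never to an unrelated host), so the two findings for the shared-SSL fragment are the same fact seen twice: the secure pages are on another site, and no cookie domain a shop can set on its own name will reach them.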
satish Posted July 20, 2008
3) Set cookie path so cookie creation and its path are ok. The rest I understand, this I am unsure of. This is how I have it set up at the moment: Session Directory: /tmp; Force Cookie Use: True; Check SSL Session ID: True; Check User Agent: True; Check IP Address: False; Prevent Spider Sessions: True; Recreate Session: True. You guys are making this one hell of an informative thread. lol Regards, John

3) Set cookie path so cookie creation and its path are ok.

I mean to say that if the above 2 points are taken care of but the HTTP cookie values are wrong, then cookies will not get created, so we need to be sure that the values are right. Satish
Jack_mcs Posted July 20, 2008
1) No shared SSL allowed. I mean to say that if "Set force cookies to true" then "shared SSL is not allowed". The reason being that with shared SSL the URLs for the SSL path and the non-SSL path are treated as different sites as far as browsers are concerned, so the cookies can't be used between them. Satish

Oh, I see. Thanks for clarifying. Jack
tedbooks Posted June 10, 2009
Hi, I just moved my site after a few years, and I am having a problem with osCsid, but only when I am on secure pages. I have my own SSL and I am on a VPS. I do not use force cookies. I do not think I had this problem before. Any idea as to what might be causing this? my