g00dgirl Posted September 6, 2008

I have been running a very customized version of 2.2 MS1 for many years. There has been a lot of trouble with security and I had to make improvements manually. Now there is a new issue I need serious help with. I need to build all the session and cookie handling into my MS1 shops, or I need some way to stop the problem where users click on Google links that contain the session ID and can then see other users' accounts and order in other people's names. I found the contribution Spider Killer for MS1, but it relies on register_globals being on, which I have already modified on my shop to make it compatible with the server settings. What would be the best way to get this problem fixed? Google already has all the session ID links, so the most important thing is to stop the impact on my busy shops: there are several incidents per day where customers see other customers' accounts and place orders in other people's accounts.
Jack_mcs Posted September 6, 2008

This thread may help.

Jack
g00dgirl Posted September 6, 2008 (Author)

> This thread may help. Jack

I have already reviewed this thread along with all the others I could find relating to the problem. Unfortunately the suggestions all apply to 2.2 MS2, and the only fix for MS1 is not register_globals-off compatible.
shartlesville Posted September 6, 2008

> I have already reviewed this thread along with all the others I could find relating to the problem. Unfortunately the suggestions all apply to 2.2 MS2, and the only fix for MS1 is not register_globals-off compatible.

Have you tried the Session Start Mod: http://addons.oscommerce.com/info/2913? I am running MS2, so I can't tell you if it will work, but you could try. It is a pretty quick install, not too complicated. You just have to upload two new files and make 2 changes in application_top, 1 in product_info, 1 in login, 1 in product_listing, and 1 in contact_us. Plus you need an updated robots.txt file at the root. And "Force Cookie Use" should be set to false in admin.

Also, as a separate side note: if you have trouble with customers being directed to the "cookie usage" page because there is no session (SID killer?), change the part in application_top that says:

    // Shopping cart actions
    if (isset($HTTP_GET_VARS['action'])) {
    // redirect the customer to a friendly cookie-must-be-enabled page if cookies are disabled
      if ($session_started == false) {
        tep_redirect(tep_href_link(FILENAME_COOKIE_USAGE));
      }

to:

    // Shopping cart actions
    if (isset($HTTP_GET_VARS['action'])) {
    // redirect the customer to the login page if cookies are disabled
      if ($session_started == false) {
        tep_redirect(tep_href_link(FILENAME_LOGIN));
      }

It will direct the customers to login instead of telling them they don't have cookies enabled (because there is no session).

Good luck! Let us know if it works for you.

Blessings,
Krisann
shartlesville Posted September 6, 2008

Sorry, you said Spider Killer; I thought you meant Session ID Killer. You might try that one too. Again, I don't know if it will work for MS1 or not, but you can check it out. :-) The link is here: http://addons.oscommerce.com/info/952

Good luck!
K
g00dgirl Posted September 7, 2008 (Author)

shartlesville, I doubt your suggestion would work because my MS1 version does not have the whole "Session" menu in the Admin system; there is no setting to force cookie usage, I don't have any of that in the first place. This is also why the other contributions don't work for my shop. Most contributions are also just there to prevent the session IDs from being indexed by the bots, but mine are already indexed, and I need a solution mainly to remove the session IDs from the links when people come in via the search engine. I am looking for an installation guide to build all this session and cookie handling into an old MS1 osCommerce that does not yet have it, or alternatively a solution that would work for MS1 with register_globals off to remove the session ID, but only when the customer comes from a link that had one. I can't remove the session IDs completely because in my version I cannot turn them off easily, since I am missing all the cookie functionality.
shartlesville Posted September 7, 2008

> I am looking for an installation guide to build all this session and cookie handling into an old MS1 osCommerce that does not yet have it, or alternatively a solution that would work for MS1 with register_globals off to remove the session ID, but only when the customer comes from a link that had one. I can't remove the session IDs completely because in my version I cannot turn them off easily, since I am missing all the cookie functionality.

I hope someone can help, but it sure sounds to me like it might be easier and more secure to create a fresh store with an updated version and drop in your database files. :blink:

Blessings,
Krisann
g00dgirl Posted September 7, 2008 (Author)

Krisann, this shop has been modified for 5 years and has so much custom functionality that it would not be easier to create a new shop. It is not just a few contributions that could be reinstalled; it has been customized much more than that.
Jack_mcs Posted September 7, 2008

> I have already reviewed this thread along with all the others I could find relating to the problem. Unfortunately the suggestions all apply to 2.2 MS2, and the only fix for MS1 is not register_globals-off compatible.

The fix is to add code to the application_top file. That file exists in your version too, so there's no reason why the fix wouldn't work. But understand that nothing you do will remove the links from Google. All you can do is issue a 301 for those links, which is what the code does, and wait for Google to remove them. But if someone uses one of the links to get to your site, the code will remove the session ID, so that is not a problem. You should also set the Recreate Session option, if it is available in your version. And, finally, Google also has an option on its site where you can request links to be removed.

Jack
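Added example for this thread (not code from the thread, from any contribution, or from osCommerce itself) of the two-part approach Jack describes: strip a session ID that arrives in the URL and answer with a 301, and regenerate the session ID when a customer logs in, which is what the MS2 "Recreate Session" option does. It assumes the default osCommerce session parameter name osCsid, the HTTP_SERVER constant from includes/configure.php as the shop's base URL, and PHP's session_regenerate_id() being available; it reads $_GET and $_SERVER rather than register_globals variables. The point that matters for the account-sharing problem is the first function: a session ID that a visitor brings in from a search engine link must never be resumed, only discarded.

```php
<?php
// Added example, not osCommerce or contribution code.
// Part 1 goes at the very top of catalog/includes/application_top.php,
// BEFORE the shop starts its session. Part 2 goes in login.php right
// after the customer's password has been verified.

/**
 * Return $uri with the session parameter removed from its query string.
 * Pure function: takes "path?query", returns the same without osCsid.
 */
function strip_oscsid($uri, $param = 'osCsid') {
    $parts = explode('?', $uri, 2);
    if (count($parts) < 2) {
        return $uri;                              // no query string at all
    }
    $keep = array();
    foreach (explode('&', $parts[1]) as $pair) {
        if ($pair === '') {
            continue;
        }
        $kv = explode('=', $pair, 2);
        if (rawurldecode($kv[0]) === $param) {
            continue;                             // drop the leaked session ID
        }
        $keep[] = $pair;
    }
    return $parts[0] . (count($keep) ? '?' . implode('&', $keep) : '');
}

/**
 * Part 1: if the request carries osCsid in the URL, do not start or resume
 * that session. Redirect (301) to the same URL without it; the clean
 * request then gets a brand-new session from the shop's normal session
 * start, so a visitor arriving via Google can never land in someone
 * else's account. Googlebot treats the 301 as a moved URL, which is
 * what eventually gets the indexed osCsid links dropped.
 *
 * Assumption: HTTP_SERVER (e.g. 'http://www.example.com') is defined in
 * includes/configure.php, as in a stock osCommerce install.
 */
function redirect_if_sid_in_url() {
    if (!isset($_GET['osCsid'])) {
        return false;                             // nothing to do
    }
    $base  = defined('HTTP_SERVER') ? HTTP_SERVER : '';
    $clean = $base . strip_oscsid($_SERVER['REQUEST_URI']);
    header('HTTP/1.1 301 Moved Permanently');
    header('Location: ' . $clean);
    exit;
}

/**
 * Part 2: after a successful login, swap the session ID for a fresh one.
 * Any ID an attacker (or a search engine) saw before authentication is
 * then useless, which is the protection "Recreate Session" gives in MS2.
 * Call this only once the password check has passed, while the session
 * is active. session_regenerate_id() exists in PHP 4.3.2 and later.
 */
function recreate_session_after_login() {
    if (session_id() === '') {
        return false;                             // no active session
    }
    $old = session_id();
    session_regenerate_id();
    return session_id() !== $old;                 // true when the ID changed
}

// Part 1 is invoked unconditionally on every request, before session start.
redirect_if_sid_in_url();
```

In the application_top flow the call to redirect_if_sid_in_url() must come before tep_session_start(), otherwise PHP will already have adopted the leaked ID from the URL and the redirect arrives too late. On an MS1 shop that only carries the session ID in the URL (no cookies), the redirected, clean request simply starts a new session and embeds the new ID in its links, so nothing is lost for the legitimate shopper.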
g00dgirl Posted September 7, 2008 (Author)

> The fix is to add code to the application_top file. That file exists in your version too, so there's no reason why the fix wouldn't work. But understand that nothing you do will remove the links from Google. All you can do is issue a 301 for those links, which is what the code does, and wait for Google to remove them. But if someone uses one of the links to get to your site, the code will remove the session ID, so that is not a problem. You should also set the Recreate Session option, if it is available in your version. And, finally, Google also has an option on its site where you can request links to be removed. Jack

I am already using mod_rewrite to stop the search engines from visiting any links again that contain the osCsid. Which part of the code added to the application_top file would remove the osCsid and then still allow a new one to be created for the user's session? I don't have Recreate Session, and I also don't have $spider_flag.
Jack_mcs Posted September 8, 2008

> I am already using mod_rewrite to stop the search engines from visiting any links again that contain the osCsid. Which part of the code added to the application_top file would remove the osCsid and then still allow a new one to be created for the user's session? I don't have Recreate Session, and I also don't have $spider_flag.

The code is in that thread. You just have to copy it.

Jack
g00dgirl Posted September 8, 2008 (Author)

> The code is in that thread. You just have to copy it. Jack

I can't use most of it. I looked at the code: most of it is doing the 302 stuff that I already do with mod_rewrite, and the rest relies on variables I don't have. I can't find the part that would remove just the osCsid and then re-create a new session; I couldn't get it to work so far.
Jack_mcs Posted September 9, 2008

I don't have an MS1 shop any longer, so I can't compare the code, but the spiders code from MS2 can be copied and used in an MS1 shop. There used to be either a contribution or a bug report that explained how to do that. I don't have a link to either, though, if they still exist.

Jack
This topic is now archived and is closed to further replies.