osCid

[rothjoseph]

I have looked around for a little bit and I have been unable to locate a contribution that completely removes the osCid from the URL. I do not want anyone to possibly be able to make a link to my store that would have that in the URL.

 

Is there a quick way to make it store the osCid inside of a cookie and never allow it in the URL. I tried to set the setting inside of the admin pane to force cookies, but it always would redirect me to the page where it says my browser doesn't support cookies even though I know that my browser has cookies turned on.

 

I have added two different tweaks to the normal registration system. The first is that I added in a username field. This way you can choose your username and log in with that instead of the email address. The second is that you can log in from any page. I have two inputs in the header and a button that sends the form data to the login page. This gets interpreted by the login system just like you filled out the form on the login page so I don't think that it should play a major difference to my setup.

 

I also installed a contribution that allows you to stay logged in between sessions if you check a box. I think that it was called autologin or something similar to that. I have made so many different changes to my site that I don't know exactly which contributions I have installed.

 

I'm not looking to install seo urls if that is what people are going to recommend. I tried to install ultimate seo urls and ran into a few different problems. I have made so many changes that it didn't completely work and I realize that I don't care if my url doesn't have the title. If you look at youtube it simply includes the movies id in the url and they seem to be working quite well.

 

My goal is to remove the osCid so that I don't run into any problems of people posting links to my site with that included.

 

Thanks for all your help

[lindsayanng]

I have been forcing cookies on my site (i HAVE to because of apassword protect addon i did)

 

You should check mysite and see if you get the force cookies on my site. I have checked my site on both a STOCK IE install without changing securities from an out of box cpu, and two firefox computers

 

my site

 

if that still gives you the cookie error, you should double and triple check your browser.

 

p.s. you should keep a notebook beside your computer and write down ALL the contributions (not just the name but the contribution number) in there and list the files that it changes or ads so you know incase you need to uninstall.

[rothjoseph]

Hmm...

 

I was able to successfully create an account on your site without any problems.

 

So it isn't my browser.

 

I probably should have kept track of all the contributions, but it is too late now. I also did so many changes myself and added different pages that it would be really hard to keep track. I have about 30 different backups at various stages that I labeled with the date. I basically made a backup before each contribution that I installed.

[rothjoseph]

It might help if you try to login to my store and see what happens.

 

It is still a work in progress so it may look pretty strange, but it might give you a better idea of what is happening.

 

It is located at www.gangsterjoe.com

[lindsayanng]

well.. START NOW!! always have a little journal or book with all your notes in it.. ask around, i'm sure LOTS of people do that.

 

You might want to download all of the instructions for the contributions you can remember you installed that you are no longer using and work backwards with them. its tedious, but thats what you really SHOULD do.

[rothjoseph]

I did create a folder on my computer that has every single contribution that I downloaded. I didn't end up using all of them so I will have to sift through them to see which ones I didn't implement. But I have a way of tracking down the ones that I did install.

[rothjoseph]

One contribution that I did install that might have an effect on the SID's is SID KILLER 2.0

 

It makes it so that it only creates a SID if you login or place something inside of a cart.

[rothjoseph]

Well, I have to be going pretty soon so I will not be able to reply immediately.

 

What I want to know is... If force session cookies is working correctly, does that do what I want it to do? In other words, if I can figure out what I changed around that might have messed with some of those settings, will it no longer display the osCid inside the URL?

[lindsayanng]

yes. It does not EVER use an oscid at all. it just uses the cookie in the browser. Click through my site.. let me what it does.. You can even leave the store site and go to the profile site that is .html pages and the cart contents will still be in there.. with oscid, you can loose cart contents if you go to pages that do not have the tep_h ref links, ect.

[rothjoseph]

Well I made some changes to my sessions.php file to try to force cookies manually. I succeeded in making it so that you can no longer view any page on my site. The php error log tells me that I can't redeclare session_name() on line 240 of sessions.php.

[lindsayanng]

put it back to the way it was and show my your cookie paths.. i will compare them to mine

[rothjoseph]

Hmm, I just looked at the copy of sessions.php that I have and compared it with the original included in the standard osc install. It is completely different. In fact my sessions.php says copyright 2003 at the top and the generic install says 2008. I tried replacing my sessions.php with the standard and I don't notice any adverse effects, but it still won't let me log in.

[rothjoseph]

From configure.php

define('HTTP_SERVER', 'http://www.gangsterjoe.com');

define('HTTPS_SERVER', 'https://www.gangsterjoe.com');

define('ENABLE_SSL', false);

define('HTTP_COOKIE_DOMAIN', 'localhost');

define('HTTPS_COOKIE_DOMAIN', 'localhost');

define('HTTP_COOKIE_PATH', '/');

define('HTTPS_COOKIE_PATH', '/');

 

What is weird is that I can successfully store cookies for the username and password so that you can log in between sessions, but for some reason I can't store the cookie for the osCid.

[lindsayanng]

does it do this in the admin side?? just curious..

 

You need to change this:

define('HTTP_COOKIE_DOMAIN', 'localhost');
define('HTTPS_COOKIE_DOMAIN', 'localhost');

 

to this:

define('HTTP_COOKIE_DOMAIN', 'yourdomainname.com');
define('HTTPS_COOKIE_DOMAIN', 'yourdomainname.com');

[rothjoseph]

No, it doesn't do this on the admin side. And I looked at the cookies on my computer and I have one called osCAdminID.

 

I looked at my last backup and it had the normal sessions.php file. I have no clue where I pulled the one from that I thought was on my server. Maybe I pulled the sessions.php file from a different site that I have. It might have been the zencart sessions.php file.

 

I tried changing my configure file to say http://www.gangsterjoe.com for the cookie domain and it didn't change anything.

[lindsayanng]

NO.. i said make the cookie domain just gansterjoe.com nothing else.. no http

 

do exactly what i posted, just put JUST your domain in there.

[rothjoseph]

Hmm...

 

That didn't work either.

 

I'm grateful for all of your help. Even though it might not look like we have accomplished anything right now. We are definitely moving in the right direction.

[rothjoseph]

I located the two spots where it can send you to that page. One is right near the top of the login.php file and the other is in application_top.php. I simply commented out the lines so you can't be sent to that page. Unfortunately it will now let me login, but the instant that I log in, it logs me out because it was unable to store the session information.

 

This is actually a positive step because now I know that the variable $session_started is set to false.

[lindsayanng]

you can not comment out the lines that call for the cookie because your website NEEDS that cookie when you force them. We need to figure out why it is not reading the cookie..

 

So you do NOT have an SSL certificate, you set the above configure.php file to what i told you it was (NOT the admin/configure right??)

[rothjoseph]

I DO have an SSL certificate, but I am currently not using it. I will worry about getting that working correctly after I get this issue with the osCid fixed. I haven't implemented the payment system yet either, but those are next on my list of things to do.

 

I did set it in the normal configure.php file. I checked inside the admin/includes/configure to see if it even had a spot for cookies, and it did not. I am confused at how the admin pane can store sessions to my computer and the normal spot can't.

[rothjoseph]

Here is some information from phpinfo() that might be useful

 

session

Session Support enabled

Registered save handlers files user mm sqlite

Registered serializer handlers php php_binary wddx

 

Directive Local Value Master Value

session.auto_start Off Off

session.bug_compat_42 On On

session.bug_compat_warn Off On

session.cache_expire 180 180

session.cache_limiter nocache nocache

session.cookie_domain no value no value

session.cookie_httponly Off Off

session.cookie_lifetime 0 0

session.cookie_path /admin/ /

session.cookie_secure Off Off

session.entropy_file no value no value

session.entropy_length 0 0

session.gc_divisor 100 100

session.gc_maxlifetime 1440 1440

session.gc_probability 1 1

session.hash_bits_per_character 4 4

session.hash_function 0 0

session.name osCAdminID PHPSESSID

session.referer_check no value no value

session.save_handler user files

session.save_path /tmp no value

session.serialize_handler php php

session.use_cookies On On

session.use_only_cookies Off Off

session.use_trans_sid 0 0

[rothjoseph]

Good news.

 

I deleted the part of tep_setcookie() in general.php that appends the session domain with the cookie. This made it so that it could actually store the cookie named cookie_test onto my computer. Now I need to figure out how to get the osCid cookie to be stored on my computer.

[rothjoseph]

Ok, more positive news.

 

If I select the remember me feature it will keep me logged in because it knows how to properly store that session variable. I changed around the login so that no matter what it stores your username and a hashed password in cookies on your computer. This keeps you logged in. I changed it so that the cookies will expire after a day. So you will have to log in again every day if you don't select remember me.

 

This worked perfectly until I tried to add something to my cart. Then I realized that each time I reload a page it is reloging me in and creating a session id in the background that I can't see. In other words it didn't keep the item in the cart because it now thinks of me under a different session_id.

 

I have two choices from here. I can figure out how to make it so that instead of storing stuff in the database under a sessionId it stores it under a username. I want to require people to log in anyways before they make a purchase. The problem with this is that it does not allow for a guest shopping cart because they will need a username to keep items in their cart.

 

My other choice is to do more research for where it actually stores the cookie for the session_id and figure out why it can store the cookie test and not the actual id. This is more desirable because it would let guest keep a shopping cart and would be more natural in regards to the standard osc install.

[lindsayanng]

you should uninstall that contribution. I might guess that that is the cause of ALL of your issues.

[rothjoseph]

Pwnage.

 

I found the last place that was using the cookie_domain and removed that. Apparently it is some issue with what I have in configure.php. Apparently I don't know what I should set the cookie_domain to. It all works perfectly now that I removed all references to cookie_domain. It is still able to store cookies on my browser, so I think I'm fine.