SometimesConfused Posted May 21, 2009

I'm panicking here... One of my clients has an osCommerce shopping cart with some modifications (the most recent being the Header Tags SEO and Ultimate SEO URLs).

Customer "A" placed an order yesterday. Today, another customer placed an order under Customer A's account. The "Customer" and "Shipping" addresses are the same as Customer A's, but the "Bill to" details are those of Customer B. The credit card information was also different from Customer A's. Customer B does not have an account. My client spoke with Customer A and he said he did not place the order.

I looked at the Who's Online feature and see that it appears as if Customer A is still online, but when I looked up the IP, it seems to be GoogleBot.

More details:

* The two customers are in different states and don't know each other, so it's not like one forgot to log out and the other used his computer.
* The credit card numbers are different, so I don't think it's someone trying to use Customer A's credit card.
* Who's Online shows several instances of GoogleBot's IP address. Most are logged in as Guest, but one is logged in as if it's Customer A.
* There is a note in the second order (of the Customer A and B merge) that doesn't seem to be from a spambot or anything (it's relevant to the order).

So, I don't know if it has something to do with the session ID (I just found a contribution to remove that for search engines, but haven't installed it yet), if it's some funky merging of accounts, if they both tried to create accounts at the exact same time (I know, I'm reaching), if someone hacked into the database, or if it's a glitch with GoogleBot just happening to be logged into Customer A's account somehow.

Please help! I'm freaking out!!!
spooks Posted May 21, 2009

You must ensure you don't lose the osCsid: http://www.oscommerce.com/forums/index.php?sho...c=330479&hl

Sam

Remember, what you think I meant may not be what I thought I meant when I said it.
Contributions: Auto Backup your Database, Easy way; Multi Images with Fancy Pop-ups, Easy way; Products in columns with multi buy etc. etc.; Disable any Category or Product, Easy way; Secure & Improve your account pages et al.
SometimesConfused Posted May 21, 2009

(Quoting spooks: "You must ensure you don't lose the osCsid ...")

First of all, thank you so much for your quick response! So, if I install the SID killer contribution, should that solve the problem? Will that work with the Ultimate SEO URLs contribution?
FWR Media Posted May 21, 2009

(Quoting SometimesConfused: "So, if I install the SID killer contribution, should that solve the problem? Will that work with the Ultimate SEO URLs contribution?")

SID killer is a total no-no .. do not install it.

The usual cause of this is that your sessions are persisting due to incorrect settings. You can tell because the way osCommerce should work is that on the first visit to the site you should see an osCsid (hovering over links etc.); if you click again and hover over the links the sid should be gone .. if not, your settings are wrong.

Are you willing to put up or PM your website address?

Ensure you have set Prevent Spider Sessions to true in admin -> Sessions and that spiders.txt is up to date. Ensure that Recreate Session is set to true in admin .. it is standard practice these days to recreate the session id whenever a user changes state (e.g. logs in).

If worst comes to worst and you have a "proper" SSL certificate where the certificate address matches your site .. e.g. cert issued to www.mysite.com .. site accessed via www.mysite.com .. then you can force cookie use as a last resort, which ensures safety (albeit at a small cost).

Ultimate SEO Urls 5 PRO - Multi Language Modern, Powerful SEO Urls
KissMT Dynamic SEO Meta & Canonical Header Tags
KissER Error Handling and Debugging
KissIT Image Thumbnailer
Security Pro - Querystring protection against hackers (a KISS contribution)
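To make the "Recreate Session" advice concrete, here is an added example that is not osCommerce code and not from this thread: a small in-memory session store stands in for PHP's session handling, and the scenario function replays the situation discussed above (a session id visible in URLs before login is copied by a crawler or another visitor, then the customer logs in). The store class, its method names and the customer id 1001 are illustrative assumptions.

```python
"""Model of 'Recreate Session' (regenerate the id when a user logs in).

Added example, not osCommerce code. With regeneration on, a session id that
leaked before login (copied from a URL by a crawler or another visitor) no
longer resolves to the logged-in customer's session; with it off, whoever
holds the old id inherits the customer's logged-in state.
"""
import secrets


class SessionStore:
    def __init__(self, recreate_on_login=True):
        self.recreate_on_login = recreate_on_login
        self._sessions = {}  # sid -> session data (assumed layout)

    def start(self):
        """First request of a visitor: issue a fresh anonymous session."""
        sid = secrets.token_hex(16)
        self._sessions[sid] = {"customer_id": None, "cart": []}
        return sid

    def lookup(self, sid):
        """Resolve an id presented by a client; None if it is unknown."""
        return self._sessions.get(sid)

    def login(self, sid, customer_id):
        """Bind the session to a customer; returns the id the client must use."""
        data = self._sessions[sid]
        data["customer_id"] = customer_id
        if not self.recreate_on_login:
            return sid                      # old id keeps working (weak)
        new_sid = secrets.token_hex(16)     # fresh id, old one destroyed
        self._sessions[new_sid] = data
        del self._sessions[sid]
        return new_sid


def fixation_outcome(recreate_on_login):
    """Replay: crawler copies the pre-login sid, customer logs in with it.

    Returns the customer_id the stale (copied) sid still resolves to,
    or None if the copied id no longer maps to any session.
    """
    store = SessionStore(recreate_on_login)
    sid = store.start()               # visitor's first request; sid in URLs
    leaked_sid = sid                  # URL with this sid gets copied elsewhere
    store.lookup(sid)["cart"].append("product 42")
    customer_sid = store.login(sid, customer_id=1001)  # assumed customer id
    assert store.lookup(customer_sid)["customer_id"] == 1001  # customer is fine
    stale = store.lookup(leaked_sid)
    return None if stale is None else stale["customer_id"]


if __name__ == "__main__":
    print("recreate on :", fixation_outcome(True))    # None
    print("recreate off:", fixation_outcome(False))   # 1001
```

PHP's built-in for the regeneration step is session_regenerate_id(true), which issues a new id and discards the old session data. Forcing cookie use (the last resort named above) removes the id from URLs altogether, so there is nothing for a crawler or a copied link to carry in the first place.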
SometimesConfused Posted May 21, 2009

(Quoting FWR Media: "SID killer is a total no-no .. do not install it. ... Ensure you have set Prevent Spider Sessions to true ... Ensure that Recreate Session is set to true ...")

Thank you! So, if I prevent spider sessions, will that prevent them from spidering the site or just prevent them from actually having session IDs? You know, I don't actually see the session IDs added onto the URLs, but we have the categories hidden and mostly use the search box and some other links to static pages. I'll PM you the site in a sec!
SometimesConfused Posted May 21, 2009

(Quoting spooks: "You must ensure you don't lose the osCsid ...")

Sorry Sam, I wasn't sure if you'd check back on this topic, so that's why I sent you a PM. Thanks again! Here's what you said, for other people's reference: "No, in fact if you simply enable Prevent Spider Sessions in admin that will do the same job. You must go over all your links & check they are correctly done."
FWR Media Posted May 21, 2009

Re: your PM

* Session Directory (ignore, should be MySQL)
* Force Cookie Use: false
* Check SSL Session ID: false
* Check User Agent: false
* Check IP Address: false
* Prevent Spider Sessions: true (plus update spiders.txt)
* Recreate Session: true

As much as you need to do this, it is not your main problem .. the standard osCommerce links are showing the sid but ALL of the "clever" images are NOT, therefore a customer cannot maintain a session. Sessions in osCommerce are dictated by the use of the function tep_href_link(), which has to be used religiously for all links.

It is a common issue where "web designers" who have no knowledge outside of basic HTML and Flash consistently break sites through lack of knowledge (not that I know who did yours).
SometimesConfused Posted May 21, 2009

(Quoting FWR Media: "... the standard osCommerce links are showing the sid but ALL of the "clever" images are NOT, therefore a customer cannot maintain a session. Sessions in osCommerce are dictated by the use of the function tep_href_link() ...")

Thanks, I'm the "web designer", but I don't have a lot of PHP skills (obviously). :( The links in there weren't to actual products, just static pages. Does that matter for the sessions? We'll be adding the categories back in, which should generate the ID.
spooks Posted May 21, 2009

If you read through the thread I detailed you will see each & every link must keep the session, regardless of purpose, otherwise you get your issue. The thread details all the conditions that can create problems.

Sam
SometimesConfused Posted May 22, 2009

(Quoting spooks: "... each & every link must keep the session, regardless of purpose ...")

Thank you again, Sam! I've changed all the links I found to the PHP-coded versions instead!
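A way to check that "each & every link" still carries the session, as an added example that is not part of the thread and not osCommerce code: the script parses a page's HTML and reports every same-host link whose query string lacks osCsid. The sample page, the host www.example-store.test and the session value abc123 are constructed for the example. Run it against a page fetched on a first visit (before any cookie exists), which is when osCommerce appends the id to links built with tep_href_link(); a hand-written HTML link shows up as an offender because following it starts a new session and drops the basket.

```python
"""Audit a page for internal links that drop the osCsid.

Added example, not osCommerce code. The HTML below is constructed to mimic a
store page seen on a cookieless first visit: links built with tep_href_link()
carry osCsid, hand-written HTML links do not.
"""
from html.parser import HTMLParser
from urllib.parse import parse_qs, urljoin, urlparse

SESSION_PARAM = "osCsid"                         # osCommerce's session parameter
SITE_URL = "http://www.example-store.test/index.php"   # assumed page address

SAMPLE_PAGE = """
<html><body>
<a href="http://www.example-store.test/product_info.php?products_id=42&amp;osCsid=abc123">Widget</a>
<a href="/shopping_cart.php?osCsid=abc123">Cart</a>
<a href="/shipping.php">Shipping info</a>
<a href="http://www.example-store.test/conditions.php">Terms</a>
<a href="catalog.pdf" target="_blank">Catalogue (PDF)</a>
<a href="http://www.othersite.test/">Partner</a>
<a href="mailto:sales@example-store.test">Email</a>
<a href="#top">Top</a>
</body></html>
"""


class LinkCollector(HTMLParser):
    """Collect the href of every <a> tag (entities are unescaped for us)."""

    def __init__(self):
        super().__init__()
        self.hrefs = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "a":
            for name, value in attrs:
                if name.lower() == "href" and value:
                    self.hrefs.append(value)


def find_session_dropping_links(page_html, page_url, session_param=SESSION_PARAM):
    """Return same-host links whose query string lacks the session parameter.

    Off-site links, mailto:/javascript: targets and pure fragments are skipped
    because they never needed the id. Static files such as PDFs are reported
    like any other internal target; the caller decides whether they matter.
    """
    collector = LinkCollector()
    collector.feed(page_html)
    site_host = urlparse(page_url).netloc.lower()
    offenders = []
    for href in collector.hrefs:
        if href.startswith("#"):
            continue                                  # same-page anchor
        parts = urlparse(urljoin(page_url, href))     # resolve relative links
        if parts.scheme not in ("http", "https"):
            continue                                  # mailto:, javascript:, ...
        if parts.netloc.lower() != site_host:
            continue                                  # off-site, no session expected
        if session_param not in parse_qs(parts.query):
            offenders.append(href)                    # report as written in the page
    return offenders


if __name__ == "__main__":
    for link in find_session_dropping_links(SAMPLE_PAGE, SITE_URL):
        print("drops session:", link)
```

Running it on the sample reports /shipping.php, the absolute conditions.php link and catalog.pdf; the two tep_href_link-style links, the partner site, the mailto and the anchor are not reported. The same function applied to a page fetched after the cookie has been set will report everything, which is expected: at that point osCommerce stops putting the id in URLs.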
trier Posted May 22, 2009

Hi,

The possibility of customers picking up the details/shopping cart information of another customer is quite frightening. Is there any way to prove/test the integrity of the osCsid (probably on a test site)? I'd also really appreciate any comments as to whether or not the situations described below are as expected.

The following appears to be the situation on my live and test sites (all have Recreate Session = true):

Live Site: ENABLE_SSL = false (config.php), FORCE COOKIE USE = true (in admin)
The osCsid is occasionally shown in the URL, normally on the 2nd click, and disappears on subsequent clicks.

Test Site: ENABLE_SSL = false, FORCE COOKIE USE = false
I've never noticed the osCsid in the URL.

Test Site: ENABLE_SSL = true (shared SSL), FORCE COOKIE USE = false
The osCsid is shown in the URL on SSL pages and the first non-SSL page afterwards, but not at any other time. Logging on, logging off, then logging on again with a different email address, the osCsid is the same each time.

Thank you for any help that may be forthcoming.
SometimesConfused Posted May 22, 2009

(Quoting trier: "Is there any way to prove/test the integrity of the osCsid (probably on a test site)? ...")

Hi,

One of the guys said that the osCsid will show up on the first link (after you get to the site), but disappear for subsequent links. I went through and changed all links that I'd added in the site from the typical HTML link to use the PHP version (the tep_href_link function). Maybe they'll have suggestions on how to test for it - that was a terrifying situation, but we found out that both customers were legit. I would suggest you get a site certificate and use SSL for your live site, though! :)

On the plus side, I've worked on several osCommerce sites and have never seen this issue before (over the past 4 or 5 years).
SometimesConfused Posted May 22, 2009

Hi,

New thought... What about adding links into the product description fields? (Sam, I've been searching through your thread, but haven't seen reference to this.)

In the product description fields, if you add a link (to another page on the site, for example) with HTML, it works, BUT I've noticed that if you add the tep_href_link function in there (with the PHP tags), it doesn't work. I've got one shop using the HTML WYSIWYG editor and it didn't work that way either (either way, I edit the source code). Won't this break the SID?
FWR Media Posted May 22, 2009

(Quoting SometimesConfused: "What about adding links into the product description fields? ... Won't this break the SID?")

For a "separate" PHP file to maintain the session it has to call includes/application_top.php at the top and includes/application_bottom.php at the bottom.
kbking Posted May 22, 2009

(Quoting SometimesConfused: "What about adding links into the product description fields? ... Won't this break the SID?")

If I understand your question, there's actually a contribution made by Steve Lionel called Embed Link with SID in Description, which I think would do the trick just fine; you'll find it here.
SometimesConfused Posted May 23, 2009

(Quoting kbking: "... a contribution made by Steve Lionel called Embed Link with SID in Description ...")

That's exactly what I meant - thank you!
SometimesConfused Posted May 23, 2009

Thank you Robert!

I know this is a stupid question, but I've been awake for a very long time... What about links to PDF files that open in new windows? Is that an issue, too?

Chris - I installed Steve Lionel's contribution (very cool, extremely easy to install). One of the sites I'm working on is osCMAX, so it has a lot of extra stuff in there. I installed his contribution for adding links in product descriptions and altered it a little to work in articles, too. The only thing I didn't see was a way to make it work for the Define Mainpage contribution. That one lets you edit the Home page, Conditions, Shipping, and Privacy pages in the backend, but as it turns out, the content is written to certain files rather than added as database entries. I searched through the topic and it sounded like they kind of mentioned similar situations, but it seems that my client won't be able to edit these pages through the backend if she wants links in them. Anyone come across that one?

Jeez, I should change my username to OftenConfused.
satish Posted May 23, 2009

Two customers ordering from the same account happens if by chance they got hold of the same osCsid. Generally, if spider session kill is not set to true, then the spider caches the URL with the osCsid. Now if a customer comes through a search engine they get this osCsid in the URL.

Suggestion:
1) Kill spider session ID (through admin).
2) Recreate session as true.

Satish

Ask/Skype for free osCommerce value addon/SEO suggestion tips for your site. Check my About Us for who I am and what my company does.
SometimesConfused Posted May 23, 2009

(Quoting satish: "... if spider session kill is not set to true, then the spider caches the URL with the osCsid. Now if a customer comes through a search engine they get this osCsid in the URL.")

Thanks Satish! That totally explains how it was possible for that to happen! :)
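The mechanism Satish describes leaves a recognisable trace in the web server's access log, so here is an added example (not from the thread and not osCommerce code) of the detection logic a practitioner would run after an incident like the one in the opening post: it parses Apache combined-format lines, groups requests by the osCsid query parameter, and reports any id used from more than one client address, noting whether a crawler user agent was among the users and whether someone arrived from an external referrer with the id already in the URL. The log lines, IP addresses, the user-agent marker list and the host name www.example-store.test are all constructed for the example.

```python
"""Detect an osCsid shared between a search-engine crawler and a shopper.

Added example, not part of the forum thread and not osCommerce code. The
constructed log reproduces the scenario above: a crawler fetches a URL that
still carries a customer's osCsid, and a later visitor coming from the search
result reuses that session and proceeds to checkout with it.
"""
import re
from collections import defaultdict
from urllib.parse import parse_qs, urlparse

SESSION_PARAM = "osCsid"
# Substrings that identify crawler user agents (assumed, extend as needed).
BOT_UA_MARKERS = ("googlebot", "bingbot", "slurp")

# Apache "combined" log format: ip ident user [time] "req" status bytes "ref" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

SAMPLE_LOG = """\
203.0.113.10 - - [20/May/2009:14:02:11 +0000] "GET /product_info.php?products_id=42&osCsid=abc123 HTTP/1.1" 200 5123 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1)"
66.249.65.1 - - [20/May/2009:16:40:03 +0000] "GET /product_info.php?products_id=42&osCsid=abc123 HTTP/1.1" 200 5123 "-" "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"
198.51.100.7 - - [21/May/2009:09:15:44 +0000] "GET /product_info.php?products_id=42&osCsid=abc123 HTTP/1.1" 200 5123 "http://www.google.com/search?q=widget" "Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10_5_7)"
198.51.100.7 - - [21/May/2009:09:16:02 +0000] "GET /checkout_shipping.php?osCsid=abc123 HTTP/1.1" 200 4001 "-" "Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10_5_7)"
192.0.2.55 - - [21/May/2009:10:00:00 +0000] "GET /index.php?osCsid=ffee99 HTTP/1.1" 200 3000 "-" "Mozilla/5.0 (Windows; U; Windows NT 6.0)"
"""


def parse_log(text):
    """Yield one dict per well-formed combined-format line; skip the rest."""
    for line in text.splitlines():
        match = LOG_RE.match(line)
        if match:
            yield match.groupdict()


def session_id_of(path):
    """Extract the session id from a request path, or None if absent."""
    return parse_qs(urlparse(path).query).get(SESSION_PARAM, [None])[0]


def find_shared_sessions(log_text, site_host, bot_markers=BOT_UA_MARKERS):
    """Return {osCsid: report} for ids presented from more than one client IP.

    report keys: ips (in order of first appearance), bot_seen (a crawler UA
    used the id), external_arrival (a request carrying the id came from a
    referrer on another host, e.g. a search result page).
    """
    by_sid = defaultdict(
        lambda: {"ips": [], "bot_seen": False, "external_arrival": False}
    )
    for entry in parse_log(log_text):
        sid = session_id_of(entry["path"])
        if not sid:
            continue                                   # cookie-only request
        rec = by_sid[sid]
        if entry["ip"] not in rec["ips"]:
            rec["ips"].append(entry["ip"])
        if any(marker in entry["ua"].lower() for marker in bot_markers):
            rec["bot_seen"] = True
        ref_host = urlparse(entry["referer"]).netloc.lower()
        if ref_host and ref_host != site_host.lower():
            rec["external_arrival"] = True
    return {sid: rec for sid, rec in by_sid.items() if len(rec["ips"]) > 1}


if __name__ == "__main__":
    for sid, rec in find_shared_sessions(SAMPLE_LOG, "www.example-store.test").items():
        print(sid, rec)
```

On the sample, abc123 is reported with three client addresses, a crawler among them and an arrival from google.com; ffee99 is not, since only one client ever used it. Prevent Spider Sessions removes the first stage (the crawler is never issued an id to index) and Recreate Session ensures the id a customer used before logging in is not the one that protects the logged-in session; this check is how you would confirm whether either stage actually happened and which customers were involved.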
SuperAl1 Posted October 4, 2012

(Quoting SometimesConfused's opening post: "Customer "A" placed an order yesterday. Today, another customer placed an order under Customer A's account. ... when I looked up the IP, it seems to be GoogleBot.")

I know that this thread is old, but I have the same problem as SometimesConfused in my osCommerce. I made all the changes you suggested. Yesterday I set "Force Cookie Use" to True, but my client has another error. He received 2 money deposits from clients but the orders aren't saved in the database. I think it was caused by the "Force Cookie Use", so I have now set the variables like you said:

* Session Directory (ignore, should be MySQL)
* Force Cookie Use: false
* Check SSL Session ID: false
* Check User Agent: false
* Check IP Address: false
* Prevent Spider Sessions: true
* Recreate Session: true

These errors have occurred since malware infected my hosting (via .htaccess), but I cleaned it and restored a complete backup copy of the osCommerce, and the errors come back again. I don't know if SometimesConfused fixed the error, but I need to solve this problem :unsure: . I have been working with osCommerce for a long time but never had an error like this. If those changes don't take effect, I am going to relocate the osCommerce to another hosting and... as a last attempt, I am thinking of changing the client fields, incorporating the address details into the customers table (saving 1 step in the shopping process). Any suggestion?

Thanks for all.
This topic is now archived and is closed to further replies.