jtsroberts, Posted December 18, 2009

Hi all, I've had a report that a user has posted a link on a public forum to a product listing on their site. The user was logged in at the time and the URL they posted was:

sitename/index.php?cPath=31&osCsid=44f7f0adb0edcf4b4c0402b5c3965f06

Another forum user came along, clicked that link, and was then already logged in as the actual owner of the account who posted the link! Is there a patch for this? It's running osc v2.2 R2.2
FWR Media, Posted December 18, 2009

> Hi all, I've had a report that a user has posted a link on a public forum to a product listing on their site. The user was logged in at the time and the URL they posted was: sitename/index.php?cPath=31&osCsid=44f7f0adb0edcf4b4c0402b5c3965f06 Another forum user came along, clicked that link, and was then already logged in as the actual owner of the account who posted the link! Is there a patch for this? It's running osc v2.2 R2.2

1) Make sure that the osCsid is not persistent on the site (it should disappear after the 1st click).
2) Set Recreate Session to true (Configuration > Sessions > Recreate Session).
jtsroberts (Author), Posted December 21, 2009

> 1) Make sure that the osCsid is not persistent on the site (it should disappear after the 1st click).

The osCsid parameter is always present in the category links, etc. How do you set it up to only require it the first time?

> 2) Set Recreate Session to true (Configuration > Sessions > Recreate Session).

I've made this change.
jtsroberts (Author), Posted December 21, 2009

I was able to remove the osCsid by fixing the cookie domain. The original developer set it as http://www.domain.com instead of just domain.com. All good now I believe.
spooks, Posted December 21, 2009

Selecting Regenerate Session may not be sufficient to cure issues with external links with a sid attached. Matt has created a nice post here with a mod for regenerating the session and preventing shared sessions from shared links.

Sam
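The two fixes discussed above (FWR Media's "osCsid should disappear after the first click" plus Recreate Session, and the cookie-domain fix jtsroberts applied, with spooks's caveat that regeneration alone is not enough) combined in one standalone PHP fragment. This is an added example written for this thread, not osCommerce's own session code or Matt's mod; the session name osCsid is taken from the URL in the first post, the cookie domain is a placeholder, and only standard PHP session functions are used.

```php
<?php
// Added example (not osCommerce code): keep the session id out of URLs so a
// pasted link cannot carry a live login, bind the cookie to the bare host,
// and issue a fresh id when the customer logs in.

const SESSION_NAME  = 'osCsid';     // parameter name seen in the shared URL
const COOKIE_DOMAIN = 'domain.com'; // ASSUMED placeholder: bare host, not "http://www.domain.com"

function harden_session_config(): void {
    // Accept and emit the session id via cookie only; never via the query string.
    ini_set('session.use_only_cookies', '1');
    ini_set('session.use_trans_sid', '0');
    // Reject ids the server never issued, so a guessed or stale osCsid is dropped.
    ini_set('session.use_strict_mode', '1');
    session_name(SESSION_NAME);
    session_set_cookie_params([
        'lifetime' => 0,
        'path'     => '/',
        'domain'   => COOKIE_DOMAIN,
        'secure'   => true,
        'httponly' => true,
        'samesite' => 'Lax',
    ]);
}

// If the request URL still carries osCsid (old links, bookmarks), return the
// same URL without it so the id is not re-shared; null when nothing to strip.
function url_without_session_id(string $requestUri): ?string {
    $parts = parse_url($requestUri);
    parse_str($parts['query'] ?? '', $query);
    if (!array_key_exists(SESSION_NAME, $query)) {
        return null;
    }
    unset($query[SESSION_NAME]);
    $clean = $parts['path'] ?? '/';
    if ($query !== []) {
        $clean .= '?' . http_build_query($query);
    }
    return $clean;
}

function on_successful_login(int $customerId): void {
    // New id on privilege change: the effect the thread's "Recreate Session" setting is after.
    session_regenerate_id(true);
    $_SESSION['customer_id'] = $customerId;
}

harden_session_config();
session_start();
if (($clean = url_without_session_id($_SERVER['REQUEST_URI'] ?? '/')) !== null) {
    header('Location: ' . $clean, true, 302);
    exit;
}
```

With use_only_cookies set, a visitor who clicks the shared link from the first post gets the page but not the poster's session; the redirect only tidies the URL.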