Problem with Sid Killer v1.2


greree


Actually, the problem is with my web host, but I know they're not going to change for me. The URL to my site is http://www.mysite.com, but my secure server is https://server.securesite.com/mysite/. So when someone goes to my site at http://www.mysite.com, and then either logs in or creates an account, they're taken to another URL, the secure URL. After they login, they're still on the secure site. Then, if they click on anything that isn't secure, which is just about everything, including product descriptions, they're logged out. If they put something in their cart and try to buy it, they're taken to the login page. If they go to the default page, they see "Welcome, Guest" with an invitation to log in again.

 

I know it's Sid Killer that's doing it, because I did a clean install, then added only Sid Killer. Anyone got any ideas? I'd like to use Sid Killer, but I also need a secure connection.

Link to comment
Share on other sites

Yeah, we discovered this about a week ago also.

 

I tried to make all of the pages go through SSL after the customer logs in, but somehow, it still logs the customer out.

 

Anyway, I've gone back to the output_html spider detector, which has always worked well for me, it's just higher maintenance in keeping the user agent names up to date.

-------------------------------------------------------------------------------------------------------------------------

NOTE: As of Oct 2006, I'm not as active in this forum as I used to be, but I still work with osC quite a bit.

If you have a question about any of my posts here, your best bet is to contact me through either Email or PM in my profile, and I'll be happy to help.

Link to comment
Share on other sites

I also am having the same sort of problems. It seems that Harald may be getting close to coming up with a solution (all together now, YAY Harald!!!) - take a look at this thread:

 

http://www.oscommerce.com/forums/viewtopic.php...=31928&start=30

... if you want to REALLY see something that doesn't set up right out of the box without some tweaking,

try being a Foster Parent!

Link to comment
Share on other sites

Howdy Folks

 

I have Ian's spider killer, but it does not seem to stop the googlebot attacks. They still are coming nearly full-force. I have installed his latest version. Do I have to wait a long time before its effectiveness begins?

 

Also, what is the output_html spider detector? Can they be used together?

 

Best Regards, Ted

Link to comment
Share on other sites

OK, since everyone seems to be having trouble with the SID killer again, and since this matter is of the utmost importance, I will once again post the 'Spider Detector' that I use to keep bots from indexing URLs with SIDs in them.

 

A couple of quick disclaimers

 

- This is by FAR not the best solution. It should merely be used as a stopgap until a REAL SOLUTION has been worked out. It is horribly inefficient, and can be very high maintenance.

 

- Putting this in will not stop Google from spidering URLs it has previously gathered with SIDs in them. After you put this in, you will see a steady decrease in the number of URLs with SIDs in them that Google spiders over the next couple of weeks.

 

 

- Older or newer snapshots than I have may vary slightly, however, the functionality remains the same.

 

- While this solution remains in my code, I am very much reluctant to add it as a contribution because of how inefficient it is.

 

 

Here you go.

 

Open: catalog/includes/functions/html_output.php

 

Find:

$sid = SID;

 

Replace it with:

 

/////////////// Bot detecting hack. The code below will not add a SID if the user is a bot.
//// Add the session ID when moving from HTTP and HTTPS servers or when SID is defined
   if ( (ENABLE_SSL == true) && ($connection == 'SSL') && ($add_session_id == true) ) {
     $sid = tep_session_name() . '=' . tep_session_id();
   } elseif ( ($add_session_id == true) && (tep_not_null(SID)) ) {
     // Substrings that identify known crawlers in the User-Agent header
     $spider_footprint = array( "Googlebot", "googlebot", "InternetSeer", "WebCrawler", "FST", "FST2.1", "Scooter", "FST2.0", "ia_archiver", "Robozilla", "Slurp");

     // getenv() returns false when the header is missing; cast it to an empty string
     $agent = (string) getenv('HTTP_USER_AGENT');
     $is_spider = 0;

     // Is it a spider?
     // Case-insensitive literal substring match. stripos() replaces eregi(),
     // which was removed in PHP 7 and treated "." in a footprint as a wildcard.
     foreach ($spider_footprint as $footprint) {
       if (stripos($agent, $footprint) !== false) {
         $is_spider = 1;
         break;
       }
     }

     // make the $sid null if it is a bot
     // Change the files below to your search-engine 'keyword' page and normal index page.
     if ($is_spider) {
       $sid = NULL;
     } else {
       $sid = SID;
     }
   }
   if (isset($sid)) {
     $link .= $separator . $sid;
   }
/////////// Bot detecting hack. The code above will not add a SID if the user is a bot.


Link to comment
Share on other sites

I'll try anything to stop the dreaded Googlebot. I have tried everything so far to no avail. I have had the Googlebot eat up 2 and 3 Gigabits of bandwidth a day for days on end! It's totally nutty.

 

You say it's inefficient. That may be so, but having thousands of unnecessary Googlebots sucking up bandwidth is inefficient too.

 

I sure hope this works and I hope we all come up with the final solution sooner rather than later.

 

Best Regards, Ted

Link to comment
Share on other sites

Please keep in mind that you won't see immediate results. If Google is currently spidering your site, you will first begin to see 1 url without a SID, then 2 or 3. Over the course of the next few days, the URLs with SIDs will slowly start to go away.

 

What happens is that Google actually has 2 programs. The first one is a URL gatherer. It sends this bot out to a list of unique URLs on your site that it needs to send the second bot out to spider later. Then it sends out the actual spider that parses through all of the URLs provided. Once it has finished parsing the site, it again runs the URL gatherer to make sure it didn't miss any URLs.

 

The problem occurs because with the SID attached, to Google's gathering program, it looks as though every SID is a new URL, even though it's really just the same page. So with every iteration of the loops through the list of URLs, the list of URLs actually grows and grows and grows, until it hits its limit of about 60,000 URLs.

 

When you add this particular bot detector, it will prevent Google from adding new URLs to the list with SIDs. It will not, however, get rid of the older URLs in the list with SIDs. These will disappear from Google's index in anywhere from 2 weeks to 3 months. The problem with the links that Google indexes with SIDs is that if they were on a product, if you click on that link, the product comes up as "product not found". There is now a contribution that solves this issue as well.


Link to comment
Share on other sites

Hi all,

 

I've been hampered in the past in testing the SID_Killer in that I didn't have access to a test system with SSL installed.

 

I've now set up such a system on my test server. Hopefully that means I'll be able to see what the problem (and hopefully the solution) is with SSL domains.

Trust me, I'm an Accountant.

Link to comment
Share on other sites

Ian,

 

Specifically, it looks like the problem is when the SSL is on a different domain than the rest of the site.

 

Hope this helps, and let me know if you need a tester. I have a test site set up that should work.


Link to comment
Share on other sites
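
Why a SID killer has to treat a shared certificate differently, as an added example (not Sid Killer or osCommerce code): a session cookie set by www.mysite.com is never sent to server.securesite.com, so on links that cross between the two hosts the session ID in the URL is the only thing carrying the login. The function, constants and session values below are hypothetical; the hosts are the ones from the first post.

```php
<?php
// Added illustration; every name below is hypothetical.
define('HTTP_BASE',  'http://www.mysite.com/');
define('HTTPS_BASE', 'https://server.securesite.com/mysite/');

/**
 * Return a catalog URL, appending the session ID only when the cookie
 * cannot carry the session to the target page.
 */
function build_link($page, $targetIsSsl, $currentIsSsl, $hasCookie, $isSpider,
                    $sessionName, $sessionId)
{
    $targetBase  = $targetIsSsl  ? HTTPS_BASE : HTTP_BASE;
    $currentBase = $currentIsSsl ? HTTPS_BASE : HTTP_BASE;
    $link = $targetBase . $page;

    // Crawlers never receive a session ID, so no SID-bearing URL gets indexed.
    if ($isSpider) {
        return $link;
    }

    // Cookies are scoped to a host. With a shared certificate the secure and
    // non-secure pages live on different hosts, so the cookie does not follow.
    $crossesHosts = parse_url($targetBase, PHP_URL_HOST)
                !== parse_url($currentBase, PHP_URL_HOST);

    // Keep the ID in the URL for the host handoff, and for visitors whose
    // browser did not return the cookie. A session ID in a URL ends up in
    // logs, history and Referer headers, so limit it to these links and
    // issue a fresh ID at login (session_regenerate_id()).
    if ($crossesHosts || !$hasCookie) {
        $separator = (strpos($link, '?') === false) ? '?' : '&';
        $link .= $separator . rawurlencode($sessionName) . '=' . rawurlencode($sessionId);
    }
    return $link;
}

// Constructed session values for the demonstration.
$name = 'sid';
$id   = 'constructed0123456789abcdef';

// Logged-in customer on the shared SSL host clicking a non-secure product link:
echo build_link('product_info.php?products_id=1', false, true, true, false, $name, $id), "\n";
// Same customer moving between two non-secure pages: the cookie is enough.
echo build_link('index.php', false, false, true, false, $name, $id), "\n";
// Crawler: plain URL in every case.
echo build_link('index.php', false, false, false, true, $name, $id), "\n";
```

With a certificate on the shop's own domain both bases share one host, `$crossesHosts` is always false, and a cookie-enabled visitor never sees a session ID in a URL.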

I've got the exact same problem!  :cry:  Does anybody have a solution?

 

Yup! Get an SSL for your own domain...

 

I've got one for https://www.domain.com and it works fine...

 

Not only does this make things 1000% easier because you don't need to upload files to two locations (NONSSL site and SSL site), it also looks much more professional to the client.

 

My $0.02 worth...

 

Tony

"The price of success is perseverance. The price of failure comes much cheaper."

Link to comment
Share on other sites

TB,

 

Great thought, however, I like my FREE shared cert. And you don't have to upload files to different locations, you only use the shared SSL as a path that the customer goes through.

 

The only difference between a shared SSL and your own SSL is the domain.

 

My shared SSL looks like this

 

https://www.ssllocked.wizardsandwars.com/lo...cid=14513451345

 

Where an SSL on my own domain looks like this

 

https://www.wizardsandwars.com/login.php?os...cid=14513451345

 

The only way the customer can tell the difference is by the URL, and usually you can only see the latter part of that anyway.


Link to comment
Share on other sites

What are we running here... businesses or games?

 

Maybe I'm more focused on the business side rather than the hobby.

 

For the cost of an SSL, the problems are all solved... you can get an InstantSSL for $49 USD which is a drop in the ocean for what it gives you. Plus, it's your own SSL... not all people know that a shared SSL encrypts data just the same... and some people don't like the idea of changing sites when transacting online. Those of us that are 'net savvy' realise what's going on, though I'm taking into account the lowest common denominator since my clients range in age from 16 - 70+.

 

I have EVERYTHING from 'woe to go' running on my site... they don't need to leave for anything, including the payment gateway, which runs on an XML feed in the background.

 

What am I up to now... $0.04 worth? :lol:

 

Cheers,

Tony

"The price of success is perseverance. The price of failure comes much cheaper."

Link to comment
Share on other sites

Tony,

 

lol, good stuff!

 

Not sure what you mean by having to leave the site, though. Shared SSLs don't require that customers leave the site at all.

 

Also, I'd calculate that probably 90% of merchants in these forums are operating as a start up. Which, to them, $50 could be an unnecessary expense, especially considering that there is generally a free alternative.

 

I agree that it is better to have your own certificate. And honestly, I think it's probably worthwhile to purchase one from a more reputable company, such as Thawte, or Verisign, for upwards of $200. But for a startup, I just don't think it should be absolutely necessary to have one.

 

Shared SSLs are just fine. And more to the point, any SID killer should be designed to take a shared SSL into consideration.


Link to comment
Share on other sites

I'm afraid I can only spare $0.01 worth, but I'll kick in here, too.

 

I have to agree with Chris. All discussion of expense aside, I think the prevalence of shared certificates (whether they are the "best" way to go or not) should dictate that a final solution to the SID issue take these into account.

... if you want to REALLY see something that doesn't set up right out of the box without some tweaking,

try being a Foster Parent!

Link to comment
Share on other sites

I'm up to $0.06 now... You're going to make me broke! :lol:

 

Not sure what you mean by having to leave the site, though. Shared SSLs don't require that customers leave the site at all.

 

True, they don't have to 'leave' your site (with most shared certificates, though some host their secure domains separately), though the URL changes to something other than www.domain.com. The files under your domain change all the time, which is something the majority of people understand, but when the domain portion changes, they may get 'iffy'.

 

My products are high value, so one client 'baulking' from my site, could cost me more than a certificate.

 

Also, I'd calculate that probably 90% of merchants in these forums are operating as a start up. Which, to them, $50 could be an unnecessary expense, especially considering that there is generally a free alternative.

 

I totally agree with this, and understand the cost factors... but everything in business has a cost to go with it, and I just don't think that this is one area that should be given a low priority... same as using PayPal only. All that gives me is the impression that I'm dealing with an individual who's trying to make a quick buck on the side. I had no problem supporting people and I would buy something from you, just like I would hope you'd buy something from me, but not everyone is like that and they're the people I need to take into account.

 

I agree that it is better to have your own certificate. And honestly, I think it's probably worthwhile to purchase one from a more reputable company, such as Thawte, or Verisign, for upwards of $200. But for a startup, I just don't think it should be absolutely necessary to have one.

 

Thawte and Verisign are great if you need to support IE4 and other browsers around that era. Verisign in particular has up to $250,000 'guarantee' with their certificates, as their prices reflect. I don't have a $49 USD InstantSSL, but it's a starting point since most browsers from IE5 + have the root certificate for this installed, so it's a seamless transition from HTTP to HTTPS.

 

Shared SSLs are just fine. And more to the point, any SID killer should be designed to take a shared SSL into consideration.

The reality is that not everyone is going to get their own SSL. So I agree with you that any SID killer SHOULD be designed for both variants.

 

Anyway... I'd best finish this post here before I break into the $0.08 realm! :D

 

Cheers,

Tony

"The price of success is perseverance. The price of failure comes much cheaper."

Link to comment
Share on other sites

I gotta tell you Tony, I think your opinions are great.

 

You should raise your rates.

 

Man $.02 per 2 minutes it took to write that post is only $0.60 per hour. Let me know if you need full time employment! :lol:


Link to comment
Share on other sites

I'd better lay low now... next thing we know I'll be writing on IOU's!

 

I'll have to get in contact with HPDL to see if I can get a refund of $0.02 on some of my older posts... :lol:

 

Umm... what a GREAT idea! Maybe you could do the same... and with posts, maybe then you could afford to hear the 'ratter tat tat' of my keyboard skills for 10 solid hours!

 

Hmm... * thinking to self: must stop now before I get myself into a delirious state thinking that this is really possible. * :roll:

 

* Whacking self across head *

"Snap outta it man! Get a grip!" :lol:

 

PHEW! I'm back now...

 

Cheers for your comments so far Chris... been a good thread so far...

 

Tony

 

Ohh no! This post has blown outta proportion... luckily for me I have a modified version of the Image Proportion contribution installed on my wallet to keep the finances in order, so I'm deciding that this post is only going to set me back $0.01... I'm now up to $0.07!

"The price of success is perseverance. The price of failure comes much cheaper."

Link to comment
Share on other sites

Hi Friends,

 

I'm also struggling with the SharedSSL problems. I had to take the mod off again, although it would be great to have.

 

I'm looking forward to seeing Ian's fix at some point. Thanks in advance to Ian!

 

German

Link to comment
Share on other sites

I am having trouble with this too. I am going to have to delete it for the time being. Does anyone know if I can leave the "change buy it now links to forms" module while the kinks are being worked out of the sidkiller?

 

Thanks!

 

Mark

Link to comment
Share on other sites

Howdy Folks

 

Here's a really odd error_log message:

 

Fri Feb 28 22:28:34 2003] [error] PHP Warning:  Empty delimiter in /var/www/vhosts/mysite.com/htdocs/includes/functions/html_output.php on line 113

 

What's really strange is that it is repeated hundreds of times in a row in the error_log, but the time is exactly the same on all of them 22:28:34 2003!

 

Line 113 and surrounding in html_output.php looks like:

 

 

foreach($spiders as $Val) {
   if (!(strpos($Val, $useragent) === false)) {
     // found a spider, kill the sid/sess
     // Edit out one of these as necessary depending upon your version of html_output.php
     //$sess = NULL;
     $sid = NULL;
     break;
   }

 

Any help is greatly appreciated.

 

Best Regards, Ted

Link to comment
Share on other sites
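
"Empty delimiter" is the warning older PHP versions raise when the second argument of strpos(), the needle, is an empty string. In the loop quoted above the needle is $useragent, so a request that sends no User-Agent header triggers the warning on every pass through the list, and as written the call looks for the whole user agent inside each list entry rather than the other way round. An added sketch of the check with both points handled (not Sid Killer's code; is_spider() and the sample list are hypothetical):

```php
<?php
// Added example; is_spider() and the sample data are hypothetical.
// The User-Agent header is chosen by the client, so the result should only
// decide whether to leave the SID out of a link, never to grant anything.
function is_spider($userAgent, array $spiders)
{
    // getenv() and $_SERVER give false or null when the header is absent.
    $userAgent = trim((string) $userAgent);
    if ($userAgent === '') {
        // No User-Agent at all: nothing to match. Treating this as
        // "not a spider" is a policy choice made for this example.
        return false;
    }

    foreach ($spiders as $name) {
        $name = trim((string) $name);
        if ($name === '') {
            continue; // a blank list entry would be an empty needle as well
        }
        // Haystack first (the user agent), needle second (the crawler name).
        if (stripos($userAgent, $name) !== false) {
            return true;
        }
    }
    return false;
}

// Constructed inputs, including the two cases that produce the warning
// in the original loop.
$spiders = array('Googlebot', 'Slurp', '', 'ia_archiver');
$agents  = array(
    'Googlebot/2.1 (+http://www.googlebot.com/bot.html)',
    'Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)',
    '',      // header sent but empty
    false,   // header missing: what getenv() returns
);

foreach ($agents as $agent) {
    printf("%-56s => %s\n",
        var_export($agent, true),
        is_spider($agent, $spiders) ? 'spider' : 'visitor');
}
```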

  • 2 weeks later...
I agree that it is better to have your own certificate. And honestly, I think it's probably worthwhile to purchase one from a more reputable company, such as Thawte, or Verisign, for upwards of $200. But for a startup, I just don't think it should be absolutely necessary to have one.

 

Thawte and Verisign are great if you need to support IE4 and other browsers around that era. Verisign in particular has up to $250,000 'guarantee' with their certificates, as their prices reflect. I don't have a $49 USD InstantSSL, but it's a starting point since most browsers from IE5 + have the root certificate for this installed, so it's a seamless transition from HTTP to HTTPS.

Tony

 

The site seals you get from Thawte and Verisign are also worth it. More people will actually order with those. Just survey your friends -- some will even recognize Verisign's guarantee. Seems like they wouldn't, but they do. People are suspicious and look for those little cues before committing to a purchase from a company they may not have heard of. They're scared and want assurance. (I also recommend joining SquareTrade and ePublicEye for these very reasons)

 

On the cheap, I recommend the $9 ChainedSSL from freessl.com. I almost literally have a way place in my high for this high value, low cost cert. :D

 

It's the same as what InstantSSL gives you. IE 5.0+ compatibility, decent Netscape and Opera. Tons of people use the Win98/IE5.0 combo, making ChainedSSL and InstantSSL outrageously better than some other newcomers, like Geo-trust, which blow warnings on those folks. 14-18% of my buyers wouldn't be buyers if I used Geo-trust. (the bizarre thing is that Geo-Trust owns freessl.com, now -- it's weird getting a superior cert for $9 from a company selling an inferior one for over $100!)

 

It's great to start with ChainedSSL (I do with all of my sites), then move to Thawte or Verisign for their nice, sales increasing secure site 'click here to verify' seal.

Link to comment
Share on other sites
