A session cookie setup question on admin side


bertie.shen

Hi friends,

I ran into a puzzling problem recently. On my local laptop, the customer side works fine: osCsid does not show up in the URL, and osCsid is stored correctly in the browser. However, the admin side does not work. Every time I visit any page under the admin/ directory, I am redirected to login.php and an osCAdminID shows up as part of the URL. But after I enter the correct username/password at login.php, I am redirected to login.php again and a new osCAdminID is generated and shown in the URL, such as http://localhost/oscommerce/admin/login.php?osCAdminID=9fukuti7oa9puuo3807plgju81. I checked the browser and did not find osCAdminID stored in a cookie.

Do you guys have some ideas about it? I suspect that it is because of some session cookie setup issue, which causes osCAdminID not to be stored appropriately in the browser and to be regenerated every time I visit any admin/ page. What is puzzling to me is that my customer side session cookie works fine.

BTW, I ran WAMP on Windows 7 Home Premium.

Any help or suggestion is greatly appreciated.

Link to comment

I had the same problem just today, but in both the front and back end.

To solve it, I set the osCommerce sessions to use the database, and in my php.ini file in WAMP I set session.use_only_cookies to be 0.

It did take me several hours of head scratching to get to that point, and obviously I don't have cookies working on my local version of the site. This should solve the problem for you though, enough to allow you to do whatever it is you need to do.

Link to comment

BenFreke, thanks for the reply. My session.use_only_cookies was 1. After I changed it to 0, osCAdminID still shows up in every URL, and the front end still works fine.

BTW, I attached my php.ini settings related to session management below. Hope someone has some insight about it. Thanks.


[session]
; Handler used to store/retrieve data.
; http://php.net/session.save-handler
session.save_handler = files

; Argument passed to save_handler. In the case of files, this is the path
; where data files are stored. Note: Windows users have to change this
; variable in order to use PHP's session functions.
;
; The path can be defined as:
;
; session.save_path = "N;/path"
;
; where N is an integer. Instead of storing all the session files in
; /path, what this will do is use subdirectories N-levels deep, and
; store the session data in those directories. This is useful if you
; or your OS have problems with lots of files in one directory, and is
; a more efficient layout for servers that handle lots of sessions.
;
; NOTE 1: PHP will not create this directory structure automatically.
; You can use the script in the ext/session dir for that purpose.
; NOTE 2: See the section on garbage collection below if you choose to
; use subdirectories for session storage
;
; The file storage module creates files using mode 600 by default.
; You can change that by using
;
; session.save_path = "N;MODE;/path"
;
; where MODE is the octal representation of the mode. Note that this
; does not overwrite the process's umask.
; http://php.net/session.save-path
;session.save_path = "c:/wamp/tmp"

; Whether to use cookies.
; http://php.net/session.use-cookies
session.use_cookies = 1

; http://php.net/session.cookie-secure
;session.cookie_secure =

; This option forces PHP to fetch and use a cookie for storing and maintaining
; the session id. We encourage this operation as it's very helpful in combatting
; session hijacking when not specifying and managing your own session id. It is
; not the end all be all of session hijacking defense, but it's a good start.
; http://php.net/session.use-only-cookies
session.use_only_cookies = 0

; Name of the session (used as cookie name).
; http://php.net/session.name
session.name = PHPSESSID

; Initialize session on request startup.
; http://php.net/session.auto-start
session.auto_start = 0

; Lifetime in seconds of cookie or, if 0, until browser is restarted.
; http://php.net/session.cookie-lifetime
session.cookie_lifetime = 0

; The path for which the cookie is valid.
; http://php.net/session.cookie-path
session.cookie_path = /

; The domain for which the cookie is valid.
; http://php.net/session.cookie-domain
session.cookie_domain = localhost

; Whether or not to add the httpOnly flag to the cookie, which makes it inaccessible to browser scripting languages such as JavaScript.
; http://php.net/session.cookie-httponly
session.cookie_httponly =

; Handler used to serialize data. php is the standard serializer of PHP.
; http://php.net/session.serialize-handler
session.serialize_handler = php

; Defines the probability that the 'garbage collection' process is started
; on every session initialization. The probability is calculated by using
; gc_probability/gc_divisor. Where session.gc_probability is the numerator
; and gc_divisor is the denominator in the equation. Setting this value to 1
; when the session.gc_divisor value is 100 will give you approximately a 1% chance
; the gc will run on any give request.
; Default Value: 1
; Development Value: 1
; Production Value: 1
; http://php.net/session.gc-probability
session.gc_probability = 1

; Defines the probability that the 'garbage collection' process is started on every
; session initialization. The probability is calculated by using the following equation:
; gc_probability/gc_divisor. Where session.gc_probability is the numerator and
; session.gc_divisor is the denominator in the equation. Setting this value to 1
; when the session.gc_divisor value is 100 will give you approximately a 1% chance
; the gc will run on any give request. Increasing this value to 1000 will give you
; a 0.1% chance the gc will run on any give request. For high volume production servers,
; this is a more efficient approach.
; Default Value: 100
; Development Value: 1000
; Production Value: 1000
; http://php.net/session.gc-divisor
session.gc_divisor = 1000

; After this number of seconds, stored data will be seen as 'garbage' and
; cleaned up by the garbage collection process.
; http://php.net/session.gc-maxlifetime
session.gc_maxlifetime = 1440

; NOTE: If you are using the subdirectory option for storing session files
; (see session.save_path above), then garbage collection does *not*
; happen automatically. You will need to do your own garbage
; collection through a shell script, cron entry, or some other method.
; For example, the following script would is the equivalent of
; setting session.gc_maxlifetime to 1440 (1440 seconds = 24 minutes):
; cd /path/to/sessions; find -cmin +24 | xargs rm

; PHP 4.2 and less have an undocumented feature/bug that allows you to
; to initialize a session variable in the global scope, even when register_globals
; is disabled. PHP 4.3 and later will warn you, if this feature is used.
; You can disable the feature and the warning separately. At this time,
; the warning is only displayed, if bug_compat_42 is enabled. This feature
; introduces some serious security problems if not handled correctly. It's
; recommended that you do not use this feature on production servers. But you
; should enable this on development servers and enable the warning as well. If you
; do not enable the feature on development servers, you won't be warned when it's
; used and debugging errors caused by this can be difficult to track down.
; Default Value: On
; Development Value: On
; Production Value: Off
; http://php.net/session.bug-compat-42
session.bug_compat_42 = On

; This setting controls whether or not you are warned by PHP when initializing a
; session value into the global space. session.bug_compat_42 must be enabled before
; these warnings can be issued by PHP. See the directive above for more information.
; Default Value: On
; Development Value: On
; Production Value: Off
; http://php.net/session.bug-compat-warn
session.bug_compat_warn = On

; Check HTTP Referer to invalidate externally stored URLs containing ids.
; HTTP_REFERER has to contain this substring for the session to be
; considered as valid.
; http://php.net/session.referer-check
session.referer_check =

; How many bytes to read from the file.
; http://php.net/session.entropy-length
session.entropy_length = 0

; Specified here to create the session id.
; http://php.net/session.entropy-file
;session.entropy_file = /dev/urandom
session.entropy_file =

; http://php.net/session.entropy-length
;session.entropy_length = 16

; Set to {nocache,private,public,} to determine HTTP caching aspects
; or leave this empty to avoid sending anti-caching headers.
; http://php.net/session.cache-limiter
session.cache_limiter = nocache

; Document expires after n minutes.
; http://php.net/session.cache-expire
session.cache_expire = 180

; trans sid support is disabled by default.
; Use of trans sid may risk your users security.
; Use this option with caution.
; - User may send URL contains active session ID
; to other person via. email/irc/etc.
; - URL that contains active session ID may be stored
; in publically accessible computer.
; - User may access your site with the same session ID
; always using URL stored in browser's history or bookmarks.
; http://php.net/session.use-trans-sid
session.use_trans_sid = 0

; Select a hash function for use in generating session ids.
; Possible Values
; 0 (MD5 128 bits)
; 1 (SHA-1 160 bits)
; http://php.net/session.hash-function
session.hash_function = 0

; Define how many bits are stored in each character when converting
; the binary hash data to something readable.
; Possible values:
; 4 (4 bits: 0-9, a-f)
; 5 (5 bits: 0-9, a-v)
; 6 (6 bits: 0-9, a-z, A-Z, "-", ",")
; Default Value: 4
; Development Value: 5
; Production Value: 5
; http://php.net/session.hash-bits-per-character
session.hash_bits_per_character = 5

; The URL rewriter will look for URLs in a defined set of HTML tags.
; form/fieldset are special; if you include them here, the rewriter will
; add a hidden <input> field with the info which is otherwise appended
; to URLs. If you want XHTML conformity, remove the form entry.
; Note that all valid entries require a "=", even if no value follows.
; Default Value: "a=href,area=href,frame=src,form=,fieldset="
; Development Value: "a=href,area=href,frame=src,input=src,form=fakeentry"
; Production Value: "a=href,area=href,frame=src,input=src,form=fakeentry"
; http://php.net/url-rewriter.tags
url_rewriter.tags = "a=href,area=href,frame=src,input=src,form=fakeentry"

Link to comment

Oh, one other thing that is best to check before playing around with php.ini (sorry, it was late and I wanted to go home!)

In your configure.php file, make sure that both front and backend are set to store the session in the database, with the setting 'mysql'. Other than that, I'm out of ideas sorry, it might be permissions problems on the tmp folder?

Link to comment

I added in admin/includes/configure.php, as I did in includes/configure.php a few weeks ago,

define('HTTP_COOKIE_DOMAIN', '');
define('HTTP_COOKIE_PATH', '');

Now, it works, although I do not know why they solved the problem!

Thanks, BenFreke!

Link to comment
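
Added example (not code from this thread or from osCommerce): the older cookie rule in RFC 2109 rejects a Domain value with no embedded dot, such as localhost, whereas an empty value produces a host-only cookie, which is one likely reason the empty HTTP_COOKIE_DOMAIN helped. The PHP below checks the values from the posted php.ini for that and for the URL-carried session id; the function names are hypothetical, and it assumes the configured domain reaches the browser unchanged as the cookie's Domain attribute.

```php
<?php
// Added example; function names are hypothetical, not osCommerce or PHP APIs.

// Would a browser applying the RFC 2109 embedded-dot rule store a cookie
// set by $host with this Domain attribute?
function cookie_domain_accepted(string $domain, string $host): bool
{
    if ($domain === '') {
        return true; // no Domain attribute: host-only cookie
    }
    $d = strtolower(ltrim($domain, '.'));
    $h = strtolower($host);
    if (strpos($d, '.') === false) {
        return false; // e.g. "localhost" has no embedded dot
    }
    // Domain must equal the host or be a parent domain of it.
    return $h === $d || substr($h, -strlen($d) - 1) === '.' . $d;
}

// Returns human-readable findings for a set of session.* values.
function audit_session_settings(array $ini, string $host): array
{
    $on = function ($v) { return filter_var($v, FILTER_VALIDATE_BOOLEAN); };
    $findings = [];
    if (!cookie_domain_accepted((string) ($ini['session.cookie_domain'] ?? ''), $host)) {
        $findings[] = 'cookie_domain does not fit the host: cookie may be discarded, leave it empty';
    }
    if (!$on($ini['session.use_only_cookies'] ?? '1')) {
        $findings[] = 'use_only_cookies is off: a session id in the URL is accepted';
    }
    if ($on($ini['session.use_trans_sid'] ?? '0')) {
        $findings[] = 'use_trans_sid is on: PHP appends the session id to links';
    }
    if (!$on($ini['session.cookie_httponly'] ?? '')) {
        $findings[] = 'cookie_httponly is off: page scripts can read the session cookie';
    }
    return $findings;
}

// Values copied from the php.ini posted in this thread; host is the local WAMP site.
$posted = [
    'session.cookie_domain'    => 'localhost',
    'session.use_only_cookies' => '0',
    'session.use_trans_sid'    => '0',
    'session.cookie_httponly'  => '',
];
foreach (audit_session_settings($posted, 'localhost') as $finding) {
    echo $finding, PHP_EOL;
}
```

To audit a running configuration instead of the constructed array, pass `ini_get_all('session', false)` together with the site's host name.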

  • 8 months later...

Thank you guys, I had the same problem and I repeated the same process as you have discussed and it worked fine.

But when I move the site to the server, the issue may crop up again? So it is better to use a "php.ini" file in the root of your website folder and add this setting there, instead of making a change in the system-wide "php.ini" file.

I think this should be the long-lasting solution.

Rocky Singh
cWebConsultants.com

Link to comment

  • 1 year later...

Some very strange things are going on with my configuration. Now that I changed it to try to get it to work for IE, it works once only in Google, then I can't log in as a client. I switch back to (cookies domain '') (empty basically) and log in again. Next time I have to change the config back to www.edilaudere.com or I can't log in.

Also, after updating my cart... old things appear in it at checkout (I do have a script that maintains the cart items in the cart even for unlogged in clients for 10 days), though the cart was emptied.

It seems as though cookies are being stored in 2 areas. I can delete my cart from one, but if I change my config to log in again... other products appear...

What is going on?

I don't have this problem on localhost. It is very frustrating. Also, because before testing for IE... this did not happen. HELP. My store is only parked for now, but I need to stop losing hair over this.

Link to comment

Archived

This topic is now archived and is closed to further replies.