Guest
Posted May 26, 2010

To the Community,

Is this a nightmare unfolded or is there a better explanation? For the last month my colleagues have been reporting to me that there is a user that has a changing IP address and sometimes puts things in his cart and sometimes does not. I fear the worst for this situation. What I fear is that there is a session gone out of control, meaning that different users are taking over this same session. As a result this session stays active for hours on end.

For those willing to help me, here is some important information. Please also note that amidst this problem we are still receiving orders as usual. However, the fear is we're missing out on a percentage of them.

Domain: http://www.13thgreen.com/
Force Cookie Use: true

I really appreciate any support I could receive.

Thanks - Ryan

shadow007
Posted May 26, 2010

> To the Community,
>
> Is this a nightmare unfolded or is there a better explanation? For the last month my colleagues have been reporting to me that there is a user that has a changing IP address and sometimes puts things in his cart and sometimes does not. I fear the worst for this situation. What I fear is that there is a session gone out of control, meaning that different users are taking over this same session. As a result this session stays active for hours on end.
>
> For those willing to help me, here is some important information. Please also note that amidst this problem we are still receiving orders as usual. However, the fear is we're missing out on a percentage of them.
>
> Domain: http://www.13thgreen.com/
> Force Cookie Use: true
>
> I really appreciate any support I could receive.
>
> Thanks - Ryan

I suggest that you set the force cookie use to be false and set session stored in database not in files through your configure file.

Tank

Everyone is changing the world. Everyone is a world. For everyone needs my help, PM or email if I amn't online.

Guest
Posted May 26, 2010

> I suggest that you set the force cookie use to be false and set session stored in database not in files through your configure file.
>
> Tank

Tank,

Can you please tell me why you suggest this? I believe changing cookie use to false to be a last resort. Unfortunately my site is filled with instances where traditional <a> tags were used in place of the tep_href_link() function. As a result, without cookies the session swapping would almost certainly occur as I understand it.

I've done a little digging and have found out some more information that may pertain to the problem at hand. In most cases it appears as the mystery user / users are bot related. Commonly the IP address gives this away. More often than not the IP address is spider08.yandrex.ru. However, this is not always the case, just a majority. Just now I witnessed it switch to possibly another bot. Now it's switched to a real person who searched us on Google.

What all these changing IPs have in common is they are not assigned an osCid. I'm sure this is very relevant.

Please help

Guest
Posted May 26, 2010

> Tank,
>
> Can you please tell me why you suggest this? I believe changing cookie use to false to be a last resort. Unfortunately my site is filled with instances where traditional <a> tags were used in place of the tep_href_link() function. As a result, without cookies the session swapping would almost certainly occur as I understand it.
>
> I've done a little digging and have found out some more information that may pertain to the problem at hand. In most cases it appears as the mystery user / users are bot related. Commonly the IP address gives this away. More often than not the IP address is spider08.yandrex.ru. However, this is not always the case, just a majority. Just now I witnessed it switch to possibly another bot. Now it's switched to a real person who searched us on Google.
>
> What all these changing IPs have in common is they are not assigned an osCid. I'm sure this is very relevant.
>
> Please help

I would strongly advise that you fix your links. They should be using the tep_href_link() function.

You can also make these changes in Admin-->Configuration-->Sessions

Check SSL Session ID: true
Check User Agent: false
Check IP Address: false
Prevent Spider Session: true
Recreate Session: true

Guest
Posted May 26, 2010

> I would strongly advise that you fix your links. They should be using the tep_href_link() function.
>
> You can also make these changes in Admin-->Configuration-->Sessions
>
> Check SSL Session ID: true
> Check User Agent: false
> Check IP Address: false
> Prevent Spider Session: true
> Recreate Session: true

Bktrain,

Thanks for the response. Most links use the correct function but there are some that don't, hidden throughout the website. It would be difficult to find and fix them all but not impossible. I thought of this as a last resort. Also I know by having force cookie use to true I don't necessarily need to. However, I read that if I don't force cookie use then it would be a major problem if a customer clicked a non tep_href_link.

I have been watching my traffic all morning and have observed many more disturbing things with this problem.

1. All users have a session except one. The exception to the rule is on for hours and constantly changes. A frequent page of this user is the cookie_usage page.
2. Sometimes the IP changes for this user and then subsequently creates a new user with the same IP and with an osCid.

It appears that this changing IP user is actually a gateway for people to enter the site who at first don't have a session. They then create one and move forward. I suspect this has something to do with people who don't have cookies enabled. Or maybe my configuration file is not correct for cookie use, meaning that the path of the cookies is wrong?

Will post more evidence as I find it.

Guest
Posted May 26, 2010

> Thanks for the response. Most links use the correct function but there are some that don't, hidden throughout the website. It would be difficult to find and fix them all but not impossible. I thought of this as a last resort. Also I know by having force cookie use to true I don't necessarily need to. However, I read that if I don't force cookie use then it would be a major problem if a customer clicked a non tep_href_link.

I just disabled cookies in Firefox and was not able to add any items to the cart.

Looks like your HTTP and HTTPS cookie domains should be set as www.13thgreen.com
The cookie paths should be /

I think the links you need to fix are probably in includes/header.php and includes/footer.php. I would still fix them.

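One way to locate the hand-written links discussed in the posts above, as an added example that is not part of the thread or of osCommerce: it lists internal anchor tags whose href is not built by tep_href_link(). The sample template, the helper name find_raw_links and the skip list are constructed for illustration.

```python
import re
import sys

# href value of an anchor tag; the value may itself contain PHP code.
ANCHOR_HREF = re.compile(r'<a\b[^>]*?\bhref\s*=\s*(["\'])(.*?)\1', re.I | re.S)
SKIP_PREFIXES = ("#", "mailto:", "javascript:", "tel:")

# Constructed sample resembling a fragment of includes/header.php.
SAMPLE = '''<td><a href="<?php echo tep_href_link(FILENAME_DEFAULT); ?>">Home</a></td>
<td><a href="specials.php">Specials</a></td>
<?php echo '<a href="' . tep_href_link(FILENAME_SHOPPING_CART) . '">Cart</a>'; ?>
<td><a href="http://www.13thgreen.com/contact_us.php">Contact</a></td>
<td><a href="http://www.google.com/analytics/">Stats</a></td>
<td><a href="mailto:sales@example.com">Email</a></td>
'''


def find_raw_links(source, shop_hosts=("www.13thgreen.com", "13thgreen.com")):
    """Return (line_number, href) for internal links not built by tep_href_link()."""
    findings = []
    for m in ANCHOR_HREF.finditer(source):
        href = m.group(2).strip()
        if not href or "tep_href_link(" in href:
            continue  # empty, or already generated by the session-aware helper
        if href.lower().startswith(SKIP_PREFIXES):
            continue  # in-page anchors and non-HTTP schemes carry no session
        absolute = re.match(r'(?:https?:)?//([^/:"\']+)', href, re.I)
        if absolute and absolute.group(1).lower() not in shop_hosts:
            continue  # external site, no shop session involved
        line_no = source.count("\n", 0, m.start()) + 1
        findings.append((line_no, href))
    return findings


if __name__ == "__main__":
    # Scan files named on the command line, or the constructed sample if none.
    sources = {p: open(p, encoding="utf-8", errors="replace").read()
               for p in sys.argv[1:]} or {"SAMPLE": SAMPLE}
    for name, text in sources.items():
        for line_no, href in find_raw_links(text):
            print(f"{name}:{line_no}: {href}")
```

Links assembled from PHP constants without tep_href_link() are reported too, since only the helper call is treated as safe.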
Guest
Posted May 26, 2010

> I just disabled cookies in Firefox and was not able to add any items to the cart.
>
> Looks like your HTTP and HTTPS cookie domains should be set as www.13thgreen.com
> The cookie paths should be /
>
> I think the links you need to fix are probably in includes/header.php and includes/footer.php. I would still fix them.

Bktrain,

Thanks again for the response and effort in helping me to solve my dilemma. At this point it looks like I am going to fix those links. I want to share with you some more peculiar evidence I found.

Let's call the changing IPs user SessionX. Well, as I pointed out, SessionX is always changing and a frequent page he is on is cookie_usage.php. Well, I learned how to be SessionX. I turned off cookies and visited the site and became SessionX. I was only SessionX until someone else with cookies off clicked on the site. Whenever I re-clicked I became SessionX again.

Also I can confirm what you said about not being able to purchase anything with cookies off. It seems that cookies off is a rare thing. I tried ordering from k5.com, walmart.com, and zappos.com and was not able to order without cookies.

This is just so frustrating.

I'm thinking the cookie information probably shouldn't be blank? Something interesting to point out about cookies. My site gives 2 cookies to users. 1 = "13thgreen.com" and has weird information and the 2 = "www.13thgreen.com" which has the osCsid in it.

define('HTTP_SERVER', 'http://www.13thgreen.com'); // eg, http://localhost - should not be empty for productive servers
define('HTTPS_SERVER', 'https://www.13thgreen.com'); // eg, https://localhost - should not be empty for productive servers
define('ENABLE_SSL', 'true'); // secure webserver for checkout procedure?
define('HTTP_COOKIE_DOMAIN', '');
define('HTTPS_COOKIE_DOMAIN', '');
define('HTTP_COOKIE_PATH', '');
define('HTTPS_COOKIE_PATH', '');
define('DIR_WS_HTTP_CATALOG', '/');
define('DIR_WS_HTTPS_CATALOG', '/');

Guest
Posted May 26, 2010

> I'm thinking the cookie information probably shouldn't be blank? Something interesting to point out about cookies. My site gives 2 cookies to users. 1 = "13thgreen.com" and has weird information and the 2 = "www.13thgreen.com" which has the osCsid in it.

This is normal. The first cookie is a test cookie. The second one is the session cookie.

> define('HTTP_SERVER', 'http://www.13thgreen.com'); // eg, http://localhost - should not be empty for productive servers
> define('HTTPS_SERVER', 'https://www.13thgreen.com'); // eg, https://localhost - should not be empty for productive servers
> define('ENABLE_SSL', 'true'); // secure webserver for checkout procedure?
> define('HTTP_COOKIE_DOMAIN', '');
> define('HTTPS_COOKIE_DOMAIN', '');
> define('HTTP_COOKIE_PATH', '');
> define('HTTPS_COOKIE_PATH', '');
> define('DIR_WS_HTTP_CATALOG', '/');
> define('DIR_WS_HTTPS_CATALOG', '/');

Should be

define('HTTP_SERVER', 'http://www.13thgreen.com'); // eg, http://localhost - should not be empty for productive servers
define('HTTPS_SERVER', 'https://www.13thgreen.com'); // eg, https://localhost - should not be empty for productive servers
define('ENABLE_SSL', 'true'); // secure webserver for checkout procedure?
define('HTTP_COOKIE_DOMAIN', 'www.13thgreen.com');
define('HTTPS_COOKIE_DOMAIN', 'www.13thgreen.com');
define('HTTP_COOKIE_PATH', '/');
define('HTTPS_COOKIE_PATH', '/');
define('DIR_WS_HTTP_CATALOG', '/');
define('DIR_WS_HTTPS_CATALOG', '/');

Guest
Posted May 27, 2010

> This is normal. The first cookie is a test cookie. The second one is the session cookie.
>
> Should be
>
> define('HTTP_SERVER', 'http://www.13thgreen.com'); // eg, http://localhost - should not be empty for productive servers
> define('HTTPS_SERVER', 'https://www.13thgreen.com'); // eg, https://localhost - should not be empty for productive servers
> define('ENABLE_SSL', 'true'); // secure webserver for checkout procedure?
> define('HTTP_COOKIE_DOMAIN', 'www.13thgreen.com');
> define('HTTPS_COOKIE_DOMAIN', 'www.13thgreen.com');
> define('HTTP_COOKIE_PATH', '/');
> define('HTTPS_COOKIE_PATH', '/');
> define('DIR_WS_HTTP_CATALOG', '/');
> define('DIR_WS_HTTPS_CATALOG', '/');

Bktrain,

Yes, you are correct, that is a normal process. However, my explanation was abnormal and not fitting. What I meant to say was that I was receiving two individual cookie groups from different domains. The first domain was "13thgreen.com" which gave me various "_utm%" cookies and the second domain "www.13thgreen.com" which gave me a "cookie_test" and an "osCsid" cookie.

I checked out some other shops and saw that all the other shops have a cookie from "yoursite.com" rather than "www.yoursite.com". With this as evidence I decided to go ahead and try your configure.php changes. I did so and noticed I still had two separate domain cookies. However, when I removed the www from the configure.php and left it as "13thgreen.com" I noticed that I eliminated the second domain cookie group and that all the cookies joined together under "13thgreen.com" similar to how I saw on other osc sites.

Damn this is never ending.

Guest
Posted May 27, 2010

> I checked out some other shops and saw that all the other shops have a cookie from "yoursite.com" rather than "www.yoursite.com". With this as evidence I decided to go ahead and try your configure.php changes. I did so and noticed I still had two separate domain cookies. However, when I removed the www from the configure.php and left it as "13thgreen.com" I noticed that I eliminated the second domain cookie group and that all the cookies joined together under "13thgreen.com" similar to how I saw on other osc sites.
>
> Damn this is never ending.

Your cookie settings in configure.php must match how your SSL cert was issued to you. If it was issued with the www (which yours is), then you must have that. Try setting them back with the www. Then before you go to your site clear your cookies.

Guest
Posted May 27, 2010

> Your cookie settings in configure.php must match how your SSL cert was issued to you. If it was issued with the www (which yours is), then you must have that. Try setting them back with the www. Then before you go to your site clear your cookies.

Bktrain,

What you're saying makes sense. Here's what happens including the www. When the configure does not include the www it all merges under "13thgreen.com". How can I make it all merge under "www.13thgreen.com"?

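The cookie grouping observed in the posts above follows from how browsers scope cookies (RFC 6265). This added example, which is not part of the thread or of osCommerce, models it for the three HTTP_COOKIE_DOMAIN values tried. It assumes the configured value is passed through unchanged as the cookie's Domain attribute and omits the public-suffix check; the function names and the blog./shop. hosts are constructed.

```python
SHOP_HOST = "www.13thgreen.com"
HOSTS = ["www.13thgreen.com", "13thgreen.com",
         "blog.13thgreen.com", "shop.www.13thgreen.com"]  # last two constructed


def domain_match(host, domain):
    """RFC 6265 section 5.1.3: host is the domain itself or a subdomain of it."""
    host, domain = host.lower(), domain.lower()
    return host == domain or host.endswith("." + domain)


def store_cookie(name, request_host, domain_attr):
    """Model how a browser stores a cookie set by request_host (None = rejected)."""
    domain_attr = domain_attr.lower()
    if domain_attr.startswith("."):
        domain_attr = domain_attr[1:]  # a leading dot is ignored
    if not domain_attr:  # no Domain attribute: host-only cookie
        return {"name": name, "domain": request_host.lower(), "host_only": True}
    if not domain_match(request_host, domain_attr):
        return None  # a host cannot set cookies for a domain it is not part of
    return {"name": name, "domain": domain_attr, "host_only": False}


def is_sent_to(cookie, host):
    """True if the browser would attach the stored cookie to a request for host."""
    if cookie["host_only"]:
        return host.lower() == cookie["domain"]
    return domain_match(host, cookie["domain"])


def session_cookie_scope(cookie_domain_setting):
    """Hosts that would receive osCsid for a given HTTP_COOKIE_DOMAIN value."""
    cookie = store_cookie("osCsid", SHOP_HOST, cookie_domain_setting)
    return [h for h in HOSTS if is_sent_to(cookie, h)]


def cookie_groups(cookie_domain_setting):
    """Group cookies by stored domain, the way a browser's cookie viewer lists them."""
    # Analytics cookie stored under 13thgreen.com, as observed in the thread.
    jar = [store_cookie("__utma", SHOP_HOST, "13thgreen.com")]
    jar += [store_cookie(n, SHOP_HOST, cookie_domain_setting)
            for n in ("cookie_test", "osCsid")]
    groups = {}
    for cookie in jar:
        groups.setdefault(cookie["domain"], []).append(cookie["name"])
    return groups


if __name__ == "__main__":
    for setting in ("", "www.13thgreen.com", "13thgreen.com"):
        print(repr(setting), session_cookie_scope(setting), cookie_groups(setting))
```

With '13thgreen.com' the session cookie is also sent to every other host under the domain, so the single merged group comes at the price of a wider osCsid exposure than the www setting gives.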
Guest
Posted May 28, 2010

Readers,

I'm getting pretty desperate at this point and my frustration level is sky high. At this point I'm trying everything. I've scoured through pages and pages of search results for various keywords. It looks like my problem is one of a kind. Here is a recap of what is going on for newer readers.

Spiders are creating sessions by accepting cookies. To fix this I installed this modification http://www.oscommerc...y/contributions,4507/page,45. I have not confirmed if it works or not.

I have a set of cookies which I can't explain. They all begin as __utm% (% = wild-card letter). Other people have them on oscommerce I have noticed but no one mentions their source.

An unusual number of people visit our website and do not initially get a cookie. Of course I always do and every computer I test with does also.

I decided to store sessions in the database. I have no reason for doing so other than feeling desperate and hoping for some luck.

Well, I'm at a low and will post more later.

BryceJr
Posted May 28, 2010

> Spiders are creating sessions by accepting cookies...

First time I've heard of this.

> I have a set of cookies which I can't explain. They all begin as __utm% (% = wild-card letter). Other people have them on oscommerce I have noticed but no one mentions their source.

Source is Google Analytics. More information >>here.

> An unusual number of people visit our website and do not initially get a cookie. Of course I always do and every computer I test with does also.

The default install of most browsers is to accept cookies. If people decide to change their default browser settings, such as not accepting all cookies or not accepting cookies from a particular domain, then they don't get cookies.

> I decided to store sessions in the database. I have no reason for doing so other than feeling desperate and hoping for some luck.

You probably did not know that you've been storing sessions in your database. Remember this line >> define('STORE_SESSIONS', 'mysql'); in your configure.php file?

This topic is now archived and is closed to further replies.