toyOSC Posted August 12, 2010

I've inherited a pretty customized osCommerce site and am learning the ins and outs. I like the system but I keep running into a problem where customers share links that contain visible Session IDs in the URL. I've tried forcing cookies but this totally stops the site from working. I've tried searching for osCsid functions throughout the site but haven't found a function I can modify. I've tried a few workarounds (visitors whose last URL was outside of the site get a new session ID, rewrite on the URL) but workarounds always seem to create their own set of new and exciting issues. I'd rather work from within the system.

I noticed that my site has hardcoded HTML links with a variable added for the Session ID:

<a href="thispage.php?osCsid=<?php echo $osCsid; ?>">

There are also links created from functions... proper osCommerce links, I believe, such as:

$manufacturers_list .= '<a href="' . tep_href_link(FILENAME_DEFAULT, 'manufacturers_id=' . $manufacturers['manufacturers_id']) . '">' . $manufacturers_name . '</a>';

I couldn't find any documentation or forum posts on exactly all the things that tep_href_link covers, but it looks like it handles the Session ID in the link.

My question: is it wrong to use the hardcoded links we've set up with the variable? Or should I replace them all (thousands) with tep_href_link so I don't get the osCsid variable passed along in the URL? Or will it be there anyway?

Hope this question makes sense. Thanks in advance for any advice, a point in the right direction or reference, or any help at all.
FWR Media Posted August 12, 2010

1) includes/configure.php must be correct (cookies are stored).

2) Admin configs:
Prevent Spider Sessions - true (plus an updated spiders.txt - see contribs).
Recreate Session - true (fundamental to recreate the session id at the very least on change of state).
IDEAL: Force Cookie Use - means no session id in the querystring - EVER. Must have a proper SSL certificate, and the certificate must be assigned to the same domain as the main site, e.g. if the main site is accessed as www.mysite.com the cert must be issued to www.mysite.com (if the cert was issued to mysite.com (no www) it won't work). Don't listen to anyone who says "you will lose the customers who set their browsers not to accept cookies".

3) ALL urls MUST be produced using the link wrapper (tep_href_link()); if they are not then the whole scenario will fail.
toyOSC Posted August 13, 2010 (Author)

> 1) includes/configure.php must be correct (cookies are stored)

Is this correct with the cookie path being blank?

define('HTTP_COOKIE_DOMAIN', 'http://mysite.com');
define('HTTPS_COOKIE_DOMAIN', 'https://mysite.com');
define('HTTP_COOKIE_PATH', '');
define('HTTPS_COOKIE_PATH', '');

> 2) admin configs .. Prevent Spider Sessions - true (plus an updated spiders.txt - see contribs)

Mine is true (just added the spiders.txt contribution dated 2010-04-17).

> admin configs .. Recreate Session - true (fundamental to recreate the session id at the very least on change of state)

Mine is true.

> admin configs .. IDEAL: Force Cookie Use - means no session id in the querystring - EVER - must have a proper SSL certificate and the certificate must be assigned to the same domain as the main site .. e.g. main site is accessed as www.mysite.com - cert must be issued to www.mysite.com (if the cert was issued to mysite.com (no www) it won't work). Don't listen to anyone who says "you will lose the customers who set their browsers not to accept cookies".

I'll try this on my development site. Thanks for the tips on employing this. Our certificate is configured properly.

> 3) ALL urls MUST be produced using the link wrapper (tep_href_link()); if they do not then the whole scenario will fail.

You've confirmed my worst fears (but at least I know). Looks like a busy week coming up ;)

I'll be testing, but I think my only question is whether the config is set up right for HTTP_COOKIE_PATH, as it is currently blank. Thanks for your help.
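As an added illustration (not osCommerce's code and not posted by either participant) of how FWR Media's three rules and the configure.php question fit together: a PHP sketch in which the cookie constants hold a bare host name and a '/' path, and a link wrapper appends osCsid only when no cookie can carry the session. build_link, hardcoded_link, on_state_change, the host www.mysite.com and the session id 'abc123' are all constructed for the example.

```php
<?php
// Added example, not osCommerce's own code. Models the rule from the thread:
// only the link wrapper decides whether osCsid goes into the querystring, and
// with "Force Cookie Use" on it never does. Names and values are constructed.

// Cookie settings the way a corrected includes/configure.php states them:
// a bare host (no http:// scheme), the same host the certificate was issued
// for, and a '/' path so the cookie is sent for every script on the site.
define('HTTP_COOKIE_DOMAIN',  'www.mysite.com');
define('HTTPS_COOKIE_DOMAIN', 'www.mysite.com');
define('HTTP_COOKIE_PATH',    '/');
define('HTTPS_COOKIE_PATH',   '/');
// Admin -> Configuration -> Sessions, modelled as the 'True'/'False' strings
// osCommerce stores. 'False' is the setting that lets osCsid leak into links.
define('SESSION_FORCE_COOKIE_USE', 'True');

/**
 * Hypothetical wrapper (stand-in for tep_href_link) that appends the session
 * id only when the session cannot be carried by a cookie.
 *
 * @param string $page        target script, e.g. 'index.php'
 * @param string $params      query string without the leading '?'
 * @param string $sid         current session id, '' if no session started
 * @param bool   $sidInCookie true when the client sent the session cookie
 */
function build_link($page, $params, $sid, $sidInCookie) {
    $link = $page . ($params !== '' ? '?' . $params : '');
    if (SESSION_FORCE_COOKIE_USE === 'True' || $sid === '' || $sidInCookie) {
        return $link;                     // nothing to expose in the URL
    }
    $sep = ($params !== '') ? '&' : '?';  // cookie-less fallback only
    return $link . $sep . 'osCsid=' . rawurlencode($sid);
}

// The hardcoded pattern from the question: emits the id on every render,
// regardless of cookies, so a shared link carries the live session with it.
function hardcoded_link($page, $sid) {
    return $page . '?osCsid=' . $sid;
}

// Models the admin "Recreate Session" setting: a fresh id on change of state
// (login, checkout) so an id that was shared earlier no longer opens the
// authenticated session.
function on_state_change() {
    session_regenerate_id(true);          // true discards the old session data
}

echo hardcoded_link('index.php', 'abc123'), "\n";
echo build_link('index.php', 'manufacturers_id=3', 'abc123', false), "\n";
```

Running the two echo lines shows the hardcoded form carrying osCsid while the wrapped form, with Force Cookie Use on, emits only index.php?manufacturers_id=3.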