osCommerce


Proper Linking and Avoiding osCsid Problems


toyOSC


Posted

I've inherited a pretty customized osCommerce site and am learning the ins and outs. I like the system but I keep running into a problem where customers share links that contain visible Session IDs in the URL. I've tried forcing cookies but this totally stops the site from working. I've tried searching for oscSid functions throughout the site but haven't found a function I can modify. I've tried a few workarounds (visitors with last URL outside of the site get a new session ID, rewrite on the URL) but workarounds always seem to create their own set of new and exciting issues. I'd rather work from within the system.

I noticed in my site that it has hardcoded html links with a variable added for the Session ID.

<a href="thispage.php?osCsid=<?php echo $osCsid; ?>">

There are also links created from functions... proper osCommerce links, I believe, such as

$manufacturers_list .= '<a href="' . tep_href_link(FILENAME_DEFAULT, 'manufacturers_id=' . $manufacturers['manufacturers_id']) . '">' . $manufacturers_name . '</a>';

I couldn't find any documentation or forum posts on exactly all the things that tep_href_link covers, but it looks like it handles the Session ID in the link.

My question: is it wrong to use the hardcoded links we've set up with the variable? Or should I replace them all (thousands) with tep_href_link so I don't get the osCsid variable passed along in the URL? Or will it be there anyway?

Hope this question makes sense. Thanks in advance for any advice, a point in the right direction or reference, or any help at all.

Posted


1) includes/configure.php must be correct ( cookies are stored )

2) admin configs ..

Prevent Spider Sessions - true ( plus an updated spiders.txt - see contribs )

Recreate Session - true ( fundamental to recreate the session id at the very least on change of state )

IDEAL: - Force Cookie Use - means no session id in the querystring - EVER - must have a proper SSL certificate and the certificate must be assigned to the same domain as the main site .. e.g. main site is accessed as www.mysite.com - cert must be issued to www.mysite.com ( if the cert was issued to mysite.com ( no www ) it won't work ). Don't listen to anyone who says "you will lose the customers who set their browsers not to accept cookies".

3) ALL urls MUST be produced using the link wrapper ( tep_href_link() ); if they are not, the whole scenario will fail.

Posted
1) includes/configure.php must be correct ( cookies are stored )

Is this correct with cookie path being blank?

define('HTTP_COOKIE_DOMAIN', 'http://mysite.com');
define('HTTPS_COOKIE_DOMAIN', 'https://mysite.com');
define('HTTP_COOKIE_PATH', '');
define('HTTPS_COOKIE_PATH', '');

2) admin configs ..

Prevent Spider Sessions - true ( plus an updated spiders.txt - see contribs )

Mine is true (just added spider.txt contribution dated 2010-04-17)

admin configs ..

Recreate Session - true ( fundamental to recreate the session id at the very least on change of state )

Mine is true

admin configs ..

IDEAL: - Force Cookie Use - means no session id in the querystring - EVER - must have a proper SSL certificate and the certificate must be assigned to the same domain as the main site .. e.g. main site is accessed as www.mysite.com - cert must be issued to www.mysite.com ( if the cert was issued to mysite.com ( no www ) it won't work ). Don't listen to anyone who says "you will lose the customers who set their browsers not to accept cookies".

I'll try this on my development site.

Thanks for the tips employing this. Our certificate is config'd properly.

3) ALL urls MUST be produced using the link wrapper ( tep_href_link() ); if they are not, the whole scenario will fail.

You've confirmed my worst fears (but at least I know). Looks like a busy week coming up ;)

I'll be testing but I think my only question is if the config is set up right for HTTP_COOKIE_PATH as it is currently blank.

Thanks for your help.
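The cookie settings quoted above and the hand-built osCsid links from the first post can both be checked mechanically. The script below is an added example (not part of this thread or of osCommerce): it reads define() lines from a configure.php fragment, flags a cookie domain written as a URL (a cookie's Domain attribute is a bare host name, so a browser refuses such a cookie and the store falls back to osCsid in the query string) and an empty cookie path, and lists template lines whose href carries osCsid directly instead of going through tep_href_link(). The configure.php and template fragments are constructed samples that mirror the thread, plus a corrected version of the defines.

```python
import re

# Constructed configure.php fragment mirroring the values quoted in the thread.
CONFIGURE_PHP = """
define('HTTP_COOKIE_DOMAIN', 'http://mysite.com');
define('HTTPS_COOKIE_DOMAIN', 'https://mysite.com');
define('HTTP_COOKIE_PATH', '');
define('HTTPS_COOKIE_PATH', '');
"""

# Constructed corrected fragment: a bare host name for the domain, '/' for the path.
FIXED_CONFIGURE_PHP = """
define('HTTP_COOKIE_DOMAIN', 'www.mysite.com');
define('HTTPS_COOKIE_DOMAIN', 'www.mysite.com');
define('HTTP_COOKIE_PATH', '/');
define('HTTPS_COOKIE_PATH', '/');
"""

# Constructed template fragment: one hand-built osCsid link, one wrapper-generated link.
TEMPLATE_PHP = """
<a href="thispage.php?osCsid=<?php echo $osCsid; ?>">hard-coded</a>
<a href="<?php echo tep_href_link(FILENAME_DEFAULT, 'manufacturers_id=' . $id); ?>">wrapped</a>
"""

DEFINE_RE = re.compile(r"define\(\s*'([A-Z_]+)'\s*,\s*'([^']*)'\s*\)")
# An href whose literal query string already carries osCsid, i.e. not produced by tep_href_link().
HARDCODED_SID_RE = re.compile(r"""href\s*=\s*["'][^"'<>]*[?&]osCsid=""", re.IGNORECASE)

def parse_defines(src):
    """Map the define('NAME', 'value') lines of a configure.php fragment to a dict."""
    return dict(DEFINE_RE.findall(src))

def check_cookie_config(defines):
    """Return the cookie settings that stop the browser from storing the session cookie.
    A Domain attribute holding a scheme never matches the request host, so the cookie is dropped."""
    problems = []
    for key in ("HTTP_COOKIE_DOMAIN", "HTTPS_COOKIE_DOMAIN"):
        value = defines.get(key, "")
        if "://" in value or "/" in value:
            problems.append(f"{key} must be a bare host name, got {value!r}")
    for key in ("HTTP_COOKIE_PATH", "HTTPS_COOKIE_PATH"):
        if defines.get(key, "") == "":
            problems.append(f"{key} is empty; '/' scopes the cookie to the whole site")
    return problems

def find_hardcoded_session_links(src):
    """Return 1-based line numbers of href attributes that append osCsid by hand."""
    return [n for n, line in enumerate(src.splitlines(), 1) if HARDCODED_SID_RE.search(line)]
```

Run against the samples, check_cookie_config(parse_defines(CONFIGURE_PHP)) reports all four settings, the FIXED_CONFIGURE_PHP fragment reports none, and find_hardcoded_session_links(TEMPLATE_PHP) returns [2]; pointing the second function at the real catalog templates gives the list of links that still need the wrapper.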

Archived

This topic is now archived and is closed to further replies.
