♥FWR Media Posted January 31, 2011 Share Posted January 31, 2011 Many of you would have seen this post: - What is the osCsid & why you must not loose it. The title of this topic is very similar on purpose, partly humorous but also because the subject matter is related. The reason I am starting this topic is that I recently saw an experienced and respected forum member give the following advice to a "low experience" user: - Force cookies should not be used so you are correct in having it off. I see this as dangerous or at least bad advice. There is no place in this day and age for the session to be carried via the querystring, it is a significant security hazard allowing such hack vectors as session riding etc. Some dangers are: - Hackers hijacking sessions. Customers logging in as each other and seeing each others private details. Customers copying links which have the session attached then posting the link on the web. ( leading to all sorts of problems including the above ). By forcing cookie usage you are ensuring that your shop is far more secure for your customers. Forcing cookie usage should be the standard with querystring based sessions only used by those who CAN'T force cookie usage. There are no drawbacks to setting up a shop in this way only positives. What about customers who have cookies off? Quite simply you cannot shop these days with cookies off. Virtually none of the big shops work if you have this setting, try adding to cart in Amazon.com and you'll get "Please Enable Cookies in your Web Browser to Continue.". Why? because it is insecure to have the session carried via the querystring. If one of your customers attempts to purchase with cookies set to off in their browser then they will no doubt be used to not being able to buy anything on the web. Who can't force cookie usage? Those who are on cheap hosting with cheap ( not full ) shared SSL certificates cannot force cookie usage. In these cases the session has to be carried in the querystring but this should be changed to force cookies just as soon as the shop can afford it. A small note on setting this up correctly: - If you have to have the session id in the querystring it is imperative that it is set up correctly. In admin>Configuration>Sessions Force Cookie Use must be false and Recreate Session must be true. Persistent osCsid: Installations with incorrectly set up configuration files may have a persistent osCsid ( the osCsid is ALWAYS attached to the querystring ) this is very dangerous and can be solved simply by setting up the configure files correctly. Don't use the "hide the osCsid" contributions as they do more harm than good. How do I tell if it is set up correctly? Close all browsers then open a new one visiting the front of your shop. If you hover over the links you will see the osCsid attached to all URLs. Now refresh the page and hover the links, the osCsid should be gone, if it isn't then your settings are incorrect and you have the very dangerous situation of persistent session id in the querystring. What are the required settings to force cookie usage? A full ( not shared ) SSL certificate that has been issued using the same domain as the site is accessed. Example: - If the shop is accessed as www.mysite.com then the certificate has to issued to www.mysite.com If the shop is accessed without the www ( just mysite.com ) then the certificate has to be issued as just mysite.com If the site access and the certificate issue is mismatched then the user will see a security warning. Once the certificate is in place the osCommerce force cookie usage session settings in admin can be changed to on. Never again will you see a link that has the osCsid attached. ( presuming the site code is good ). Ultimate SEO Urls 5 PRO - Multi Language Modern, Powerful SEO Urls KissMT Dynamic SEO Meta & Canonical Header Tags KissER Error Handling and Debugging KissIT Image Thumbnailer Security Pro - Querystring protection against hackers ( a KISS contribution ) If you found my post useful please click the "Like This" button to the right. Please only PM me for paid work. Link to comment Share on other sites More sharing options...
This topic is now archived and is closed to further replies.