FWR Media, posted January 31, 2011

Many of you would have seen this post: "What is the osCsid & why you must not loose it". The title of this topic is very similar on purpose, partly humorous but also because the subject matter is related.

The reason I am starting this topic is that I recently saw an experienced and respected forum member give the following advice to a "low experience" user:

> Force cookies should not be used so you are correct in having it off.

I see this as dangerous, or at least bad, advice. There is no place in this day and age for the session to be carried via the querystring; it is a significant security hazard, allowing such hack vectors as session riding etc.

Some dangers are:
- Hackers hijacking sessions.
- Customers logging in as each other and seeing each other's private details.
- Customers copying links which have the session attached, then posting the link on the web (leading to all sorts of problems, including the above).

By forcing cookie usage you are ensuring that your shop is far more secure for your customers. Forcing cookie usage should be the standard, with querystring-based sessions only used by those who CAN'T force cookie usage. There are no drawbacks to setting up a shop in this way, only positives.

What about customers who have cookies off?

Quite simply, you cannot shop these days with cookies off. Virtually none of the big shops work if you have this setting; try adding to cart on Amazon.com and you'll get "Please Enable Cookies in your Web Browser to Continue." Why? Because it is insecure to have the session carried via the querystring. If one of your customers attempts to purchase with cookies set to off in their browser then they will no doubt be used to not being able to buy anything on the web.

Who can't force cookie usage?

Those who are on cheap hosting with cheap (not full) shared SSL certificates cannot force cookie usage.
In these cases the session has to be carried in the querystring, but this should be changed to force cookies just as soon as the shop can afford it.

A small note on setting this up correctly:

If you have to have the session id in the querystring it is imperative that it is set up correctly. In admin > Configuration > Sessions, Force Cookie Use must be false and Recreate Session must be true.

Persistent osCsid:

Installations with incorrectly set up configuration files may have a persistent osCsid (the osCsid is ALWAYS attached to the querystring). This is very dangerous and can be solved simply by setting up the configure files correctly. Don't use the "hide the osCsid" contributions as they do more harm than good.

How do I tell if it is set up correctly?

Close all browsers, then open a new one visiting the front of your shop. If you hover over the links you will see the osCsid attached to all URLs. Now refresh the page and hover the links: the osCsid should be gone. If it isn't then your settings are incorrect and you have the very dangerous situation of a persistent session id in the querystring.

What are the required settings to force cookie usage?

A full (not shared) SSL certificate that has been issued using the same domain as the site is accessed. Example:
- If the shop is accessed as www.mysite.com then the certificate has to be issued to www.mysite.com.
- If the shop is accessed without the www (just mysite.com) then the certificate has to be issued as just mysite.com.

If the site access and the certificate issue are mismatched then the user will see a security warning.

Once the certificate is in place, the osCommerce force cookie usage session settings in admin can be changed to on. Never again will you see a link that has the osCsid attached (presuming the site code is good).
Ultimate SEO Urls 5 PRO - Multi Language Modern, Powerful SEO Urls | KissMT Dynamic SEO Meta & Canonical Header Tags | KissER Error Handling and Debugging | KissIT Image Thumbnailer | Security Pro - Querystring protection against hackers (a KISS contribution)
If you found my post useful please click the "Like This" button to the right. Please only PM me for paid work.
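As an added example (not code from the post above and not part of osCommerce), the following Python script automates the "fresh visit, then refresh" check described in the post: fetch the shop front page with an empty cookie jar, fetch it again with whatever cookie the first response set, and compare which links still carry an osCsid parameter. The two sample pages in the block are constructed to stand in for those two responses; `check_live()` runs the same comparison against a real URL and is the only part that needs network access. The three result labels are the script's own names for the three outcomes the post describes.

```python
"""Added example, not code from the post or from osCommerce: automate the
"fresh visit, then refresh" check for a session id (osCsid) that stays in the
shop's links.  Sample pages are constructed; only check_live() touches the net."""
from html.parser import HTMLParser
from http.cookiejar import CookieJar
from urllib.parse import parse_qs, urlsplit
from urllib.request import HTTPCookieProcessor, build_opener

SESSION_PARAM = "osCsid"   # osCommerce's session id parameter name


class _LinkCollector(HTMLParser):
    """Collect the href of every <a> and the action of every <form>."""

    def __init__(self):
        super().__init__()
        self.links = []

    def handle_starttag(self, tag, attrs):
        if tag in ("a", "form"):
            for name, value in attrs:
                if name in ("href", "action") and value:
                    self.links.append(value)


def extract_links(html):
    collector = _LinkCollector()
    collector.feed(html)
    return collector.links


def session_ids_in_links(html):
    """Return the set of osCsid values that appear in the page's links."""
    ids = set()
    for link in extract_links(html):
        ids.update(parse_qs(urlsplit(link).query).get(SESSION_PARAM, []))
    return ids


def classify(first_visit_html, refresh_html):
    """Classify the two-step check from the post.

    first_visit_html: the page served to a browser that has no cookie yet.
    refresh_html:     the same page requested again with the cookie set by
                      the first response.
    """
    first = session_ids_in_links(first_visit_html)
    second = session_ids_in_links(refresh_html)
    if not first and not second:
        return "forced_cookies"        # never in the URL: Force Cookie Use is on
    if first and not second:
        return "querystring_fallback"  # shown once, then the cookie takes over
    return "persistent"                # still in the links after the refresh


def check_live(url):
    """Run the same check against a real shop front page (needs network access)."""
    opener = build_opener(HTTPCookieProcessor(CookieJar()))
    first = opener.open(url).read().decode("utf-8", "replace")
    second = opener.open(url).read().decode("utf-8", "replace")
    return classify(first, second)


# Constructed sample pages: what a fresh visit and a refresh might look like.
FRESH_VISIT = (
    '<a href="/shop/index.php?cPath=22&amp;osCsid=0123456789abcdef">Hardware</a>'
    '<form action="/shop/advanced_search_result.php?osCsid=0123456789abcdef">'
    '</form>'
)
REFRESH_OK = (
    '<a href="/shop/index.php?cPath=22">Hardware</a>'
    '<form action="/shop/advanced_search_result.php"></form>'
)

if __name__ == "__main__":
    print(classify(FRESH_VISIT, REFRESH_OK))    # querystring_fallback
    print(classify(FRESH_VISIT, FRESH_VISIT))   # persistent
    print(classify(REFRESH_OK, REFRESH_OK))     # forced_cookies
```

The script only inspects links and form actions, so a shop that hides the osCsid in some other way (the "hide the osCsid" contributions the post warns against) would need the raw HTML checked as well; the point of the check is that, with a correct configuration, the second response contains no osCsid at all.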
Xpajun, posted January 31, 2011

> Example: If the shop is accessed as www.mysite.com then the certificate has to be issued to www.mysite.com. If the shop is accessed without the www (just mysite.com) then the certificate has to be issued as just mysite.com. If the site access and the certificate issue are mismatched then the user will see a security warning.

Robert,

When I initially had my SSL certificate set up, my hosting company informed me that it didn't matter whether the www. was there or not, it would work correctly. I have to say that it seems to have...

My store is currently running Phoenix 1.0.3.0. I'm currently working on 1.0.7.2 and hope to get it live before 1.0.8.0 arrives (maybe 🙄). I used to have a list of add-ons here but I've found that with the ones that supporters of Phoenix get, any other add-ons are not really necessary.
FWR Media, posted January 31, 2011

> Robert, when I initially had my SSL certificate set up, my hosting company informed me that it didn't matter whether the www. was there or not, it would work correctly. I have to say that it seems to have...

Maybe it was a wildcard certificate? My experience was that many years ago I had trouble with this where the client bought an SSL cert as www.mysite.com and then set up shop access as just mysite.com.
spoofy, posted January 31, 2011

I have had a similar argument not too long ago. In addition to Amazon, you can try a lot of other stores I used in my examples: Target.com, BestBuy.com, BlueFly.com, Zappos.com, Walmart.com.

Julian: You were probably set up on a wildcard SSL. Regular SSL will only work on the domain name it was issued for.

My Contributions: Google XML Sitemap SEO compatible with Ultimate SEO URL by FWR Media ::: Accurate & Precise Bread Crumb Trail
toyicebear, posted January 31, 2011

Actually some of the SSL certificate providers now give you both with and without www included at no extra cost, so check around before purchasing a new SSL certificate.

Basics for osC 2.2 Design - Basics for Design V2.3+ - Seo & Sef Url's - Meta Tags for Your osC Shop - Steps to prevent Fraud... - MS3 and Team News... - SEO, Meta Tags, SEF Urls and osCommerce - Commercial Support Inquiries - OSC 2.3+ How To
To see what more I can do for you, check out my profile.
FWR Media, posted January 31, 2011

> Actually some of the SSL certificate providers now give you both with and without www included at no extra cost, so check around before purchasing a new SSL certificate.

Yes, good point Nick. I have just looked into this and some do offer both. Ah well, my original point still stands, but users with this type of cert simply don't need to worry about it.
ErikMM, posted January 31, 2011

Thank you Robert!

I did as instructed, but RE: "How do I tell if it is set up correctly?", it appears I am set up incorrectly. What do I do to "set up the configure files correctly"?

a-how-to-road-map 2.3.x | road-map-for-the-newbies | design basics | how to make a horrible osC site | ssl-how to | updated-security-thread
Web Developer, Firebug, and Notepad++ are powerful free tools for web design.
FWR Media, posted January 31, 2011

> Thank you Robert! I did as instructed, but RE: "How do I tell if it is set up correctly?", it appears I am set up incorrectly. What do I do to "set up the configure files correctly"?

Where are your files located on the server?
- In the root (site is accessed like www.mysite.com/)
- Or in a directory (site is accessed like www.mysite.com/shop/)

Also, is your shop accessed using the www or without?
ErikMM, posted January 31, 2011

> Where are your files located on the server? In the root (site is accessed like www.mysite.com/) or in a directory (site is accessed like www.mysite.com/shop/)? Also, is your shop accessed using the www or without?

For now it is in a directory. I am going to change it to the root as soon as I go live/start selling. No "www."
FWR Media, posted January 31, 2011

> For now it is in a directory. I am going to change it to the root as soon as I go live/start selling. No "www."

Ok, well firstly I'd recommend that you have your domain prefixed with www., but anyway:

catalog/includes/configure.php

The below assumes:
- Your domain is mysite.com
- You do not have SSL enabled
- The directory that you have installed the site into is named shop

define('HTTP_SERVER', 'http://mysite.com');     // scheme and host only; the directory goes in DIR_WS_HTTP_CATALOG
define('HTTPS_SERVER', 'http://mysite.com');    // SSL is not enabled, so this stays http://
define('ENABLE_SSL', false);
define('HTTP_COOKIE_DOMAIN', '.mysite.com');    // bare hostname, no scheme or path; the leading dot covers www.mysite.com too
define('HTTPS_COOKIE_DOMAIN', '.mysite.com');
define('HTTP_COOKIE_PATH', '/shop/');           // the directory the shop lives in
define('HTTPS_COOKIE_PATH', '/shop/');
define('DIR_WS_HTTP_CATALOG', '/shop/');
define('DIR_WS_HTTPS_CATALOG', '/shop/');
rwest, posted January 31, 2011

Hi FWR Media,

I turned Force Cookie Usage to on, and I started getting the message "You must have cookies enabled in your browser." I am using Firefox, and I do have cookies enabled. I have been searching for others with this problem, and I have found several, but no fixes. Can you help?

Thanks,
Ron
FWR Media, posted January 31, 2011

> I turned Force Cookie Usage to on, and I started getting the message "You must have cookies enabled in your browser." I am using Firefox, and I do have cookies enabled. I have been searching for others with this problem, and I have found several, but no fixes. Can you help?

The SSL certificate has to be correct and the configure files have to be correct. I can't really help without seeing the site.
rwest, posted January 31, 2011

As I couldn't get either my test site nor my production site to let me login, I'd like to get my test site working first.

My site is in a directory, and is accessed via www.mysite.com/test. My SSL cert is built on www.mysite.com.

My catalog/includes/configure.php:

define('HTTP_SERVER', 'http://www.mysite.com/test');
define('HTTPS_SERVER', 'https://www.mysite/test');
define('ENABLE_SSL', true); // secure webserver for checkout procedure?
define('HTTP_COOKIE_DOMAIN', 'www.mysite.com/test');
define('HTTPS_COOKIE_DOMAIN', 'www.mysite.com/test');
define('HTTP_COOKIE_PATH', '/');
define('HTTPS_COOKIE_PATH', '/');

Ron
rwest, posted February 1, 2011

Ok, I used your post above as a model to make the following changes, which now seem to be working. Thanks.

define('HTTP_SERVER', 'http://www.mysite.com');
define('HTTPS_SERVER', 'https://www.mysite.com');
define('ENABLE_SSL', true);
define('HTTP_COOKIE_DOMAIN', 'www.mysite.com');
define('HTTPS_COOKIE_DOMAIN', 'www.mysite.com');
define('HTTP_COOKIE_PATH', '/test/');
define('HTTPS_COOKIE_PATH', '/test/');
define('DIR_WS_HTTP_CATALOG', '/test/');
define('DIR_WS_HTTPS_CATALOG', '/test/');

> As I couldn't get either my test site nor my production site to let me login, I'd like to get my test site working first. My site is in a directory, and is accessed via www.mysite.com/test. My SSL cert is built on www.mysite.com. My catalog/includes/configure.php:
>
> define('HTTP_SERVER', 'http://www.mysite.com/test');
> define('HTTPS_SERVER', 'https://www.mysite/test');
> define('ENABLE_SSL', true); // secure webserver for checkout procedure?
> define('HTTP_COOKIE_DOMAIN', 'www.mysite.com/test');
> define('HTTPS_COOKIE_DOMAIN', 'www.mysite.com/test');
> define('HTTP_COOKIE_PATH', '/');
> define('HTTPS_COOKIE_PATH', '/');

Ron
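Added example, not from this thread and not part of osCommerce: a small Python checker for the consistency rules that the working configure.php snippets posted in this thread follow (scheme and host only in HTTP_SERVER and HTTPS_SERVER, a bare hostname in the *_COOKIE_DOMAIN constants that covers that host, HTTPS_SERVER using https:// when ENABLE_SSL is true, both server constants naming the same host the certificate is issued for, and a cookie path that the shop directory sits under). The two sample configs are constructed from Ron's "before" and "after" posts above; the parser understands only define('NAME', 'string') and define('NAME', true|false) lines, and the finding texts are the script's own wording.

```python
"""Added example (not osCommerce code): consistency check for the session and
cookie constants in catalog/includes/configure.php.  The rules are the ones the
working configs in the thread follow; the sample configs are constructed."""
import re
from urllib.parse import urlsplit

# Matches define('NAME', 'string') and define('NAME', true|false) only.
DEFINE_RE = re.compile(
    r"define\(\s*'([A-Z_]+)'\s*,\s*(?:'([^']*)'|(true|false))\s*\)")


def parse_defines(text):
    """Return {NAME: value}; string constants as str, booleans as bool."""
    cfg = {}
    for name, string_val, bool_val in DEFINE_RE.findall(text):
        cfg[name] = string_val if bool_val == "" else (bool_val == "true")
    return cfg


def _domain_matches(cookie_domain, host):
    """'.mysite.com' or 'mysite.com' covers mysite.com and its subdomains."""
    bare = cookie_domain.lstrip(".")
    return host == bare or host.endswith("." + bare)


def check_config(text):
    """Return a list of findings; an empty list means the constants are consistent."""
    cfg = parse_defines(text)
    findings = []
    hosts = set()
    for scheme in ("HTTP", "HTTPS"):
        parts = urlsplit(cfg.get(scheme + "_SERVER", ""))
        host = parts.hostname or ""
        hosts.add(host)
        if parts.path not in ("", "/"):
            findings.append("%s_SERVER carries a path %r; the shop directory belongs "
                            "in DIR_WS_%s_CATALOG" % (scheme, parts.path, scheme))
        domain = cfg.get(scheme + "_COOKIE_DOMAIN", "")
        if "/" in domain:
            findings.append("%s_COOKIE_DOMAIN %r contains a path or scheme; the browser "
                            "will refuse the session cookie" % (scheme, domain))
        elif not _domain_matches(domain, host):
            findings.append("%s_COOKIE_DOMAIN %r does not cover host %r"
                            % (scheme, domain, host))
        cookie_path = cfg.get(scheme + "_COOKIE_PATH", "/")
        catalog = cfg.get("DIR_WS_%s_CATALOG" % scheme, "/")
        if not catalog.startswith(cookie_path):
            findings.append("%s_COOKIE_PATH %r is not a prefix of DIR_WS_%s_CATALOG %r; "
                            "the cookie is never sent to the shop"
                            % (scheme, cookie_path, scheme, catalog))
    if cfg.get("ENABLE_SSL") is True and not cfg.get("HTTPS_SERVER", "").startswith("https://"):
        findings.append("ENABLE_SSL is true but HTTPS_SERVER is not an https:// URL")
    if len(hosts) > 1:
        findings.append("HTTP_SERVER and HTTPS_SERVER name different hosts %s; the "
                        "certificate must be issued for the host the shop is accessed on"
                        % sorted(hosts))
    return findings


# Constructed from Ron's first post: path in the server URLs, path in the cookie
# domain, and an HTTPS host that does not match the HTTP one.
BROKEN = """
define('HTTP_SERVER', 'http://www.mysite.com/test');
define('HTTPS_SERVER', 'https://www.mysite/test');
define('ENABLE_SSL', true); // secure webserver for checkout procedure?
define('HTTP_COOKIE_DOMAIN', 'www.mysite.com/test');
define('HTTPS_COOKIE_DOMAIN', 'www.mysite.com/test');
define('HTTP_COOKIE_PATH', '/');
define('HTTPS_COOKIE_PATH', '/');
"""

# Constructed from Ron's corrected post.
FIXED = """
define('HTTP_SERVER', 'http://www.mysite.com');
define('HTTPS_SERVER', 'https://www.mysite.com');
define('ENABLE_SSL', true);
define('HTTP_COOKIE_DOMAIN', 'www.mysite.com');
define('HTTPS_COOKIE_DOMAIN', 'www.mysite.com');
define('HTTP_COOKIE_PATH', '/test/');
define('HTTPS_COOKIE_PATH', '/test/');
define('DIR_WS_HTTP_CATALOG', '/test/');
define('DIR_WS_HTTPS_CATALOG', '/test/');
"""

if __name__ == "__main__":
    for label, text in (("broken", BROKEN), ("fixed", FIXED)):
        print(label, check_config(text) or "ok")
```

The cookie-domain rule is the one that produces Ron's symptom: a domain attribute containing a path is not a valid cookie domain, so the browser never stores the session cookie, and with Force Cookie Use on the shop then reports that cookies are disabled.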
ErikMM, posted February 1, 2011

> Ok, well firstly I'd recommend that you have your domain prefixed with www., but anyway: catalog/includes/configure.php. The below assumes your domain is mysite.com, you do not have SSL enabled, and the directory that you have installed the site into is named shop.
>
> define('HTTP_SERVER', 'http://mysite.com');
> define('HTTPS_SERVER', 'http://mysite.com');
> define('ENABLE_SSL', false);
> define('HTTP_COOKIE_DOMAIN', '.mysite.com');
> define('HTTPS_COOKIE_DOMAIN', '.mysite.com');
> define('HTTP_COOKIE_PATH', '/shop/');
> define('HTTPS_COOKIE_PATH', '/shop/');
> define('DIR_WS_HTTP_CATALOG', '/shop/');
> define('DIR_WS_HTTPS_CATALOG', '/shop/');

I do have SSL so I did the above, but changed ENABLE_SSL to true. I also added www at

define('HTTP_SERVER', 'http://mysite.com');
define('HTTPS_SERVER', 'http://mysite.com');

but nothing changed at the site... still have no www, and persistent osCsid.
pdcelec, posted February 1, 2011

> I do have SSL so I did the above, but changed ENABLE_SSL to true. I also added www at define('HTTP_SERVER', 'http://mysite.com'); define('HTTPS_SERVER', 'http://mysite.com'); but nothing changed at the site... still have no www, and persistent osCsid.

define('HTTP_SERVER', 'http://mysite.com');
define('HTTPS_SERVER', 'https://mysite.com');
ErikMM, posted February 1, 2011

> define('HTTP_SERVER', 'http://mysite.com');
> define('HTTPS_SERVER', 'https://mysite.com');

I did have the "S." SSL seems to be fine, and www is now working/there, but the osCsid is still persistent.
FWR Media, posted February 1, 2011

> I did have the "S." SSL seems to be fine, and www is now working/there, but the osCsid is still persistent.

Post the first 9 lines of the configure file as given in my posts above. Also, what is the directory where the shop is installed?
ErikMM, posted February 1, 2011

> Post the first 9 lines of the configure file as given in my posts above. Also, what is the directory where the shop is installed?

1.
define('HTTP_SERVER', 'http://www.mysite.com');
define('HTTPS_SERVER', 'https://www.mysite.com');
define('ENABLE_SSL', true);
define('HTTP_COOKIE_DOMAIN', '.mysite.com');
define('HTTPS_COOKIE_DOMAIN', '.mysite.com');
define('HTTP_COOKIE_PATH', '/catalog/');
define('HTTPS_COOKIE_PATH', '/catalog/');
define('DIR_WS_HTTP_CATALOG', '/catalog/');
define('DIR_WS_HTTPS_CATALOG', '/catalog/');

2. mysite.com/catalog
FWR Media, posted February 1, 2011

> 1.
> define('HTTP_SERVER', 'http://www.mysite.com');
> define('HTTPS_SERVER', 'https://www.mysite.com');
> define('ENABLE_SSL', true);
> define('HTTP_COOKIE_DOMAIN', '.mysite.com');
> define('HTTPS_COOKIE_DOMAIN', '.mysite.com');
> define('HTTP_COOKIE_PATH', '/catalog/');
> define('HTTPS_COOKIE_PATH', '/catalog/');
> define('DIR_WS_HTTP_CATALOG', '/catalog/');
> define('DIR_WS_HTTPS_CATALOG', '/catalog/');
>
> 2. mysite.com/catalog

Strange... that is perfect. Could you PM me a link to the site please?
FWR Media, posted February 2, 2011

@erikMM I checked your site; there is nothing wrong with it. On first load the osCsid is present, refresh and it is gone; this is standard operation. The only way to get rid of the osCsid totally is forcing cookie use.
Biancoblu, posted February 2, 2011

Thank you for this interesting topic. I recognize myself in the "low experienced user advised to keep force cookie usage set to off". I have a question about my site... you say:

> How do I tell if it is set up correctly? Close all browsers, then open a new one visiting the front of your shop. If you hover over the links you will see the osCsid attached to all URLs. Now refresh the page and hover the links: the osCsid should be gone. If it isn't then your settings are incorrect and you have the very dangerous situation of a persistent session id in the querystring.

My shop behaves like this, i.e. when I hover on the links I have the osCsid in all URLs; when I refresh and hover again, they're gone. However these are my settings:

force cookie use: false
recreate session: false

If I set force cookie use to true, I lose the osCsid completely. I have a private SSL set up for www.mysite.com, which is the address my shop is accessed from, and my config file is like this:

define('HTTP_SERVER', 'http://www.mysite.com');
define('HTTPS_SERVER', 'https://www.mysite.com');
define('ENABLE_SSL', true);
define('HTTP_COOKIE_DOMAIN', '.mysite.com');
define('HTTPS_COOKIE_DOMAIN', '.mysite.com');
define('HTTP_COOKIE_PATH', '/');
define('HTTPS_COOKIE_PATH', '/');
define('DIR_WS_HTTP_CATALOG', '/');
define('DIR_WS_HTTPS_CATALOG', '/');

Are there errors anywhere? And what about the fact that I have force cookie use set to off and the shop still behaves the way you say it should?

~ Don't mistake my kindness for weakness ~
FWR Media, posted February 2, 2011

> Thank you for this interesting topic. I recognize myself in the "low experienced user advised to keep force cookie usage set to off". I have a question about my site... you say:
>
> My shop behaves like this, i.e. when I hover on the links I have the osCsid in all URLs; when I refresh and hover again, they're gone. However these are my settings: force cookie use: false, recreate session: false. If I set force cookie use to true, I lose the osCsid completely.

Sounds like your shop is working perfectly, and when you set force cookie use to true you should never see the osCsid in the URL.

> Are there errors anywhere? And what about the fact that I have force cookie use set to off and the shop still behaves the way you say it should?

All looks fine to me; if the shop all works perfectly with force cookie use set to true then I'd leave it like that.

A good test is when changing from non-SSL to SSL, like:
1) Make sure you are logged out, then add a product to cart.
2) Log in as a customer (you should now be on SSL).
3) Check that the cart still contains its contents.

If the cart is correct then all seems to be working.
Biancoblu, posted February 2, 2011

Thank you for replying.

> All looks fine to me; if the shop all works perfectly with force cookie use set to true then I'd leave it like that.

You meant to say force cookie set to false, right? Which is how mine is set; just making sure I understand.

> 1) Make sure you are logged out, then add a product to cart.
> 2) Log in as a customer (you should now be on SSL).
> 3) Check that the cart still contains its contents.

I tried and yes, it works exactly like that. So what is the reason behind the fact that sometimes it works fine with force cookie use set to false, and sometimes not?
FWR Media, posted February 2, 2011

> So what is the reason behind the fact that sometimes it works fine with force cookie use set to false, and sometimes not?

I haven't seen you describe this. Could you explain to me exactly what happens when sometimes it doesn't work fine?
This topic is now archived and is closed to further replies.