
OsCsid in URL: what makes it disappear?


Havock


Posted

Greetings ladies and gentlemen.

 

I've upgraded my old site to be compliant with PHP 5.4 (I still have some small work to do to make it compliant with PHP 5.5 and 5.6) and MySQL 5.5.

I've installed it to my new server and made a lot of tests. Everything works fine.

 

There is just one thing that bothers me. Usually when someone arrives on an osCommerce site, the OsCsid is shown in the URL after the first click on a link, then it disappears after the second click on a link.

On my new site, the OsCsid is shown in the URL after the first click on a link, and it stays visible. When the customer logs in or creates an account, a new OsCsid is shown (my "session recreate" is set to true, so that's normal) and then this new OsCsid disappears after a click on a link.

 

So I'm wondering why the behaviour of these two OsCsid is not the same.

 

I'm using the Sessions code of version 2.3.4.

 

My configure.php is as follows (I've removed some info that is not useful here):

define('HTTP_SERVER', 'http://www.toto.com');
define('HTTPS_SERVER', 'https://www.toto.com/');
define('ENABLE_SSL', false);
define('HTTP_COOKIE_DOMAIN', 'www.toto.com');
define('HTTPS_COOKIE_DOMAIN', '');
define('HTTP_COOKIE_PATH', '/');
define('HTTPS_COOKIE_PATH', '');
define('DIR_WS_HTTP_CATALOG', '/');
define('DIR_WS_HTTPS_CATALOG', '');
define('DIR_WS_IMAGES', 'images/');
define('DIR_WS_ICONS', DIR_WS_IMAGES . 'icons/');
define('DIR_WS_INCLUDES', 'includes/');
define('DIR_WS_BOXES', DIR_WS_INCLUDES . 'boxes/');
define('DIR_WS_FUNCTIONS', DIR_WS_INCLUDES . 'functions/');
define('DIR_WS_CLASSES', DIR_WS_INCLUDES . 'classes/');
define('DIR_WS_MODULES', DIR_WS_INCLUDES . 'modules/');
define('DIR_WS_LANGUAGES', DIR_WS_INCLUDES . 'languages/');
...
...
define('DIR_WS_DOWNLOAD_PUBLIC', 'pub/');
define('DIR_FS_CATALOG', $_SERVER['DOCUMENT_ROOT']); //
define('DIR_FS_DOWNLOAD', DIR_FS_CATALOG . 'download');
define('DIR_FS_DOWNLOAD_PUBLIC', DIR_FS_CATALOG . 'pub/');
...
...
define('MAX_DISPLAY_FEATURED_PRODUCTS', '20');
...
...

In the admin, all my sessions parameters are on false except the "prevent spider sessions" and "session recreate".

 

If someone has a clue :)

Posted

These changes are needed.

define('HTTP_COOKIE_DOMAIN', '.www.toto.com');
define('HTTPS_COOKIE_DOMAIN', '.www.toto.com');
define('HTTP_COOKIE_PATH', '/');
define('HTTPS_COOKIE_PATH', '/');
define('DIR_WS_HTTP_CATALOG', '/');
define('DIR_WS_HTTPS_CATALOG', '/');

For the DIR_FS_CATALOG entry, you should use the actual path, like 'home/username/public_html'. But, if not, after $_SERVER[DOCUMENT_ROOT] add '/'

Support Links:

For Hire: Contact me for anything you need help with for your shop: upgrading, hosting, repairs, code written, etc.

All of My Addons

Get the latest versions of my addons

Recommended SEO Addons

Posted

Thanks for the reply Jack.

 

Unfortunately I forgot to paste this line in the quote of my config file:

 

define('STORE_SESSIONS', 'mysqli');

 

So my sessions are stored in my database and the HTTP_COOKIE_DOMAIN and HTTPS_COOKIE_DOMAIN are therefore useless.

 

My $_SERVER[DOCUMENT_ROOT] is something like this : /home/.../.../www.toto.com/

 

so it should be good.

 

My sessions work fine. The weird thing is that the behaviour of the first session (created when the customer arrives on the site) and the behaviour of the second session (created after the customer logs in or creates an account) are not the same (or at least the way the OsCsid is handled in the URL is not the same before and after login / creation of an account).

Posted

Your STORE_SESSIONS setting is incorrect. It should be mysql.  No, your sessions don't work correctly. If they worked correctly they would not be showing as you describe. The reason the session ID shows in the url when it shouldn't is almost always due to the configure file. Once you fix it, the problem should be gone.


Posted

Your STORE_SESSIONS setting is incorrect. It should be mysql.

 

Even if for all my database connections I use mysqli? (I've changed mysql to mysqli in the osc files)

Posted

I am using the very latest edge version on my store and the store sessions  is

 

define('STORE_SESSIONS', 'mysql');

REMEMBER BACKUP, BACKUP AND BACKUP

Posted

@Havock That's not the purpose of the setting. It is just a text string that the code compares against and it compares with mysql. So having it set to mysqli causes the comparison to fail.


Posted

@14steve14 thanks for the feedback :)

@Jack_mcs

Yes I know

In includes/functions/sessions.php I put :

if (STORE_SESSIONS == 'mysqli') {
function _sess_open($save_path, $session_name) {
....

 instead of :

if (STORE_SESSIONS == 'mysql') {
function _sess_open($save_path, $session_name) {
....

so it should be ok with my config settings (As far as I remember I've not seen another place where this test is made).

 

And thank you too for the feedback :)

Posted

Changing core code for no reason like that is a very bad idea. At some point the sessions file may be updated and if you don't remember your change, the shop will no longer function as you want.


Posted

osCommerce works correctly straight out the box if it is set up correctly. Set it up correctly and there is no need to bodge code to get it to work. Revert all your unnecessary code changes back to as they are in a standard install, and set it up correctly. Get out of the habit of altering core code. Using osCommerce as it is supplied will save other errors becoming apparent in later testing.

 

Many addons now supplied need no core code changes, and they are the ones you should be using. Many of them are easy to install and even easier to activate on the BS community version.

 

You may think that you are getting harsh criticism from some people here, but it's for your own good.


Posted

Point taken gentlemen :)

 

However I still do not see in which part of the code the inclusion (or rather the disappearance) of the OsCsid in the URL is managed.

Posted

This path is definitely not correct:  /home/.../.../www.toto.com/

Relative paths cannot be used in osCommerce. That path may work in some places, but it will cause errors in other places. Don't do that. The correct path from the root will look something like this: /home/username/www/

 

Find the correct path for your server and use that in your configure.php.

 

Regards

Jim

See my profile for a list of my addons and ways to get support.

Posted

Hello Jim, thx for the feedback.

 

This path is definitely not correct:  /home/.../.../www.toto.com/

Relative paths cannot be used in osCommerce. That path may work in some places, but it will cause errors in other places. Don't do that. The correct path from the root will look something like this: /home/username/www/

 

/home/.../.../www.toto.com/ is not the real path :) 

 

I wrote it like that to hide my server information, but I forgot that .. can have a meaning when dealing with paths. I should have put it like this: /home/somedirectoryname/anotherdirectoryname/www.toto.com/

 

:)

Posted

That is incorrect since the second parameter should be the user name. If you go to the payment section in modules, it shows the correct path there. It might be worth the effort for you to install a new shop in a sub-directory, using its install script or the servers option to install, if present. That should create a properly configured configure file that you can then compare against.


Posted

That is incorrect since the second parameter should be the user name. If you go to the payment section in modules, it shows the correct path there. It might be worth the effort for you to install a new shop in a sub-directory, using its install script or the servers option to install, if present. That should create a properly configured configure file that you can then compare against.

 

Thx Jack, but it's correct. The second parameter is my user name, but once again I did not want to put this kind of info on the net. If you prefer, the path is something like this: /home/myusername/anotherdirectoryname/www.toto.com/ :)

 

The site works, the payments work, I just wanted some clarifications.

 

The relevant code is in includes/html_output :

if ( ($add_session_id == true) && ($session_started == true) && (SESSION_FORCE_COOKIE_USE == 'False') ) {
	if (tep_not_null($SID)) {
		$_sid = $SID;
	} elseif ( ( ($request_type == 'NONSSL') && ($connection == 'SSL') && (ENABLE_SSL == true) ) || ( ($request_type == 'SSL') && ($connection == 'NONSSL') ) ) {
		if (HTTP_COOKIE_DOMAIN != HTTPS_COOKIE_DOMAIN) {
			$_sid = tep_session_name() . '=' . tep_session_id();
		}
	}
}
	
if (isset($_sid)) {
	$link .= $separator . tep_output_string($_sid);
}

If the global variable $SID is null, the osCsid value is not passed into the url.

 

In application_top we have :

$SID = (defined('SID') ? SID : '');

So it all comes down to the constant SID being empty or not.

 

On this page : http://php.net/manual/en/session.idpassing.php they say :

 

 

Passing the Session ID

......

Alternatively, you can use the constant SID which is defined if the session started. If the client did not send an appropriate session cookie, it has the form session_name=session_id. Otherwise, it expands to an empty string. Thus, you can embed it unconditionally into URLs.

 

So (if I understand correctly) the normal way things should happen is:

The customer comes to the site, the session is created and the OsCsid is included in the links. As no session cookie was sent, the links on the page include the OsCsid parameter.

The customer clicks on one link and comes to a page with a URL including an OsCsid parameter. As a session cookie was sent, the links on the page do not include the OsCsid parameter anymore.

 

 

On my new server site the session cookie is probably not sent, hence the OsCsid parameter still in the links on and after the second page.

When the customer logs in or creates an account we do a tep_session_recreate, so a session_regenerate_id(). On this page: http://php.net/manual/en/function.session-regenerate-id.php they say:

 

 

if session cookies are enabled, use of session_regenerate_id() will also submit a new session cookie with the new session id.

 

So that would explain why the osCsid disappears after logging in or creating an account.

 

The question seems to be: why is the cookie not sent without regenerating the session? So far the only difference I can see between my 2 servers is that on the new one session.use_only_cookies is off.

 

Any clue ?

Posted

You are digging way too far into the code for this problem. If you are just curious, that's one thing. But if you are trying to stop the session ID from showing that has been answered. The problem is in your configure file.


Posted

But if you are trying to stop the session ID from showing that has been answered. The problem is in your configure file.

 

Tried the suggested changes without result.

 

 

You are digging way too far into the code for this problem.

 

Sorry jack but when something does not work I try to understand why. So I keep on searching.

Posted

I understand and do the same myself. But unless there is something in your code or on the server that is causing this, the problem will most likely end up being in the configure file. The changes needed may not be what I said but that is where you should be concentrating, in my opinion. Installing a new shop using the installer is the best way to see what the file should look like.


Posted

Thx Jack but I already tested the configure file. :)

 

The solution is very likely somewhere in my code or in my server configuration (some patch about the session management).

Posted

I hope you find what you have done wrong. Just remember what I said earlier. It works straight out the box as long as it's set up properly.


Posted

I've made a print_r($_COOKIE); and an echo $SID; on my pages.

 

The normal way things should happen is:

The customer comes to the site. The session is created. As no session cookie was already sent, the links on the page include the OsCsid parameter.

The customer clicks on one link and comes to a page with a URL including an OsCsid parameter. As a session cookie was sent, the links on the page do not include the OsCsid parameter anymore.

 

 

On my server :

The customer comes on the site.

I've got on my page Array ( ) (for the print_r($_COOKIE);) and osCsid=91lgccvhtd3gdpmj6sru6sq6p5 (for the echo $SID;)

The session is created. As no session cookie was already sent, the links on the page include the OsCsid parameter. So far, so good.

 

The customer clicks on one link and comes to a page with a URL including an OsCsid parameter.

I've got on my page Array ( [osCsid] => 91lgccvhtd3gdpmj6sru6sq6p5 ) (for the print_r($_COOKIE);) and osCsid=91lgccvhtd3gdpmj6sru6sq6p5 (for the echo $SID;)

The session cookie has been sent, but SID has not become an empty string (as it should have), hence the osCsid staying in my URL.

 

So it seems that the server configuration is the cause of my small problem.

 

For now (till I discover what's causing this) I'll change the tep_href_link and replace :

if ( ($add_session_id == true) && ($session_started == true) && (SESSION_FORCE_COOKIE_USE == 'False') ) {
		if (tep_not_null($SID)) {
			$_sid = $SID;
		} elseif ( ( ($request_type == 'NONSSL') && ($connection == 'SSL') && (ENABLE_SSL == true) ) || ( ($request_type == 'SSL') && ($connection == 'NONSSL') ) ) {
			if (HTTP_COOKIE_DOMAIN != HTTPS_COOKIE_DOMAIN) {
				$_sid = tep_session_name() . '=' . tep_session_id();
			}
		}
	}

by this :

if ( ($add_session_id == true) && ($session_started == true) && (SESSION_FORCE_COOKIE_USE == 'False') ) {
	if (tep_not_null($SID)) {
		// Only append the session ID when the browser has not sent the session cookie back
		if ((!isset($_COOKIE['osCsid'])) OR ($_COOKIE['osCsid'] == '')) {
			$_sid = $SID;
		}
	} elseif ( ( ($request_type == 'NONSSL') && ($connection == 'SSL') && (ENABLE_SSL == true) ) || ( ($request_type == 'SSL') && ($connection == 'NONSSL') ) ) {
		if (HTTP_COOKIE_DOMAIN != HTTPS_COOKIE_DOMAIN) {
			$_sid = tep_session_name() . '=' . tep_session_id();
		}
	}
}

If someone has a better idea I'll be interested :)
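
Added example, not part of the original posts and not osCommerce code: a small PHP check that extends the print_r($_COOKIE) / echo $SID test above by also reading the session.* settings that decide whether the ID travels in the URL, where it ends up in Referer headers, logs and bookmarks. The function name audit_sid_passing and the session.use_cookies and session.use_trans_sid values in the sample input are assumptions; the cookie value and the session.use_only_cookies state are the ones reported in the thread.

```php
<?php
// Added diagnostic sketch, not osCommerce code. audit_sid_passing() is a hypothetical name.
// Avoids PHP 7+ syntax so it also runs on the PHP 5.4 discussed in the thread.

/**
 * Explain why a session ID may still be appended to generated links.
 * $ini: session.* settings, $cookies: $_COOKIE, $name: session name, $sid: value of SID.
 */
function audit_sid_passing(array $ini, array $cookies, $name, $sid)
{
    $findings = array();
    $on = function ($key) use ($ini) {
        return filter_var(isset($ini[$key]) ? $ini[$key] : '0', FILTER_VALIDATE_BOOLEAN);
    };

    if (!$on('session.use_cookies')) {
        $findings[] = 'session.use_cookies is off: no session cookie is sent, so the ID can only travel in the URL';
    }
    if (!$on('session.use_only_cookies')) {
        $findings[] = 'session.use_only_cookies is off: PHP accepts a session ID taken from the URL';
    }
    if ($on('session.use_trans_sid')) {
        $findings[] = 'session.use_trans_sid is on: PHP can rewrite relative links to carry the ID';
    }

    $cookieSeen = isset($cookies[$name]) && $cookies[$name] !== '';
    if ($cookieSeen && $sid !== '') {
        $findings[] = "cookie '$name' was received but SID is not empty: links keep the ID";
    } elseif (!$cookieSeen && $sid !== '') {
        $findings[] = "no '$name' cookie received: SID is set, expected on the first page only";
    }
    return $findings;
}

// Constructed input mirroring the second page view reported in the thread.
$ini = array(
    'session.use_cookies'      => '1', // assumed
    'session.use_only_cookies' => '0', // the difference reported on the new server
    'session.use_trans_sid'    => '0', // assumed
);
$cookies = array('osCsid' => '91lgccvhtd3gdpmj6sru6sq6p5'); // value shown in the thread
$sid     = 'osCsid=91lgccvhtd3gdpmj6sru6sq6p5';

foreach (audit_sid_passing($ini, $cookies, 'osCsid', $sid) as $line) {
    echo '- ', $line, PHP_EOL;
}
```

On a live page, call it after the session has started with the ini_get() values for the three settings, $_COOKIE, session_name() and defined('SID') ? SID : ''.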

Posted

I hope you find what you have done wrong. Just remember what I said earlier. It works straight out the box as long as it's set up properly.

 

Thanks Steve, but sometimes the hosting company may play with the server configuration or apply some patches or settings that have some unpredictable effects on the site's behaviour, even if the osCommerce configuration is correct. For example, with PHP 5.4.45 and a server API FPM/FastCGI, session_decode can't unserialize sessions anymore :- :- . That's the kind of crap that one discovers when he is already deep in the ***  :x  and that makes for hours of pulling one's hair  :wacko: 

Archived

This topic is now archived and is closed to further replies.
