Thelostfleet
Posted February 25, 2016

Greetings community.

After reading this post http://www.oscommerce.com/forums/topic/330479-what-is-the-oscsid-why-you-must-not-loose-it I still have several things I do not understand.

They said:

"osC keeps the users sid between pages through use of the tep_href_link function, so all links must use tep_href_link to ensure the sid remains, you can circumvent this issue with 'Force Cookie Use' where since the sid is stored within the cookie if it is lost through any 'bad' code it can be picked up from there again."

So it seems that if one does not use cookies to store sessions, but stores them in the database, the links must contain an osCsid.

However they also said:

"Your osCsid should only be visible in the querystring for one click .. after that it should be gone. If you close ALL of your browser windows then go to your site. Hover over any link and you will see in the bottom bar that the link has an osCsid appended to it. If you then click that link then once again hover over a link when the page reloads the link should now be free of any osCsid."

And here I don't understand. The links must contain osCsid, but after the first click they must be gone? It seems incompatible!! (I know it works but I do not understand why.)

Another thing I do not really understand (yes, there are a lot of things I do not understand :D ) is the tep_href_link function.

    // Add the session ID when moving from different HTTP and HTTPS servers, or when SID is defined
    if ( ($add_session_id == true) && ($session_started == true) && (SESSION_FORCE_COOKIE_USE == 'False') ) {
      if (tep_not_null($SID)) {
        $_sid = $SID;
      } elseif ( ( ($request_type == 'NONSSL') && ($connection == 'SSL') && (ENABLE_SSL == true) ) || ( ($request_type == 'SSL') && ($connection == 'NONSSL') ) ) {
        if (HTTP_COOKIE_DOMAIN != HTTPS_COOKIE_DOMAIN) {
          $_sid = tep_session_name() . '=' . tep_session_id();
        }
      }
    }

    if (isset($_sid)) {
      $link .= $separator . tep_output_string($_sid);
    }

As long as $SID is not null (so before the first click) it adds an osCsid to the link URLs; then (after the first click) it does not add it anymore. This is normal behaviour and coherent with what they said.

But what I do not see is why we have to use tep_href_link to make links. I would understand if they always automatically included the session id, but that's not the case.

Can someone explain this to me? I must have missed something very big (that would not be the first time :rolleyes: )?

Many thanks.

kymation
Posted February 25, 2016

How this normally works:

1. Customer lands on any page for the first time. The osCommerce code assigns a random SID and tries to set a cookie using that SID. It also adds that SID to all links on that page. This latter part is done by the tep_href_link() function.
2. Customer clicks on a link and is taken to a different page. The osCommerce code tries to retrieve the cookie previously set. If successful, it compares the SID in the cookie to the SID stored in the link. If they match, it considers the cookie successfully set and uses the cookie thereafter. If the values do not match or no cookie is returned, the code considers the cookie to have failed and continues to set the SID in all links and uses that SID instead of the cookie.

How this can go wrong:

- If the link the customer clicked on in #2 above was not created by the tep_href_link() function, the cookie is assumed to have failed and the SID is lost. Session is lost at that time and must be reestablished. The customer may have session-related problems, including loss of items in their cart. If the link was to an external site, the process may start over when the customer clicks back.
- If the cookie is not valid for whatever reason, osCommerce will continue to use the SID set in the URL. If the customer clicks on any link after that point that doesn't contain that SID, session is lost, cart is lost, etc.
- If your site uses SSL, and it should, then you could have different cookies for the secure and non-secure parts. If this happens, the transfer between the two can cause loss of session if not done properly.

Cookies can fail for many reasons. The browser may be set to not accept cookies (rare), or the cookie may become corrupted, or the server or osCommerce may be configured incorrectly. This doesn't happen very often, but it does happen.

That's the best of my memory dump. Ask more questions if you don't understand.

Regards
Jim

See my profile for a list of my addons and ways to get support.
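
An added example (not part of the original posts and not osCommerce code) that models the flow described in the answer above for the SESSION_FORCE_COOKIE_USE 'False' case: the SID appears in generated links until the cookie comes back, and a link without the SID loses the session when cookies are blocked. The handle(), follow() and report() functions and the in-memory session store are assumptions made for illustration; the empty-SID rule follows PHP's SID constant, which is empty once the session id arrives in a cookie.

```php
<?php
// Added illustration: simplified model of the flow described above, for the
// SESSION_FORCE_COOKIE_USE == 'False' case. Not osCommerce source; the
// function and variable names are hypothetical.

$sessions = [];   // server-side session store: session id => cart items

// Handle one request and return the session id in use plus a rendered link.
function handle(array &$sessions, array $cookies, array $query): array {
    $fromCookie = $cookies['osCsid'] ?? null;
    $id = $fromCookie ?? ($query['osCsid'] ?? null);
    if ($id === null || !isset($sessions[$id])) {
        $id = bin2hex(random_bytes(8));   // no usable SID: new, empty session
        $sessions[$id] = [];
    }
    // Like PHP's SID constant: empty once the cookie has carried the id back.
    $sid = ($fromCookie === $id) ? '' : 'osCsid=' . $id;
    // Same-server part of the quoted tep_href_link() test: append only if set.
    $link = 'index.php' . ($sid !== '' ? '?' . $sid : '');
    return ['id' => $id, 'link' => $link];
}

// Extract the query parameters a browser would send when following $link.
function follow(string $link): array {
    parse_str((string) parse_url($link, PHP_URL_QUERY), $query);
    return $query;
}

function report(string $label, array $page, array $sessions): void {
    printf("%-30s link=%s cart=%d\n", $label, $page['link'], count($sessions[$page['id']]));
}

// Scenario 1: browser accepts the cookie.
$a1 = handle($sessions, [], []);
$sessions[$a1['id']][] = 'widget';
report('cookie ok, landing page', $a1, $sessions);
$a2 = handle($sessions, ['osCsid' => $a1['id']], follow($a1['link']));
report('cookie ok, after first click', $a2, $sessions);

// Scenario 2: browser blocks cookies, customer follows a generated link.
$b1 = handle($sessions, [], []);
$sessions[$b1['id']][] = 'widget';
$b2 = handle($sessions, [], follow($b1['link']));
report('no cookie, generated link', $b2, $sessions);

// Scenario 3: same browser follows a hand-written link without the SID.
$b3 = handle($sessions, [], follow('index.php'));
report('no cookie, hand-written link', $b3, $sessions);
```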

Thelostfleet (Author)
Posted February 26, 2016

Many thanks Jim, that was a great answer :)

Just another point to see on this subject. It's about the cookie and the SESSION_FORCE_COOKIE_USE parameter. If I understand correctly:

With SESSION_FORCE_COOKIE_USE set to 'true':

- The session.use_only_cookies is set to 1.
- On the first landing page a cookie_test is sent to make sure that the customer's browser accepts cookies. The server also sends a cookie that will store all the session information.
- The tep_href_link function is prevented from passing osCsid in the URL.

With SESSION_FORCE_COOKIE_USE set to 'false':

- On the first landing page the server sends a cookie named osCsid, and it's this cookie value that is compared to the osCsid of the links.
- If the osCsid cookie is correctly set, the tep_href_link function is prevented from passing osCsid in the URL. The session information is stored in the database, and the osCsid cookie is used to allow the reading, writing, ... of the session data in the database.
- If the osCsid cookie is not correctly set, the tep_href_link function is set to pass osCsid in the URL. The session information is stored in the database, and the osCsid value in the URL is used to allow the reading, writing, ... of the session data in the database.

Is that correct?

P.S.: I did not understand before you explained it to me because I thought that with SESSION_FORCE_COOKIE_USE set to 'true', no cookies were used at all.

kymation
Posted February 26, 2016

@Thelostfleet You're close. It's not possible to set a cookie and read that cookie in the same operation, so the code still has to wait for the customer to click on a link to get the cookie back. So if you have SESSION_FORCE_COOKIE_USE set to 'true' and the cookie fails for whatever reason, on that second request osCommerce redirects to cookie_usage.php and refuses to proceed.

Everything else you've said is correct.

Regards
Jim

Thelostfleet (Author)
Posted March 1, 2016

Many thanks Jim for these detailed explanations :)