arse_soul Posted July 17, 2003

This is taken from the security proposal for ms2.2:

"It is agreed that the session ID has privacy and security related issues when it is attached to the url, so by default osCommerce should be configured to be used only with browsers that have cookies enabled to prevent the session ID from appearing on the url at all."

So why, with a fresh installation of ms2.2, do I still see the osCsid in the address bar??? Is there something I've missed???

arse_soul Posted July 17, 2003

This has also never been an issue with other previous snapshots of osc that I've used!!!

fuzzatonic Posted July 17, 2003

I am seeing the session ID on the first click and then it goes away after that. I am not sure if that is the way it is supposed to be. It even works like that on the demo store: http://www.oscommerce.com/osCommerce22ms2/

arse_soul Posted July 17, 2003

I see the session id continuously when browsing the store... I checked out the demo site for ms2.2 that you posted and it seems that I do not have a problem with seeing the session id like I do when I test my osc setup on my localhost. But still no idea what is up! It seems that numerous amounts of people are having similar problems with the new ms2.2 setup!

fuzzatonic Posted July 17, 2003

I am now storing my sessions in the database, but the session id is still appended for the first link, then it disappears after that. I am quickly starting to hate sessions and cookies. I tried storing the cookies as a file and I was getting a session_start(): read error. I have no idea what that means. Probably an error writing the cookie to the server.

arse_soul Posted July 18, 2003

I also have a June snapshot of osc set up and that seems to work as the security proposal intended, and since ms2.2 was released in early July the session id issue must have risen between this short space of time!

fuzzatonic Posted July 18, 2003

Maybe I am blind, but I don't seem to have the Session menu in my admin. I looked 10 times under Configuration, but can't find a submenu for sessions. I see My Store, Min/Max, Images, Cust Details, Shipping, Prod List, Stock, Logging, Cache, email, download and zip. I looked under tools as well and can't find it. I have been trying manual edits to the config.php. Do you know if session.auto_start is turned on for your server? I have it turned off and I am wondering if that is the problem. I thought I needed it to be turned off.

arse_soul Posted July 18, 2003

Your sessions section should be in the configuration bit of the admin.... weird... :? ... what version of osc are you using??? And I checked and currently my session.auto_start is turned off.

fuzzatonic Posted July 18, 2003

I downloaded M2 the day after it came out. I had MS1 and had heavily modified it, but I really wanted M2. So I stopped work on MS1 and waited for MS2. The session thing is the whole reason I downloaded MS2. I am now wondering if I should just go back to the old version. I had added the security proposal mods and that seemed to work. I will try through the weekend, and if I can't get this thing working, I will just go back to MS1.

arse_soul Posted July 18, 2003

Any comments dev. team???

arse_soul Posted July 20, 2003

On further investigation it also seems that live stores running the osc2.2 ms2 setup are also having similar problems. Some stores seem to have the sessions working while on other stores the session id is visible constantly!!! But still no reason/solution!!!

Guest Posted July 20, 2003

On my set up the session id is visible on first load and not again after that. I also wonder if it has anything to do with the PHP version? It appears that php 4.2 is messing up my tables and coincidentally this mess up also occurs only when the session id is present in the url, so I wonder?? If php 4.2 might be the problem. What version of php are you running on?

arse_soul Posted July 20, 2003

I'm currently using PHP version 4.3.1... and yet the session id is constantly visible in the url!!!

arse_soul Posted July 21, 2003

I found that if you use one of the daily snapshots the problem of the session id appearing in the url is no longer there!!! :) Rather than if you download from the main ms2.2 section (where I previously did)... just a thought (although this shouldn't be the case!!!)

fuzzatonic Posted July 21, 2003

I finally figured out my problem over the weekend. I was not seeing the Sessions menu in the Admin tool. I think it was related to my database tables. I did not install the sample stuff. I made a back up of my old db and then had the install do a fresh install of the db. I finally saw the Sessions menu and found all the settings I needed. Hope that helps. Works great now!

Guest Posted July 24, 2003

What types of settings did you change? I just uploaded the latest snapshot and I still get the session id in the url on the first load. It goes away after that.

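The three behaviours reported in this thread (session ID never in links, only on the first page load, or on every page) can be told apart by checking the links of successive pages from one browsing session. This is an added example, not part of the original posts and not osCommerce code; the function names, sample pages and session ID value are constructed.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit, parse_qs

SESSION_PARAM = "osCsid"  # session parameter name quoted in the thread


class _HrefCollector(HTMLParser):
    """Collects every href attribute value found in a page."""

    def __init__(self):
        super().__init__()
        self.hrefs = []

    def handle_starttag(self, tag, attrs):
        # Attribute values arrive already unescaped (&amp; becomes &).
        for name, value in attrs:
            if name == "href" and value:
                self.hrefs.append(value)


def links_with_session_id(html, param=SESSION_PARAM):
    """Return the hrefs in `html` whose query string carries `param`."""
    collector = _HrefCollector()
    collector.feed(html)
    return [h for h in collector.hrefs
            if param in parse_qs(urlsplit(h).query, keep_blank_values=True)]


def classify(pages, param=SESSION_PARAM):
    """Classify successive page loads of one browsing session."""
    leaks = [bool(links_with_session_id(p, param)) for p in pages]
    if not any(leaks):
        return "never"
    if leaks[0] and not any(leaks[1:]):
        return "first-load-only"
    return "persistent"


# Constructed sample pages (not captured from a real store).
SID = "0123456789abcdef0123456789abcdef"
FIRST = f'<a href="/product_info.php?products_id=1&amp;{SESSION_PARAM}={SID}">A</a>'
LATER = '<a href="/product_info.php?products_id=1">A</a><a href="/index.php">Home</a>'

if __name__ == "__main__":
    print(classify([FIRST, LATER, LATER]))  # first-load-only
    print(classify([FIRST, FIRST, FIRST]))  # persistent
    print(classify([LATER, LATER]))         # never
```
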
This topic is now archived and is closed to further replies.