Urbluffingme Posted February 10, 2004

I was wondering if anybody could steer me in the right direction to get the session ID out of the address bar.

wizardsandwars Posted February 10, 2004

In the admin, you can 'force cookie use'.

------------------------------------------------------------
NOTE: As of Oct 2006, I'm not as active in this forum as I used to be, but I still work with osC quite a bit. If you have a question about any of my posts here, your best bet is to contact me through either Email or PM in my profile, and I'll be happy to help.

Urbluffingme (Author) Posted February 11, 2004

Is that the only way it is possible? That way, you are telling anyone who doesn't have cookies enabled that they can't buy from you, unless they enable them.

wizardsandwars Posted February 11, 2004

Well, AFAIK, there are only 2 ways to keep track of what the person has in their cart and things. One way is to do it with a session ID in the URL. The other way is with a cookie.

If you remove the session IDs, and you don't force cookies, then people that don't allow cookies will still not be able to purchase.

Urbluffingme (Author) Posted February 11, 2004

What is the best way to go? Any idea of the webstats, as far as how many users disable cookies?

SunYe Posted February 11, 2004

Mostly, web applications use the session ID in the URL. You can reference some business applications.

Fan of OSC system... Coming from China...

user99999999 Posted February 11, 2004

Hi,

I think it goes like this. If you accept cookies then the SID should disappear from the URL. If you block cookies then you will have SIDs in the URL and you can check out. If Force Cookies = True then SIDs in the URL will not be accepted for checkout.

The main problem with SIDs in the URL is I can add something to my cart and then email you a link with SID and you can open my cart and etc.

@Urbluffingme Your store is not sending cookies; maybe you put http:// in your cookie domain.

Things to check.

OSC MS2 catalog/includes/configure.php

    define('HTTP_COOKIE_DOMAIN', 'www.mystore.com');
    define('HTTPS_COOKIE_DOMAIN', 'www.mystore.com');
    define('HTTP_COOKIE_PATH', 'catalog/');
    define('HTTPS_COOKIE_PATH', 'catalog/');

OSC seems to override the PHP settings but you can check them too.

Tools/Server Info

    PHP4 with --enable-trans-sid
    session.use_cookies On
    session.use_trans_sid On

You can change the PHP settings in .htaccess or php.ini

Dave...

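The shared-link problem described in the post above leaves a trace in the web server's access log: one session ID requested from more than one client address. A detection sketch, added here as an example and not part of the original thread; it assumes Apache combined log format and osCommerce's default session parameter name `osCsid` (neither is stated in the thread), and the log lines are constructed.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit, parse_qs

# Constructed sample lines in Apache combined log format (not real traffic).
SAMPLE_LOG = """\
198.51.100.7 - - [11/Feb/2004:10:01:02 +0000] "GET /product_info.php?products_id=3&osCsid=aaaa1111 HTTP/1.1" 200 5120 "-" "Mozilla/4.0"
198.51.100.7 - - [11/Feb/2004:10:01:40 +0000] "GET /shopping_cart.php?osCsid=aaaa1111 HTTP/1.1" 200 4100 "-" "Mozilla/4.0"
203.0.113.9 - - [11/Feb/2004:10:05:13 +0000] "GET /shopping_cart.php?osCsid=aaaa1111 HTTP/1.1" 200 4100 "-" "Mozilla/5.0"
192.0.2.44 - - [11/Feb/2004:10:06:00 +0000] "GET /index.php?osCsid=bbbb2222 HTTP/1.1" 200 9000 "-" "Mozilla/4.0"
192.0.2.44 - - [11/Feb/2004:10:06:30 +0000] "GET /index.php HTTP/1.1" 200 9000 "-" "Mozilla/4.0"
"""

# Captures the client address and the request target of each log line.
LINE_RE = re.compile(
    r'^(\S+) \S+ \S+ \[[^\]]+\] "(?:GET|POST|HEAD) (\S+) [^"]*" \d{3} \S+'
)


def shared_session_ids(log_text, param="osCsid"):
    """Return {session_id: sorted client IPs} for IDs seen from more than one IP.

    `param` is the URL session parameter; "osCsid" is assumed, not taken
    from the thread.
    """
    seen = defaultdict(set)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that are not in the expected format
        ip, target = m.groups()
        for sid in parse_qs(urlsplit(target).query).get(param, []):
            seen[sid].add(ip)
    return {sid: sorted(ips) for sid, ips in seen.items() if len(ips) > 1}


if __name__ == "__main__":
    for sid, ips in shared_session_ids(SAMPLE_LOG).items():
        print(f"session {sid} used from {len(ips)} addresses: {', '.join(ips)}")
```

A hit is a lead rather than proof, since proxies and address changes also make one customer appear under several IPs.
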
Urbluffingme (Author) Posted February 11, 2004

How can I tell if my store is sending cookies? I fixed the cookie domain in configure.php and I am forcing cookies in admin.

As long as we are sort of on the subject of security, what other security issues should I be aware of when using oscommerce?

Urbluffingme (Author) Posted February 11, 2004

It seems my https cookie domain is off somewhere. It uses cookies to keep track of cart contents. But as soon as I hit a secure page, it dumps the cart. Here is my configure.php:

    define('HTTP_SERVER', 'http://www.napeconow.com'); // eg, http://localhost - should not be empty for productive servers
    define('HTTPS_SERVER', 'https://host38.ipowerweb.com/~napecono'); // eg, https://localhost - should not be empty for productive servers
    define('ENABLE_SSL',true); // secure webserver for checkout procedure?
    define('HTTP_COOKIE_DOMAIN', 'www.napeconow.com');
    define('HTTPS_COOKIE_DOMAIN', 'https://host38.ipowerweb.com/~napecono');
    define('HTTP_COOKIE_PATH', '/');
    define('HTTPS_COOKIE_PATH', '/');
    define('DIR_WS_HTTP_CATALOG', '/');
    define('DIR_WS_HTTPS_CATALOG', '/');

I am getting a dedicated ssl cert very soon. But for now, I have to make this one work. I just have slashes because I don't have a catalog folder.

Urbluffingme (Author) Posted February 11, 2004

Also, I can change the https cookie domain and https cookie path to whatever I want, and it doesn't change the way the page behaves at all. This sort of puzzles me.

user99999999 Posted February 11, 2004

Hi,

The COOKIE_DOMAIN should not have 'https://'

    define('HTTPS_COOKIE_DOMAIN', 'https://host38.ipowerweb.com/~napecono');
    define('HTTPS_COOKIE_DOMAIN', 'host38.ipowerweb.com/~napecono');

Plus look into getting your own SSL cert because that URL will scare all your customers away.

Dave...

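A way to check the cookie settings discussed in the posts above before deploying them, added here as an example and not part of the original thread or of osCommerce. It reads the `define()` lines posted earlier (copied below as input), applies the cookie domain-match rule from RFC 6265, and reports values a browser would not honour; the function names are hypothetical.

```python
import re
from urllib.parse import urlsplit

# The settings posted in the thread, copied here as input for the check.
POSTED = """
define('HTTP_SERVER', 'http://www.napeconow.com');
define('HTTPS_SERVER', 'https://host38.ipowerweb.com/~napecono');
define('HTTP_COOKIE_DOMAIN', 'www.napeconow.com');
define('HTTPS_COOKIE_DOMAIN', 'https://host38.ipowerweb.com/~napecono');
define('HTTP_COOKIE_PATH', '/');
define('HTTPS_COOKIE_PATH', '/');
"""

DEFINE_RE = re.compile(r"define\('(\w+)',\s*'([^']*)'\);")


def domain_match(host, cookie_domain):
    """RFC 6265 domain-match: equal, or host ends with '.' + cookie domain."""
    host, dom = host.lower(), cookie_domain.lower().lstrip(".")
    return host == dom or host.endswith("." + dom)


def audit(config_text):
    """Return a list of findings about the cookie settings in configure.php text."""
    cfg = dict(DEFINE_RE.findall(config_text))
    findings, hosts = [], {}
    for scheme in ("HTTP", "HTTPS"):
        hosts[scheme] = urlsplit(cfg[scheme + "_SERVER"]).hostname
        dom = cfg[scheme + "_COOKIE_DOMAIN"]
        path = cfg[scheme + "_COOKIE_PATH"]
        # A cookie domain is a host name only: no scheme, no path component.
        if "://" in dom or "/" in dom:
            findings.append(f"{scheme}_COOKIE_DOMAIN must be a bare host name, got {dom!r}")
        elif not domain_match(hosts[scheme], dom):
            findings.append(f"{scheme}_COOKIE_DOMAIN {dom!r} does not match host {hosts[scheme]!r}")
        if not path.startswith("/"):
            findings.append(f"{scheme}_COOKIE_PATH must start with '/', got {path!r}")
    # A session cookie set on the HTTP host only follows the customer to the
    # HTTPS host if that host domain-matches the HTTP cookie domain.
    if not domain_match(hosts["HTTPS"], cfg["HTTP_COOKIE_DOMAIN"]):
        findings.append(
            f"cookie for {cfg['HTTP_COOKIE_DOMAIN']!r} is not sent to HTTPS host {hosts['HTTPS']!r}"
        )
    return findings


if __name__ == "__main__":
    for finding in audit(POSTED):
        print("-", finding)
```
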
user99999999 Posted February 11, 2004

> How can I tell if my store is sending cookies? I fixed the cookie domain in configure.php and I am forcing cookies in admin.
> As long as we are sort of on the subject of security, what other security issues should I be aware of when using oscommerce?

It's in privacy settings; change it to prompt you, then you can see all the details.

Change Force Cookies to False; that is wrong info given...

Archived
This topic is now archived and is closed to further replies.