
osCommerce

The e-commerce.

sids when shared SSL turned on


Check the cookie domains in your config file.

Local: Mac OS X 10.5.8 - Apache 2.2/php 5.3.0/MySQL 5.4.10 • Web Servers: Linux

Tools: BBEdit, Coda, Versions (Subversion), Sequel Pro (db management)


Not sure what your question is.

If you are asking if you are supposed to have SIDs in your URL, then the answer is yes; if you do not have 'force cookie usage' set to true, then your cart will use the SIDs in the URL to keep track of the session.

-------------------------------------------------------------------------------------------------------------------------

NOTE: As of Oct 2006, I'm not as active in this forum as I used to be, but I still work with osC quite a bit.

If you have a question about any of my posts here, your best bet is to contact me through either Email or PM in my profile, and I'll be happy to help.


> If you are asking if you are supposed to have SIDs in your URL, then the answer is yes; if you do not have 'force cookie usage' set to true, then your cart will use the SIDs in the URL to keep track of the session.

Nope. The sid should disappear after a successful connection to the ssl server.

That's to say it will appear at first then disappear.

BTW: The site is having the 1&1 shared ssl problem (no padlock).

Here's a thread on how to fix that: http://www.oscommerce.com/forums/index.php?showtopic=72486&st=0

Local: Mac OS X 10.5.8 - Apache 2.2/php 5.3.0/MySQL 5.4.10 • Web Servers: Linux

Tools: BBEdit, Coda, Versions (Subversion), Sequel Pro (db management)


Sorry, I don't know why the sid in the link is gone; anyway, I post it again:

/kayukayuhome.com/catalog/index.php?sCsid=bd136f62d6f1ebd4f4d9f71c054d26

So, that's the link with the sid.

But I think wizardandwar has already answered my question, which is: NORMAL to have a sid.

Now my question: Does this sid also occur if I use dedicated SSL?

- Why is this normal, I thought this is supposed to be a security risk?

Thanks again


> > If you are asking if you are supposed to have SIDs in your URL, then the answer is yes; if you do not have 'force cookie usage' set to true, then your cart will use the SIDs in the URL to keep track of the session.
>
> Nope. The sid should disappear after a successful connection to the ssl server.
>
> That's to say it will appear at first then disappear.
>
> BTW: The site is having the 1&1 shared ssl problem (no padlock).
>
> Here's a thread on how to fix that: http://www.oscommerce.com/forums/index.php?showtopic=72486&st=0

Umm, how is the cart supposed to track a session if the browser doesn't accept cookies, and the customer hasn't logged in yet?

-------------------------------------------------------------------------------------------------------------------------

NOTE: As of Oct 2006, I'm not as active in this forum as I used to be, but I still work with osC quite a bit.

If you have a question about any of my posts here, your best bet is to contact me through either Email or PM in my profile, and I'll be happy to help.


SID in the URL is a bit of a security risk, in that sometimes two customers purchasing at the exact same time could accidentally get each other's session IDs, and could then potentially see each other's information.

The way to alleviate this is to set 'Force cookie use' in the admin to true. This will require that all customers have cookies enabled on their browser in order to complete a purchase, or even put an item in their cart.

-------------------------------------------------------------------------------------------------------------------------

NOTE: As of Oct 2006, I'm not as active in this forum as I used to be, but I still work with osC quite a bit.

If you have a question about any of my posts here, your best bet is to contact me through either Email or PM in my profile, and I'll be happy to help.


> SID in the URL is a bit of a security risk, in that sometimes two customers purchasing at the exact same time could accidentally get each other's session IDs, and could then potentially see each other's information.
>
> The way to alleviate this is to set 'Force cookie use' in the admin to true. This will require that all customers have cookies enabled on their browser in order to complete a purchase, or even put an item in their cart.

Once again, not so.

Once osC determines that it can set a cookie it will do so even if force cookie use is off.

Once it sets the cookie(s) the sid disappears. You can check this out by visiting any of a number of sites. If your site is not working like this you have something wrong.

Local: Mac OS X 10.5.8 - Apache 2.2/php 5.3.0/MySQL 5.4.10 • Web Servers: Linux

Tools: BBEdit, Coda, Versions (Subversion), Sequel Pro (db management)


Alan, you are completely misunderstanding.

If the customer's browser does not allow cookies to be set on their PC, then the SID is supposed to be in the URL.

Of course you are not supposed to have the SID in your URL if your PC accepts cookies, and I already checked, and his site does not insert SIDs if your browser accepts cookies.

I'd appreciate if you knew what the hell you were talking about before you go around correcting people.

-------------------------------------------------------------------------------------------------------------------------

NOTE: As of Oct 2006, I'm not as active in this forum as I used to be, but I still work with osC quite a bit.

If you have a question about any of my posts here, your best bet is to contact me through either Email or PM in my profile, and I'll be happy to help.


> I'd appreciate if you knew what the hell you were talking about before you go around correcting people.

Re-read your own posts before you start a rant.

Local: Mac OS X 10.5.8 - Apache 2.2/php 5.3.0/MySQL 5.4.10 • Web Servers: Linux

Tools: BBEdit, Coda, Versions (Subversion), Sequel Pro (db management)


Just did.

Everything I mentioned appears to be 100% accurate.

If you do not have 'Force Cookie Usage' set to true, then customers that have browsers that do not allow you to set cookies on their PCs will have SIDs in the URL on many pages, including SSL pages.

What *you* said was that the SIDs should always go away once you hit the SSL page, which is obviously false.

You also repeatedly indicated that *I* was wrong for providing the obviously correct answer to his question.

Now that I've pointed out the error in your logic, would you care to qualify the misinformation you are giving these poor guys?

-------------------------------------------------------------------------------------------------------------------------

NOTE: As of Oct 2006, I'm not as active in this forum as I used to be, but I still work with osC quite a bit.

If you have a question about any of my posts here, your best bet is to contact me through either Email or PM in my profile, and I'll be happy to help.


Guys, I am still confused:

My force set cookie usage is "false", then I make sure my IE browser accepts all cookies, then according to wizard I should not have any SID, right? Well, the SID is still there and no padlock sign.

If I set my IE browser not to accept cookies, it is the same thing: SID is there and also no padlock sign.

The weird thing, if I use my AOL browser:

Then there is no SID, plus the padlock is there.

Guys, what's the problem here? Is it because the shared SSL of 1and1.com is not compatible with the IE browser? BTW it is version 6.0.

Help me out guys!


If your browser accepts cookies, then you should not see SIDs in the URLs, other than on the very first page.

Browsing around on your site, I do not get SIDs, and my browser accepts cookies.

-------------------------------------------------------------------------------------------------------------------------

NOTE: As of Oct 2006, I'm not as active in this forum as I used to be, but I still work with osC quite a bit.

If you have a question about any of my posts here, your best bet is to contact me through either Email or PM in my profile, and I'll be happy to help.


I checked 2 times just to make sure; still the same thing. Browser accepts all cookies.

For AOL browser no problem, no sid and pad is there.

But for IE: well, there is SID and no padlock sign.

Help, I am getting nuts, man.

Also when I go to admin, my admin still says "not protected by SSL"

Thanks,


> I checked 2 times just to make sure; still the same thing. Browser accepts all cookies.
>
> For AOL browser no problem, no sid and pad is there.
>
> But for IE: well, there is SID and no padlock sign.
>
> Help, I am getting nuts, man.
>
> Also when I go to admin, my admin still says "not protected by SSL"
>
> Thanks,

I gave you the link which shows how to solve your problem on the first page of this thread.

You're on a 1&1 server and you're using shared ssl. Read the thread and you'll find a solution.

Local: Mac OS X 10.5.8 - Apache 2.2/php 5.3.0/MySQL 5.4.10 • Web Servers: Linux

Tools: BBEdit, Coda, Versions (Subversion), Sequel Pro (db management)


So could some third party intervene and tell us which response is correct? AlanR or Wizardsandwars?

They both bring up interesting points. I'm not on 1and1, but I'm curious to know because I've had problems with two customers seeing each other's information at checkout.

Also, won't 'force cookie use' be a problem for AOL users, or is that one of the two settings that can be set to 'true?'

Cheers.


Archived

This topic is now archived and is closed to further replies.
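
A check for the symptom raised in the last post (two customers seeing each other's information), added here as an example; it is not part of the original thread and is not osCommerce code. It scans web server access-log lines for session IDs carried in the URL and reports any ID used by more than one client. The parameter name `sCsid` is copied from the URL posted in the thread; the Apache combined log format, the function names and every sample line are assumptions constructed for illustration.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit, parse_qs

# Assumption: session parameter name, copied from the URL posted in the thread.
SID_PARAM = "sCsid"

# Assumption: Apache combined log format (ip, request line, status, referer, agent).
LOG_RE = re.compile(
    r'^(\S+) \S+ \S+ \[[^\]]+\] "(?:GET|POST|HEAD) (\S+) [^"]*" '
    r'\d{3} \S+ "[^"]*" "([^"]*)"'
)

# Constructed sample lines: documentation IP ranges and made-up session IDs.
SAMPLE_LOG = [
    '192.0.2.10 - - [01/Jan/2007:10:00:00 +0000] "GET /catalog/index.php?sCsid=aaaa1111 HTTP/1.1" 200 5120 "-" "BrowserA/6.0"',
    '192.0.2.10 - - [01/Jan/2007:10:00:05 +0000] "GET /catalog/index.php?cPath=1&sCsid=aaaa1111 HTTP/1.1" 200 4096 "-" "BrowserA/6.0"',
    '198.51.100.7 - - [01/Jan/2007:10:02:00 +0000] "GET /catalog/index.php?sCsid=aaaa1111 HTTP/1.1" 200 5120 "-" "BrowserB/1.0"',
    '203.0.113.5 - - [01/Jan/2007:10:03:00 +0000] "GET /catalog/index.php?sCsid=bbbb2222 HTTP/1.1" 200 5120 "-" "BrowserB/1.0"',
    '203.0.113.9 - - [01/Jan/2007:10:04:00 +0000] "GET /catalog/index.php HTTP/1.1" 200 5120 "-" "BrowserB/1.0"',
]


def sid_from_url(url, param=SID_PARAM):
    """Return the session ID carried in the query string, or None."""
    values = parse_qs(urlsplit(url).query).get(param)
    return values[0] if values else None


def shared_session_ids(lines, param=SID_PARAM):
    """Map each URL-borne session ID to its clients when more than one used it.

    A client is an (IP, User-Agent) pair, so a visitor whose address changes
    mid-session (for example behind a proxy pool) is reported as well.
    """
    clients = defaultdict(set)
    for line in lines:
        match = LOG_RE.match(line)
        if not match:
            continue  # skip lines that are not in the assumed format
        ip, url, agent = match.groups()
        sid = sid_from_url(url, param)
        if sid:
            clients[sid].add((ip, agent))
    return {sid: sorted(seen) for sid, seen in clients.items() if len(seen) > 1}


if __name__ == "__main__":
    for sid, seen in shared_session_ids(SAMPLE_LOG).items():
        print(sid, "used by", seen)
```
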
