
Cookies, SIDs, etc



Hello all--


First, thanks to all for making our site (justpillows.com) possible!!!!!! Your input has been invaluable in getting the site up, running and taking orders.


I have a question regarding cookies, sids, etc. and what should be set to what.


In Admin, I have cookies set to false and sid killer for spiders set to true. When I look to see who's online, some have SIDs assigned and some don't. Is this normal, or should everyone online have a session id assigned? I can't figure out why some have a session id and some don't.


Should cookies be forced? I've read that this can really mess up AOL users if set to true. We have gotten orders and all my tests carry the products from addition to cart through checkout. But I don't know if I'm losing orders because no session id is set for some people. Hope that makes sense.


Any help in understanding when sids should appear and whether cookie use should be forced is greatly appreciated!


Thank you



Soft, elegant, yet surprisingly affordable


SID = session ID

Cookie = semi-permanent SID saved on client's computer


In order for the server to identify people and keep them apart we create a session. That session has a unique ID that corresponds with a same-name file (or database record) on the server that stores the actual data (like what products etc).


The identifier for that file, the SID, is handed out to the client on every request he makes to the server.

The server TRIES to set a cookie containing the SID on the client, and if the client refuses (i.e. doesn't accept cookies) the server will keep adding the SID to any link (at least in osCommerce that is).

If the client accepts the cookie his/her browser will hand back the cookie to the server on every request, so the server knows who's who and can hand out 'clean links' instead of the ones with the session added.


When you visit for the first time your initial session will be appended to the links (and is visible in your browser). On the next click you've either accepted the cookie (which means no more VISIBLE session) or not.


Not accepting the cookie will result in the SID being visible in the browser and has some (by default, not specifically osC) security issues with it. Like when you copy-paste the link WITH the SID and post it somewhere - anyone clicking the link within a certain timeframe would be able to impersonate you - and would be logged in to your account automatically.


So to prevent that you can set FORCE COOKIES - which means you can NOT shop unless you use cookies. But you can also strengthen the security issues that sessions have by default a bit by checking things like IP address and User Agent (what kind of browser / version). osCommerce will check those too - if they don't match it assumes you're not the correct person and will kill the session.


Sessions auto expire after a set time.


SID killer attempts to recognise spiders, bots and crawlers (robots for search engines) and gives them a session FREE page, as you would not like to have listings with non-existent (or worse, existing) session IDs added to the link.




"Politics is the art of preventing people from taking part in affairs which properly concern them"

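A small Python model of the behaviour the reply above describes (cookie versus SID-in-link, the IP / User Agent check, forced cookies and the spider "SID killer"), added here as an example; it is not osCommerce code and not part of the original posts. The class and method names, the timeout value, the spider marker list and the `osCsid` link parameter are assumptions for illustration.

```python
import secrets

SESSION_TTL = 1440  # idle timeout in seconds (assumed value)
SPIDER_MARKERS = ("googlebot", "bingbot", "slurp", "crawler", "spider")  # constructed list


class SessionStore:
    """Toy model of the cookie / URL-SID behaviour described in the reply above."""

    def __init__(self, force_cookies=False, check_ip=True, check_user_agent=True):
        self.force_cookies = force_cookies
        self.check_ip = check_ip
        self.check_user_agent = check_user_agent
        self.sessions = {}  # sid -> {"ip", "ua", "seen"}

    def _valid(self, sid, ip, ua, now):
        """Return True if sid names a live session bound to this client."""
        sess = self.sessions.get(sid)
        if sess is None:
            return False
        expired = now - sess["seen"] > SESSION_TTL
        wrong_ip = self.check_ip and sess["ip"] != ip
        wrong_ua = self.check_user_agent and sess["ua"] != ua
        if expired or wrong_ip or wrong_ua:
            del self.sessions[sid]  # kill the session for everyone holding this SID
            return False
        return True

    def handle(self, ip, ua, now, cookie_sid=None, url_sid=None):
        """Process one request; return (sid, suffix_to_append_to_links)."""
        if any(marker in ua.lower() for marker in SPIDER_MARKERS):
            return None, ""  # "SID killer": spiders get session-free pages
        # With forced cookies a SID arriving in the URL is never honoured.
        sid = cookie_sid or (None if self.force_cookies else url_sid)
        if not self._valid(sid, ip, ua, now):
            sid = secrets.token_hex(16)  # unguessable new ID
            self.sessions[sid] = {"ip": ip, "ua": ua, "seen": now}
        self.sessions[sid]["seen"] = now
        if cookie_sid == sid or self.force_cookies:
            return sid, ""  # cookie came back (or is required): clean links
        return sid, "?osCsid=" + sid  # no cookie yet: SID rides in every link
```

The returned `sid` is what the server would also send in its `Set-Cookie` header; a visitor shows up with a SID in links only until that cookie comes back.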


This topic is now archived and is closed to further replies.
