♥Vger Posted May 18, 2004

Okay, so as I understand it, if you force cookie use, sessions should only be used if cookies are not enabled on the user's browser. The problem is that according to osCommerce no one ever has cookies enabled on their browser ...ever!

I've done multiple searches of this forum and the only comment that made any sense was that the cookie pathway might be wrong. Well, here goes. My install is in the root directory (eg www.mydomain.com), cookie path is set to '/' - is this wrong? I've tried '/var/www/html/' etc. but it never makes any difference - the moment I click on a link to go somewhere I end up on the cookie_usage.php page.

Does this feature work? Or is it a bug, and I've been wasting my time trying to get it to work?

The reason I have been trying to get it to work is that colleagues of mine who use osCommerce have reported that if you have two users online at the same time it is possible for their sessions to get mixed up and for user A to end up in the account area of user B.

Any help would be appreciated.

Vger

Aziz Posted May 18, 2004

Second answer ... no it is 100% impossible for sessions to get mixed up.... Can your telephone number get mixed up with somebody else's???? Sessions are stored on the server side, each one is given a "unique" id that is associated with the system's ip and that specific computer hardcoded connection.

Now to the settings this should work (sample site):

    define('HTTP_SERVER', 'http://www.sample.com'); // eg, http://localhost - should not be empty for productive servers
    define('HTTPS_SERVER', ''); // eg, https://localhost - should not be empty for productive servers
    define('ENABLE_SSL', false); // secure webserver for checkout procedure?
    define('HTTP_COOKIE_DOMAIN', 'localhost');
    define('HTTPS_COOKIE_DOMAIN', '');
    define('HTTP_COOKIE_PATH', '/');
    define('HTTPS_COOKIE_PATH', '');
    define('DIR_WS_HTTP_CATALOG', '/');
    define('DIR_WS_HTTPS_CATALOG', '');
    define('DIR_WS_IMAGES', 'images/');
    define('DIR_WS_ICONS', DIR_WS_IMAGES . 'icons/');
    define('DIR_WS_INCLUDES', 'includes/');
    define('DIR_WS_BOXES', DIR_WS_INCLUDES . 'boxes/');
    define('DIR_WS_FUNCTIONS', DIR_WS_INCLUDES . 'functions/');
    define('DIR_WS_CLASSES', DIR_WS_INCLUDES . 'classes/');
    define('DIR_WS_MODULES', DIR_WS_INCLUDES . 'modules/');
    define('DIR_WS_LANGUAGES', DIR_WS_INCLUDES . 'languages/');
    define('DIR_WS_DOWNLOAD_PUBLIC', 'pub/');
    define('DIR_FS_CATALOG', 'http://www.rmitc.com/');
    define('DIR_FS_DOWNLOAD', DIR_FS_CATALOG . 'download/');
    define('DIR_FS_DOWNLOAD_PUBLIC', DIR_FS_CATALOG . 'pub/');

211655 Posted May 18, 2004

i have same issue. it's happening with me that user a mixed up with b. see all my codes here.. http://www.oscommerce.com/forums/index.php?showtopic=93663

plz help

211655

♥Vger Posted May 18, 2004

> Second answer ... no it is 100% impossible for sessions to get mixed up.... Can your telephone number get mixed up with somebody else's???? Sessions are stored on the server side, each one is given a "unique" id that is associated with the system's ip and that specific computer hardcoded connection.
>
> Now to the settings this should work (sample site):
>
>     define('HTTP_SERVER', 'http://www.sample.com'); // eg, http://localhost - should not be empty for productive servers
>     define('HTTPS_SERVER', ''); // eg, https://localhost - should not be empty for productive servers
>     define('ENABLE_SSL', false); // secure webserver for checkout procedure?
>     define('HTTP_COOKIE_DOMAIN', 'localhost');
>     define('HTTPS_COOKIE_DOMAIN', '');
>     define('HTTP_COOKIE_PATH', '/');
>     define('HTTPS_COOKIE_PATH', '');
>     define('DIR_WS_HTTP_CATALOG', '/');
>     define('DIR_WS_HTTPS_CATALOG', '');
>     define('DIR_WS_IMAGES', 'images/');
>     define('DIR_WS_ICONS', DIR_WS_IMAGES . 'icons/');
>     define('DIR_WS_INCLUDES', 'includes/');
>     define('DIR_WS_BOXES', DIR_WS_INCLUDES . 'boxes/');
>     define('DIR_WS_FUNCTIONS', DIR_WS_INCLUDES . 'functions/');
>     define('DIR_WS_CLASSES', DIR_WS_INCLUDES . 'classes/');
>     define('DIR_WS_MODULES', DIR_WS_INCLUDES . 'modules/');
>     define('DIR_WS_LANGUAGES', DIR_WS_INCLUDES . 'languages/');
>     define('DIR_WS_DOWNLOAD_PUBLIC', 'pub/');
>     define('DIR_FS_CATALOG', 'http://www.rmitc.com/');
>     define('DIR_FS_DOWNLOAD', DIR_FS_CATALOG . 'download/');
>     define('DIR_FS_DOWNLOAD_PUBLIC', DIR_FS_CATALOG . 'pub/');

No, that doesn't work. Tried it, and all variations of it hundreds of times. I think that the 'force cookie use' feature of osCommerce simply does not work - no matter what you do. I have yet to see a post on this forum from anyone who has managed to get it to work.

Vger

perpetual-burn Posted May 19, 2004

Force cookies worked for me when I was getting the cookie page. I put prevent spider sessions and force cookies to true and it solved the problem for me.

♥Vger Posted May 19, 2004

I only get the 'cookie_usage.php' page when I set force cookie use to 'true'. Are you using file based sessions or mysql based sessions, because I think this makes the difference between 'force cookie use' working and not working e.g. works with file session storage to a tmp directory, but not if session data is stored in mysql.

Vger

rerbe Posted May 19, 2004

The above worked great for me, I have been pulling my hair out to try and cure this problem. Thanks.....

The solution is never too far away ...

♥Vger Posted May 20, 2004

The above example of code had the site set to non ssl, and yes, I could get my site to use cookies if I abandoned ssl - but that would have left my customers' accounts and all their details open to hacking. Not a good idea.

Anyway, I have finally got it sorted, with ssl enabled!

Vger

dr_lucas Posted May 25, 2004

> Anyway, I have finally got it sorted, with ssl enabled!
>
> Vger

Could you please share with us how you made it work with SSL enabled?

TIA. ;)

♥Vger Posted May 25, 2004

> > Anyway, I have finally got it sorted, with ssl enabled!
> >
> > Vger
>
> Could you please share with us how you made it work with SSL enabled?
>
> TIA. ;)

Okay, this simple misconfiguration turned out to be the source of the problem

    define('HTTPS_COOKIE_DOMAIN', 'www.mydomain.com');

It should have been left as

    define('HTTPS_COOKIE_DOMAIN', '');

It was as simple as that ...but it took me three days of trying different settings before I ended up back at my original config file, minus the https cookie domain.

Provided that the rest of the config file is correct then turning on 'Force cookie use' will work as it should.

Hope this helps - Vger

dr_lucas Posted May 25, 2004

I tried that, but it still doesn't work... :(

♥Vger Posted May 26, 2004

Then there is something wrong with the rest of your configuration files.

Vger

ExileRacing Posted May 26, 2004

I just did the same above and it worked. My customers were being asked to login about 5 times. Ended up being the sessions and the SSL site config. My site was www.exileracing.com, but the SSL connection is https://exiletech.secure.powweb.com. I changed the SSL URL to that, set the sessions to store in files, and forced cookie use. After that no more logins when switching from the SSL cart and to the catalog. :D
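
Why the HTTPS cookie domain setting discussed in Vger's fix and in ExileRacing's shared-SSL setup can decide whether the shop ever sees a cookie, as an added example (not code from osCommerce or from any poster): a browser discards a cookie whose Domain attribute does not match the host that sent it, while an empty Domain gives a host-only cookie. The function names, and the model of 'Force cookie use' as a test cookie that must come back on the next request, are assumptions; the two host names are the ones ExileRacing gives.

```javascript
// Added example: RFC 6265 Domain handling as a browser applies it.
// Public-suffix rejection is left out to keep the case small.

// RFC 6265 section 5.1.3: does requestHost domain-match cookieDomain?
function domainMatches(requestHost, cookieDomain) {
  const host = requestHost.toLowerCase();
  const domain = cookieDomain.toLowerCase().replace(/^\./, ''); // leading dot is ignored
  if (host === domain) return true;
  const isIp = /^[\d.]+$/.test(host) || host.includes(':');
  return !isIp && host.endsWith('.' + domain);
}

// What the browser stores for a Set-Cookie received from responseHost.
// Returns null when the cookie is discarded.
function storeCookie(responseHost, domainAttr) {
  if (!domainAttr) {
    // No Domain attribute: host-only cookie, returned to exactly this host.
    return { hostOnly: true, domain: responseHost.toLowerCase() };
  }
  if (!domainMatches(responseHost, domainAttr)) return null; // foreign domain
  return { hostOnly: false, domain: domainAttr.toLowerCase().replace(/^\./, '') };
}

// Would the stored cookie be sent on a later request to requestHost?
function wouldSend(stored, requestHost) {
  if (!stored) return false;
  return stored.hostOnly
    ? stored.domain === requestHost.toLowerCase()
    : domainMatches(requestHost, stored.domain);
}

// Assumed model of 'Force cookie use': a test cookie is set by the SSL host
// and must come back on the next request to that host.
function forceCookieOutcome(sslHost, httpsCookieDomain) {
  const stored = storeCookie(sslHost, httpsCookieDomain);
  return wouldSend(stored, sslHost) ? 'session started' : 'cookie_usage.php';
}

// Hosts from ExileRacing's post: catalog on one name, SSL on a shared host.
const SSL_HOST = 'exiletech.secure.powweb.com';
console.log(forceCookieOutcome(SSL_HOST, 'www.exileracing.com'));
console.log(forceCookieOutcome(SSL_HOST, ''));
```

A host-only cookie stored for the SSL host is not sent to the catalog host, so the HTTP side needs its own cookie under its own HTTP_COOKIE_DOMAIN.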
This topic is now archived and is closed to further replies.