Jump to content
  • Checkout
  • Login
  • Get in touch

osCommerce

The e-commerce.

Cookies and Sessions


Vger

Recommended Posts

Okay, so as I understand it, if you force cookie use, sessions should only be used if cookies are not enabled on the users browser. The problem is that according to osCommerce no one ever has cookies enabled on their browser ...ever! I've done multiple searches of this forum and the only comment that made any sense was that the cookie pathway might be wrong. Well, here goes. My install is in the root directory (eg www.mydomain.com), cookie path is set to '/' - is this wrong? I've tried '/var/www/html/ etc. but it never makes any difference - the moment I click on a link to go somewhere I end up on the cookie_usage.php page. Does this feature work? Or is it a bug, and I've been wasting my time trying to get it to work?

 

The reason I have been trying to get it work is that colleagues of mine who use osCommerce have reported that if you have two users online at the same time it is possible for their sessions to get mixed up and for user A to end up in the account area of user B.

 

Any help would be appreciated.

 

Vger

Link to comment
Share on other sites

Second answer ... no it is 100% impossible for sessions to get mixed up....

Can your telephone number get mixed up with somebody's else????

 

Sessions are stored on the server side, each one is given a "unique" id that is associated with the system's ip and that specific computer hardcored connetion.

 

Now to the settings this should work (sample site):

define('HTTP_SERVER', 'http://www.sample.com'); // eg, [URL=http://localhost]http://localhost[/URL] - should not be empty for productive servers
 define('HTTPS_SERVER', ''); // eg, [URL=https://localhost]https://localhost[/URL] - should not be empty for productive servers
 define('ENABLE_SSL', false); // secure webserver for checkout procedure?
 define('HTTP_COOKIE_DOMAIN', 'localhost');
 define('HTTPS_COOKIE_DOMAIN', '');
 define('HTTP_COOKIE_PATH', '/');
 define('HTTPS_COOKIE_PATH', '');
 define('DIR_WS_HTTP_CATALOG', '/');
 define('DIR_WS_HTTPS_CATALOG', '');
 define('DIR_WS_IMAGES', 'images/');
 define('DIR_WS_ICONS', DIR_WS_IMAGES . 'icons/');
 define('DIR_WS_INCLUDES', 'includes/');
 define('DIR_WS_BOXES', DIR_WS_INCLUDES . 'boxes/');
 define('DIR_WS_FUNCTIONS', DIR_WS_INCLUDES . 'functions/');
 define('DIR_WS_CLASSES', DIR_WS_INCLUDES . 'classes/');
 define('DIR_WS_MODULES', DIR_WS_INCLUDES . 'modules/');
 define('DIR_WS_LANGUAGES', DIR_WS_INCLUDES . 'languages/');

 define('DIR_WS_DOWNLOAD_PUBLIC', 'pub/');
 define('DIR_FS_CATALOG', 'http://www.rmitc.com/');
 define('DIR_FS_DOWNLOAD', DIR_FS_CATALOG . 'download/');
 define('DIR_FS_DOWNLOAD_PUBLIC', DIR_FS_CATALOG . 'pub/');

--------------------------------

Link to comment
Share on other sites

Second answer ... no it is 100% impossible for sessions to get mixed up....

Can your telephone number get mixed up with somebody's else????

 

Sessions are stored on the server side, each one is given a "unique" id that is associated with the system's ip and that specific computer hardcored connetion.

 

Now to the settings this should work (sample site):

define('HTTP_SERVER', 'http://www.sample.com'); // eg, [URL=http://localhost]http://localhost[/URL] - should not be empty for productive servers
?define('HTTPS_SERVER', ''); // eg, [URL=https://localhost]https://localhost[/URL] - should not be empty for productive servers
?define('ENABLE_SSL', false); // secure webserver for checkout procedure?
?define('HTTP_COOKIE_DOMAIN', 'localhost');
?define('HTTPS_COOKIE_DOMAIN', '');
?define('HTTP_COOKIE_PATH', '/');
?define('HTTPS_COOKIE_PATH', '');
?define('DIR_WS_HTTP_CATALOG', '/');
?define('DIR_WS_HTTPS_CATALOG', '');
?define('DIR_WS_IMAGES', 'images/');
?define('DIR_WS_ICONS', DIR_WS_IMAGES . 'icons/');
?define('DIR_WS_INCLUDES', 'includes/');
?define('DIR_WS_BOXES', DIR_WS_INCLUDES . 'boxes/');
?define('DIR_WS_FUNCTIONS', DIR_WS_INCLUDES . 'functions/');
?define('DIR_WS_CLASSES', DIR_WS_INCLUDES . 'classes/');
?define('DIR_WS_MODULES', DIR_WS_INCLUDES . 'modules/');
?define('DIR_WS_LANGUAGES', DIR_WS_INCLUDES . 'languages/');

?define('DIR_WS_DOWNLOAD_PUBLIC', 'pub/');
?define('DIR_FS_CATALOG', 'http://www.rmitc.com/');
?define('DIR_FS_DOWNLOAD', DIR_FS_CATALOG . 'download/');
?define('DIR_FS_DOWNLOAD_PUBLIC', DIR_FS_CATALOG . 'pub/');

No, that doesn't work. Tried it, and all variations of it hundreds of times. I think that the 'force cookie use' feature of osCommerce simply does not work - no matter what you do. I have yet to see a post on this forum from anyone who has managed to get it to work.

 

Vger

Link to comment
Share on other sites

I only get the 'cookie_usage.php' page when I set force cookie use to 'true'. Are you using file based sessions or mysql based sessions, because I think this makes the difference between 'force cookie use' working and not working e.g. works with file session storage to a tmp directory, but not if session data is stored in mysql.

 

Vger

Link to comment
Share on other sites

The above example of code had the site set to non ssl, and yes, I could get my site to use cookies if I abandoned ssl - but that would have left my customers' accounts and all their details open to hacking. Not a good idea.

 

Anyway, I have finally got it sorted, with ssl enabled!

 

Vger

Link to comment
Share on other sites

Anyway, I have finally got it sorted, with ssl enabled!

 

Vger

Could you please share with us how you made it work with SSL enabled?

 

TIA. ;)

Link to comment
Share on other sites

Anyway, I have finally got it sorted, with ssl enabled!

 

Vger

Could you please share with us how you made it work with SSL enabled?

 

TIA. ;)

Okay, this simple misconfiguration turned out to be the source of the problem

 

define('HTTPS_COOKIE_DOMAIN', 'www.mydomain.com');

 

It should have been left as

 

define('HTTPS_COOKIE_DOMAIN', '');

 

It was as simple as that ...but it took me three days of trying different settings before I ended up back at my original config file, minus the https cookie domain. Provided that the rest of the config file is correct then turning on 'Force cookie use' will work as it should.

 

Hope this helps - Vger

Link to comment
Share on other sites

I tried that, but it still doesn't work... :(

Link to comment
Share on other sites

I just did the same above and it worked.

 

My customers were being asked to login about 5 times. Ended up being the sessions and the SSL site config.

 

My site was www.exileracing.com, but the SSL connection is https://exiletech.secure.powweb.com

 

I changed the SSL URL to that, set the sessions to store in files, and forced cookie use. After that no more logins when switching from the SSL cart and to the catalog. :D

Link to comment
Share on other sites

Archived

This topic is now archived and is closed to further replies.

×
×
  • Create New...