Please help with osCommerce contribution

eitai2001 (Expert Member; joined Aug 17, 2007; 4,329 messages; reaction score 2; location: Jhb)
Hi Guys.

I have been searching for a contribution for osCommerce that will prevent the session ID of a customer from being displayed in the website address bar, i.e. osCsid=ecf475f31e57d735ec02821c1eff8a82, as I have discovered that if a user is logged in and sends a link with the session attached to a friend, when the friend clicks on the link, it opens the site and logs him in as the user.
I have put in a temporary solution that detects if it is a different IP or browser and then asks you to log in again, but this is not ideal.

I see that Sybaritic uses some contribution that prevents the session ID from displaying.

Perhaps some of you know which contribution I should look for?

By the way, don't worry about site security ... the site is now secure again, but to be sure, if and when posting or e-mailing a link, be sure to remove the session ID.

I'm hoping one of you knows which contribution will work; I spent a couple of hours searching the osCommerce contributions.

Regards

Itai
 
You could use cookies, but many users choose to disable cookies... The other option is to use $_SESSION variables. A good way to do this would be to hash the session id along with some other parameters as well as some or other pre-defined constant. This hash should be passed using POST, instead of GET.

That should solve your problem.
Hope this helps
 
I'm sure it would solve the problem, but I have no clue how to implement that ... I know very basic PHP, I usually follow the instructions in the osCommerce contributions that I download.
 
How would I go about implementing that?

Well unfortunately I can't give you a complete solution: I don't have access to your code (nor SHOULD I), but I can give you some basic skeletons to use as an example:

Code:
<?php

// Start (or resume) the session; this must run before any output is sent.
session_start();

// Some constant text plus a header the browser presents to the server.
$fingerprint = 'SOME_CONSTANT_TEXT' . ($_SERVER['HTTP_USER_AGENT'] ?? '');
// Store a one-way hash of the fingerprint combined with the session ID.
$_SESSION['fingerprint'] = md5($fingerprint . session_id());

?>

Basically, the first statement initiates the session (I think it MUST be the first statement in the script).
The next line assigns $fingerprint a string consisting of some constant text (for obscurity) and some headers (presented to the server by the browser).
The next line sets a session variable $_SESSION['fingerprint'] to the md5 hash (a 'one-way' encryption (it's not really, but it's close enough)) of a string consisting of the previously assigned $fingerprint variable and the session id (assigned when you did session_start(), AFAIK).

For your forms, make sure that the method is "POST" and not "GET".
"GET" will make the browser show the variable assignments from the previous page in the form:
Code:
http://www.yourdomain.com/index.php?variable1=value1&variable2=value2&variable_etc=etc

The problem is that there are a LOT of things to consider when working with sessions, and if you're not too familiar with it, you should either try to find a worked solution or think about getting someone to do it for you (but make sure it's someone you know can do the job CORRECTLY).
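To show how the skeleton above fits together as a per-request check, here is an added example (not the poster's code and not part of osCommerce): it binds the session to a fingerprint and resets the session when a copied ID is presented from a different browser. SESSION_SALT and the /login.php redirect target are assumed placeholders.

```php
<?php
// Added example: bind a PHP session to a browser fingerprint so that a
// session ID copied into a shared link is rejected when another browser
// presents it. SESSION_SALT is an assumed site-specific secret.
const SESSION_SALT = 'replace-with-a-long-random-secret';

// Fingerprint = hash(constant . User-Agent . session ID), as in the skeleton.
function session_fingerprint(string $user_agent, string $sid): string
{
    return hash('sha256', SESSION_SALT . $user_agent . $sid);
}

// Call once per request, right after session_start().
// Returns true when the session is accepted, false when it was reset.
function enforce_session_fingerprint(): bool
{
    $ua  = $_SERVER['HTTP_USER_AGENT'] ?? '';
    $now = session_fingerprint($ua, session_id());

    if (!isset($_SESSION['fingerprint'])) {
        // First request of a fresh session: record its fingerprint.
        $_SESSION['fingerprint'] = $now;
        return true;
    }
    if (hash_equals($_SESSION['fingerprint'], $now)) {
        return true; // same browser, same ID: carry on
    }
    // Mismatch: the ID is being reused from a different browser.
    // Discard the session data and issue a brand-new ID.
    $_SESSION = [];
    session_regenerate_id(true);
    $_SESSION['fingerprint'] = session_fingerprint($ua, session_id());
    return false;
}

// Usage in the page bootstrap (login.php is an assumed path):
session_start();
if (!enforce_session_fingerprint()) {
    header('Location: /login.php');
    exit;
}
```

A browser that legitimately changes its User-Agent (an upgrade mid-session, for instance) is also logged out by this check; that is the trade-off the thread's "temporary solution" already makes.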
 
Shu ... the osCommerce code is very complex ... I don't suppose there is someone on this forum who knows how it works ... and could implement it for me? If someone here can, please PM me, and tell me how much you will charge.
 
erm....

I know osCommerce pretty well....backwards actually....but you shouldn't need to hire anyone to do it for you!

It is very very easy....have you activated "Prevent Spider Sessions" in your admin section? This will stop the spiders from being able to start a session. It may be an idea to update the spider list, you don't really need to though....but let me grab the link quickly....

Bleh....can't seem to get the link right now! Keep getting timeouts from oscommerce.com. Thanks telskum!

Anyhow, this is the option you need to fix your pages already spidered with the OscSid:
http://www.oscommerce.com/community/contributions,2819

So, install the contrib above, and set Prevent Spider Sessions to true. You should be sorted! Lemme know once you have done it and I'll check it out for you!
 
Hi.

Thanks for the reply ... the problem wasn't spiders ... an example would be that one of the guys on the forum liked a price and pasted it in the bargain thread, but he pasted it with the session ID, and when someone clicked the link, they were logged in with his account. The session has expired now though.
And I do have Prevent Spider Sessions enabled.
But I seem to have found the main problem: apparently osCommerce automatically checks if your cookies are enabled, and only if they aren't puts the session ID in the URL. Now in my case, this wasn't happening, and after tons of reading, I see it turned out to be a misconfigured configuration file, which I have now sorted out, and if your cookies are enabled, you will not see the session ID in the URL ... Phew :) Glad I finally found the answer.

Regards

Itai
 
This was the original post I found that sorted me out, in case anyone else ever searching this forum needs help:
Right guys,

Not 100% up to speed on this yet but after reaching 99% I did do a couple of celebratory laps of the sitting room!! Yes, the sitting room is where I get most of the proper work done - I spent all day at the shop just sorting out orders, replying to probably dead end e-mails and the rest of the standard shop work!! How I am ever going to compete with Amazon I will never know!

Still the major breakthrough has been made, only one potential problem left which I will mention at the end.

Ok, Sessions.....

It would appear to me that a very large number of users do not have osCommerce configured correctly (including myself). I assumed that every user was issued a (visible) session ID. All the osCommerce sites I had visited, and that is a lot of sites since I have been working on mine, have issued me with a session ID in the URL. Now, this does not need to happen so long as cookies are enabled on the user's browser. The 2.2 ms version of osCommerce (don't know about previous versions) is very clever.... Once a new customer visits your site, OSc will try to reply to the customer with cookies enabled; if it does not receive the response it wants, i.e. cookies are disabled, then and only then will it assign the user a session ID.

This makes sense so far? It took me some bl**dy working out.

Now, knowing that generally speaking sessions are a bad idea security wise for your site/customers (they are open to abuse if another user can access the same open session), OSc will use cookies when it can. You know it is using cookies when the URL does not contain a reet big long OSCid number.

So, what are the correct settings for your config file, I hear you ask!

Well, mine is now,

define('HTTP_SERVER', 'http://www.mydomain.co.uk'); // eg, <http://localhost> - should not be empty for productive servers
define('HTTPS_SERVER', 'https://www.mydomain.co.uk'); // eg, <https://localhost> - should not be empty for productive servers
define('ENABLE_SSL', true); // secure webserver for checkout procedure?
define('HTTP_COOKIE_DOMAIN', 'mydomain.co.uk');
define('HTTPS_COOKIE_DOMAIN', 'mydomain.co.uk');
define('HTTP_COOKIE_PATH', '/');
define('HTTPS_COOKIE_PATH', '/');

And all appears well. I would say things get a little more confusing if you are on a shared SSL, but if anyone's interested I could probably find and post the answers here later (when I get a spare five minutes!)

OK, so to summarise so far, if, in your admin you have FORCE COOKIE USE set to FALSE, any users with cookies enabled should see a nice short URL and if the customer has cookies disabled they will see a chuffing great long URL with a session id tagged on the end.

So going back to my original post about how to set up the SESSIONS in admin, I guess it's better to not set FORCE COOKIE USE to true, as this will certainly prevent AOL users, amongst others, from accessing your shop (Cheers Rhea for that pointer).

Everything I have read indicates that PREVENT SPIDER SESSIONS must be set to TRUE as a matter of security.

As far as the rest of the settings go, not sure yet!! Will try and do a bit more reading.

If I am going over old ground for you experienced hands, please put me out of my misery and save me a bit of time by letting me know the best set up!


Right, after creating the world's longest post tonight I think I am going to clear off to bed. The only thing left to explain is why I have not implemented these new settings on my site. Well, it all boils down to my old friend the HSBC secure e-payments!! I have hard coded (I think that's the correct techie term) a session id into the return post from the HSBC site, Doh!! It was the only way I could get it working at the time. Now, how this is going to be affected by using cookies I am not quite sure and am certainly not prepared to think about or try to change after half a bottle of Johnny Walker. That's a job for another day (when I get another spare five minutes).

Cheers for now.
Richard.
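The config lines in the quoted post make osCommerce's cookie work so the ID stays out of the URL; as an added example (not from the thread and not osCommerce's own code), here is the equivalent expressed in plain PHP session settings, together with a redirect that removes a stray osCsid from a link that has already been shared. COOKIE_DOMAIN is a placeholder for your own host.

```php
<?php
// Added example: carry the session ID only in a cookie, never in the URL,
// and clean old links that still have an osCsid parameter on them.
const COOKIE_DOMAIN = 'www.example.com'; // placeholder; use your real domain
const SESSION_NAME  = 'osCsid';          // the name osCommerce uses in the thread

// Remove the osCsid query parameter from a URL and return the clean URL.
function strip_session_id(string $url): string
{
    $parts = parse_url($url);
    if ($parts === false || empty($parts['query'])) {
        return $url;
    }
    parse_str($parts['query'], $query);
    unset($query[SESSION_NAME]);
    $clean = ($parts['scheme'] ?? 'http') . '://' . ($parts['host'] ?? '')
           . ($parts['path'] ?? '/');
    if ($query !== []) {
        $clean .= '?' . http_build_query($query);
    }
    return $clean;
}

// Tell PHP to accept and emit the session ID through the cookie only.
ini_set('session.use_only_cookies', '1'); // ignore ?osCsid=... in the URL
ini_set('session.use_trans_sid', '0');    // never rewrite links to add it
session_name(SESSION_NAME);
session_set_cookie_params([
    'lifetime' => 0,
    'path'     => '/',
    'domain'   => COOKIE_DOMAIN,
    'secure'   => true,   // set false only if the shop still serves HTTP pages
    'httponly' => true,   // keep the cookie out of reach of page scripts
    'samesite' => 'Lax',
]);
session_start();

// A visitor arriving on an old shared link: send them to the same page
// without the ID so it is not copied onwards again.
if (isset($_GET[SESSION_NAME])) {
    $scheme  = !empty($_SERVER['HTTPS']) ? 'https' : 'http';
    $current = $scheme . '://' . $_SERVER['HTTP_HOST'] . $_SERVER['REQUEST_URI'];
    header('Location: ' . strip_session_id($current), true, 302);
    exit;
}
```

With use_only_cookies set, a visitor whose browser blocks cookies cannot hold a session at all, which is the same trade-off the post describes for FORCE COOKIE USE.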
 
At least I know now I have a few guardian angels on here ;)

Thx cyberarmy & eitai2001 :D
 
Nope...it's still giving session IDs....

product_info.php?products_id=304&osCsid=8cd92ad4ba507101b8e19bf13a11206f

Sorry, I thought you wanted to kill them for SEO purposes. It is a good idea to make sure the search engine spiders are not spidering with the session IDs, as it poses the same risk as someone posting with the session ID.

You would be looking for this contrib
http://addons.oscommerce.com/info/2913
 
Hi.
Do you have cookies enabled? It works perfectly on my PC.

I have already looked at that contribution you sent me ... but the problem is "until a user goes to log-in or tries to buy a product."
I don't want it to create a session ID when the user logs in.

Regards

Itai
 
I see what it's doing now: it adds the session ID on the first link you click, thereafter it removes it. So I will look for a contribution I saw the other day which prevents it showing the SID in the beginning.
 
I don't suppose any of you know what contribution Prophecy or Sybaritic use to prevent this?
 
Hi.
Do you have cookies enabled? It works perfectly on my PC.

I have already looked at that contribution you sent me ... but the problem is "until a user goes to log-in or tries to buy a product."
I don't want it to create a session ID when the user logs in.

Regards

Itai

In all honesty that will be your best solution to stop session IDs from being given to both spiders and visitors/customers. The session ID is created during the login/create account screens, and then removed when the customer browses further...

Unless there is something I am missing, but why would you not want the session ID to be created when they login/buy an item? It is not as if they will be posting links of the shopping cart/login screens?
 
The problem was that they logged in, browsed, and then copied a link afterwards and posted it, and whoever clicked that link was logged into his account.
 
Have you installed it though? The session ID is created on login, or create account/shopping cart. It is then not displayed when they browse further....it should have stopped your problem?
 
Not yet ... but if it does display the SID somewhere, then it still doesn't do what I want :P ... I e-mailed Sybaritic and they said they spent a lot of time and did a lot of research, so they don't wanna tell me which one it is, so maybe it's not a premade contribution?
 
I tried to install the contribution, but seeing as I run CRE Loaded, the install instructions were ineffective because the application_top.php file didn't have the settings I needed to change. So there is no way for me to install this contribution without customising it, which I have no idea how to do :P
 