
What is the osCsid & why you must not lose it.


206 replies to this topic

#41   danut82

danut82
  • Members
  • 63 posts

Posted 21 April 2009 - 13:12

hi,

you need to make the comparison and after the modification on the php file (hint: make a search with: button_in_cart.gif and you will find the lines)






Don't know if anyone else had probs with the contrib above SID KILLER..but in steps 5 and 6 of CHANGING THE BUTTONS the lines of code that needed replacing were not actually there:

ie:Step 5
========
File: /catalog/products_new.php
Find the code:

<td align="right" valign="middle" class="main"><?php echo '<a href="' . tep_href_link(FILENAME_PRODUCTS_NEW, tep_get_all_get_params(array('action')) . 'action=buy_now&products_id=' . $products_new['products_id']) . '">' . tep_image_button('button_in_cart.gif', IMAGE_BUTTON_IN_CART) . '</a>'; ?></td>

and replace it with:
(relevant new code)

and...
Step 6 (hey last step!)
========
File: /catalog/product_reviews.php
=========================================================
The reason for this change is that when there is NO review existent for a product,
the users get product_reviews.php, not product_reviews_info.php ;). So we gotta mod a lil'


Find: ( Somewhere around line 189)

echo '<p><a href="' . tep_href_link(basename($PHP_SELF), tep_get_all_get_params(array('action')) . 'action=buy_now') . '">' . tep_image_button('button_in_cart.gif', IMAGE_BUTTON_IN_CART) . '</a></p>';

Replace WITH


Anyone else have this prob?
All other suggested codes were found and replaced apart from these two.



#42   amirage

amirage
  • Members
  • 56 posts

Posted 28 April 2009 - 09:14

hi,

you need to make the comparison and after the modification on the php file (hint: make a search with: button_in_cart.gif and you will find the lines)


Hi, yes I used Ctrl F to find where it was used but nothing came up. I scrolled through the lines of code again and again and again, any other suggestions please please...this SID THING is a killer.

#43   amirage

amirage
  • Members
  • 56 posts

Posted 28 April 2009 - 13:14

Another place you can lose sid is through forms, if you create a form with pure html like:

<form name="contact_us" action="<?php echo FILENAME_CONTACT_US ?>" method="get"> Name: <input type="text" name="name"> More Text <input type="submit" value="Submit"> </form>


As the form action does not contain the sid, it's lost!!

the correct method is:

<?php echo tep_draw_form('contact_us', tep_href_link(FILENAME_CONTACT_US, 'action=send'), 'get'); ?>

Name:  <?php echo tep_draw_input_field('name'); ?>

More Text <?php echo tep_image_submit('button_continue.gif', IMAGE_BUTTON_CONTINUE); ?>

</form>


Note the use of tep_href_link within the form.



If you're writing your own code, the details for the tep_href_link function are:

tep_href_link($page, $parameters , $connection, $add_session_id , $search_engine_safe )


$page is the page you are linking to.
$parameters is parameters for the url (action=send etc)
$connection is SSL or NONSSL
$add_session_id is normally 'true' so sid is added
$search_engine_safe if set to true and SEARCH_ENGINE_FRIENDLY_URLS is set to 'true' (in admin) sef url's are created.


No matter what I try I still can't get the tep_href_link to work. Once saved and tested it goes straight to an error page. The link ends up full of %20 etc.. and shows the FILENAME radera. What am I doing wrong?
For eg:
I am trying to include a link on all product pages from the same manufacturer at the bottom of the product info, back to the Brand name so creating a link 'More Products by this manufacturer'. I just want to link straight back to the MANUFACTURER Name
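
The raw-form problem described in the quoted explanation above can be checked for mechanically. This added example (not from the thread or from osCommerce) is a small Python lint that flags `<form action>` and `<a href>` targets in a template that are internal but not built with `tep_href_link`; the sample template and the function name `find_sid_dropping_targets` are constructed for illustration.

```python
import re

# Constructed template text: raw targets next to ones built with the helper.
SAMPLE_TEMPLATE = '''\
<form name="contact_us" action="<?php echo FILENAME_CONTACT_US ?>" method="get">
Name: <input type="text" name="name">
</form>
<?php echo tep_draw_form('contact_us', tep_href_link(FILENAME_CONTACT_US, 'action=send'), 'get'); ?>
<a href="<?php echo FILENAME_CONTACT_US; ?>">Contact</a>
<a href="<?php echo tep_href_link(FILENAME_CONTACT_US); ?>">Contact</a>
<a href="http://www.example.org/">External</a>
'''

# action="..." on <form> or href="..." on <a>; the value may hold a <?php ... ?> block.
ATTR = re.compile(
    r'<(form|a)\b[^>]*?\b(action|href)\s*=\s*"((?:<\?php.*?\?>|[^"])*)"',
    re.I | re.S)


def find_sid_dropping_targets(template):
    """Return (line, tag, attribute, value) for internal targets that bypass tep_href_link."""
    findings = []
    for m in ATTR.finditer(template):
        tag, attr, value = m.group(1).lower(), m.group(2).lower(), m.group(3)
        if re.match(r'(?:[a-z][a-z0-9+.-]*:|//|#)', value, re.I):
            continue  # absolute or external URL, or a fragment: no SID expected here
        if 'tep_href_link(' in value:
            continue  # built by the helper, which adds the SID as the post explains
        line = template.count('\n', 0, m.start()) + 1
        findings.append((line, tag, attr, value))
    return findings


if __name__ == "__main__":
    for line, tag, attr, value in find_sid_dropping_targets(SAMPLE_TEMPLATE):
        print(f"line {line}: <{tag} {attr}> bypasses tep_href_link: {value}")
```

Links assembled inside PHP strings, like the `button_in_cart.gif` lines earlier in the thread, are outside what this pattern inspects.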

#44   RBaxter

RBaxter
  • Members
  • 24 posts

Posted 09 June 2009 - 13:17

Hi all,
I've been reading up about SID Killer and I was wondering; will setting force cookies to true, prevent spider sessions and updating the spider.txt provide sufficient\comparable protection against SID mix ups? After trying SID Killer out, I'd rather not use it if possible due to conflicts with other contributions, but if this is the best\only way of being sure, then I'll obviously plump for this.

The reason I'm asking is because after looking through the forums, some people recommend SID Killer highly and others seem to absolutely hate it and think it is overrated. Any opinions would be greatly appreciated!
Cheers
-R

#45   spooks

spooks
  • Members
  • 7,017 posts

Posted 09 June 2009 - 17:29

If you have set prevent spider sessions to true and updated the spider.txt you don't need SID killer


You could still get sid mixup if other sites etc include the sid, so you need to be careful.

Set Recreate Session to true to avoid that problem
Sam

Remember, What you think I meant may not be what I thought I meant when I said it.

Contributions:


Auto Backup your Database, Easy way

Multi Images with Fancy Pop-ups, Easy way

Products in columns with multi buy etc etc

Disable any Category or Product, Easy way

Secure & Improve your account pages et al.

#46   Solan

Solan
  • Members
  • 252 posts

Posted 09 June 2009 - 19:25

You have errors in your configuration

typical config files:

CATALOG/ADMIN/INCLUDES/CONFIGURE.PHP
define('HTTP_SERVER', 'http://www.my-site.co.uk');
define('HTTP_CATALOG_SERVER', 'http://www.my-site.co.uk');
define('HTTPS_CATALOG_SERVER', 'http://www.my-site.co.uk');
define('DIR_WS_HTTP_CATALOG', '/servername/catalog/');
define('DIR_WS_HTTPS_CATALOG', '/servername/catalog/');
define('ENABLE_SSL_CATALOG', 'false');
define('DIR_FS_DOCUMENT_ROOT', '/home/servername/public_html/catalog/');
define('DIR_WS_ADMIN', '/catalog/admin/');
define('DIR_FS_ADMIN', '/home/servername/public_html/catalog/admin/');
define('DIR_WS_CATALOG', '/catalog/');
define('DIR_FS_CATALOG', '/home/servername/public_html/catalog/');
define('DIR_WS_IMAGES', 'images/');
define('DIR_WS_ICONS', DIR_WS_IMAGES . 'icons/');
define('DIR_WS_CATALOG_IMAGES', DIR_WS_CATALOG . 'images/');
define('DIR_WS_INCLUDES', 'includes/');
define('DIR_WS_BOXES', DIR_WS_INCLUDES . 'boxes/');
define('DIR_WS_FUNCTIONS', DIR_WS_INCLUDES . 'functions/');
define('DIR_WS_CLASSES', DIR_WS_INCLUDES . 'classes/');
define('DIR_WS_MODULES', DIR_WS_INCLUDES . 'modules/');
define('DIR_WS_LANGUAGES', DIR_WS_INCLUDES . 'languages/');
define('DIR_WS_CATALOG_LANGUAGES', DIR_WS_CATALOG . 'includes/languages/');
define('DIR_FS_CATALOG_LANGUAGES', DIR_FS_CATALOG . 'includes/languages/');
define('DIR_FS_CATALOG_IMAGES', DIR_FS_CATALOG . 'images/');
define('DIR_FS_CATALOG_MODULES', DIR_FS_CATALOG . 'includes/modules/');
define('DIR_FS_BACKUP', DIR_FS_ADMIN . 'backups/');


CATALOG/INCLUDES/CONFIGURE.PHP
define('HTTP_SERVER', 'http://www.my_site.co.uk');
define('HTTPS_SERVER', 'http://www.my_site.co.uk');
define('ENABLE_SSL', false);
define('HTTP_COOKIE_DOMAIN', 'www.my_site.co.uk');
define('HTTPS_COOKIE_DOMAIN', 'www.my_site.co.uk');
define('HTTP_COOKIE_PATH', '/catalog/');
define('HTTPS_COOKIE_PATH', '/catalog/');
define('DIR_WS_HTTP_CATALOG', '/catalog/');
define('DIR_WS_HTTPS_CATALOG', '/catalog/');
define('DIR_WS_IMAGES', 'images/');
define('DIR_WS_ICONS', DIR_WS_IMAGES . 'icons/');
define('DIR_WS_INCLUDES', 'includes/');
define('DIR_WS_BOXES', DIR_WS_INCLUDES . 'boxes/');
define('DIR_WS_FUNCTIONS', DIR_WS_INCLUDES . 'functions/');
define('DIR_WS_CLASSES', DIR_WS_INCLUDES . 'classes/');
define('DIR_WS_MODULES', DIR_WS_INCLUDES . 'modules/');
define('DIR_WS_LANGUAGES', DIR_WS_INCLUDES . 'languages/');


define('DIR_WS_DOWNLOAD_PUBLIC', 'pub/');
define('DIR_FS_CATALOG', '/home/servername/public_html/catalog/');
define('DIR_FS_DOWNLOAD', DIR_FS_CATALOG . 'download/');
define('DIR_FS_DOWNLOAD_PUBLIC', DIR_FS_CATALOG . 'pub/');


define('DB_SERVER', 'Localhost');
define('USE_PCONNECT', 'false');
define('STORE_SESSIONS', 'mysql');

if your store is in the root remove catalog/ above

I suspect you have catalog/ in there, but have a root based site


I compared my two configure files and I see I have some extra code in both of them that isn't in your example:

define('DB_SERVER', 'localhost');
  define('DB_SERVER_USERNAME', 'xxx_xxxxx');
  define('DB_SERVER_PASSWORD', 'xxxxx');
  define('DB_DATABASE', 'xxx_xxxxxx');
  define('USE_PCONNECT', 'false');
  define('STORE_SESSIONS', 'mysql');

Is that wrong? I can't remember putting the code in there in the first place, so I can't explain why it's in both of my configure files...

#47   spooks

spooks
  • Members
  • 7,017 posts

Posted 09 June 2009 - 20:01

define('DB_SERVER', 'localhost');
  define('DB_SERVER_USERNAME', 'xxx_xxxxx');
  define('DB_SERVER_PASSWORD', 'xxxxx');
  define('DB_DATABASE', 'xxx_xxxxxx');
  define('USE_PCONNECT', 'false');
  define('STORE_SESSIONS', 'mysql');

Those are normal & correct, I leave them off the example to avoid some posting theirs 'as is' with the security info compromised.
Sam


#48   Solan

Solan
  • Members
  • 252 posts

Posted 09 June 2009 - 20:46

ok, Thanks..

Now back to my bad English and understanding *lol*

I didn't quite understand if I shall have the osCsid to show or not.
They show if I have force cookie use false

And not show if force cookie use True.

What configuration should I have in my sessions?
Check SSL Session ID
Check User Agent
Check IP Address
Prevent Spider Sessions
Recreate Session

Is that depending on something or what?

#49   spooks

spooks
  • Members
  • 7,017 posts

Posted 09 June 2009 - 21:29

As I said Prevent Spider Sessions must be set to true, setting Recreate Session to true is a good idea, but it depends on your server, the others depend on your site & server config.

You cannot & must not block the sid, with force cookie ON the sid is in the cookie, so it's not in the url otherwise it's up to osc if it's needed in the url or not.

PLEASE READ THE THREAD

Sam


#50   Solan

Solan
  • Members
  • 252 posts

Posted 09 June 2009 - 21:45

I have been reading the Thread but, as this is in another language I sometimes find it difficult to understand.. especially "computer talk" :blush:

Sorry...

I'm afraid to annoy you more but, I have to ask just so I make it glass clear:

If my URLs look like http:// mywebsite.com/index.php/barn-c-3?osCsid=4ae2e68238d85d62d43ffda14202bf77 and someone copies that url and pastes it on another website, the osCsid will also show... is that a bad thing?

Please be kind and not angry with me for my stupid questions... :blush: (wish I were English or American)

#51   FWR Media

FWR Media
  • Members
  • 6,839 posts

Posted 09 June 2009 - 21:49

I have been reading the Thread but, as this is in another language I sometimes find it difficult to understand.. especially "computer talk" :blush:

Sorry...

I'm afraid to annoy you more but, I have to ask just so I make it glass clear:

If my URLs look like http:// mywebsite.com/index.php/barn-c-3?osCsid=4ae2e68238d85d62d43ffda14202bf77 and someone copies that url and pastes it on another website, the osCsid will also show... is that a bad thing?

Please be kind and not angry with me for my stupid questions... :blush: (wish I were English or American)


It would be a problem if sessions were not recreated .. Recreate session should always be TRUE. Recreating the session id after a user "change of state" is simple standard practise.

Your osCsid should only be visible in the querystring for one click .. after that it should be gone or your includes/configure.php settings are wrong.

Edited by FWR Media, 09 June 2009 - 21:50.
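
One way to look for the SID mix-up discussed in posts #45 to #51, as an added example that is not part of the thread: a Python pass over web-server access logs that reports any osCsid presented by more than one client and any osCsid arriving from a referrer outside the shop. The log lines, host names and session IDs are constructed, and `shop.example` and the function name `audit_sids` are assumptions.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit, parse_qs

# Constructed access-log lines (combined log format); every value is made up.
SAMPLE_LOG = '''\
203.0.113.5 - - [09/Jun/2009:21:40:01 +0000] "GET /index.php?osCsid=aaaa1111aaaa1111aaaa1111aaaa1111 HTTP/1.1" 200 512 "-" "Mozilla/5.0 (Windows)"
203.0.113.5 - - [09/Jun/2009:21:40:09 +0000] "GET /product_info.php?products_id=3 HTTP/1.1" 200 734 "http://shop.example/index.php" "Mozilla/5.0 (Windows)"
198.51.100.7 - - [09/Jun/2009:21:45:30 +0000] "GET /index.php/barn-c-3?osCsid=bbbb2222bbbb2222bbbb2222bbbb2222 HTTP/1.1" 200 901 "http://forum.example/thread/9" "Mozilla/5.0 (X11)"
192.0.2.44 - - [09/Jun/2009:21:47:12 +0000] "GET /index.php/barn-c-3?osCsid=bbbb2222bbbb2222bbbb2222bbbb2222 HTTP/1.1" 200 901 "http://forum.example/thread/9" "Opera/9.64"
'''

LINE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?:GET|POST|HEAD) (?P<url>\S+) [^"]*" '
    r'\d+ \S+ "(?P<ref>[^"]*)" "(?P<ua>[^"]*)"')


def audit_sids(log_text, own_host="shop.example"):
    """Return (shared, external): SIDs used by several clients, SIDs sent from other sites."""
    clients = defaultdict(set)    # sid -> {(ip, user agent)}
    external = defaultdict(set)   # sid -> {referrer hosts other than the shop}
    for line in log_text.splitlines():
        m = LINE.match(line)
        if not m:
            continue
        sids = parse_qs(urlsplit(m["url"]).query).get("osCsid")
        if not sids:
            continue  # SID travelled in the cookie, or there is no session yet
        sid = sids[0]
        clients[sid].add((m["ip"], m["ua"]))
        ref_host = urlsplit(m["ref"]).hostname
        if ref_host and ref_host != own_host:
            external[sid].add(ref_host)
    shared = {sid: sorted(c) for sid, c in clients.items() if len(c) > 1}
    return shared, {sid: sorted(h) for sid, h in external.items()}


if __name__ == "__main__":
    shared, external = audit_sids(SAMPLE_LOG)
    for sid, who in shared.items():
        print(f"osCsid {sid} used by {len(who)} clients, referrers: {external.get(sid, [])}")
```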


#52   Solan

Solan
  • Members
  • 252 posts

Posted 09 June 2009 - 22:01

Thank you Robert :rolleyes:

I feel horrible, not understanding what you mean by "in the querystring for one click" ....

I have compared my includes/configure.php with the one in this thread and see nothing wrong... but this line:

define('ENABLE_SSL', false);


#53   FWR Media

FWR Media
  • Members
  • 6,839 posts

Posted 09 June 2009 - 22:05

Thank you Robert :rolleyes:

I feel horrible, not understanding what you mean by "in the querystring for one click" ....

I have compared my includes/configure.php with the one in this thread and see nothing wrong... but this line:

define('ENABLE_SSL', false);


Solan if you close ALL of your browser windows then go to your site.

Hover over any link and you will see in the bottom bar that the link has an osCsid appended to it.

If you then click that link then once again hover over a link when the page reloads the link should now be free of any osCsid.

Edited by FWR Media, 09 June 2009 - 22:05.


#54   Solan

Solan
  • Members
  • 252 posts

Posted 09 June 2009 - 22:23

Sorry but then I think I have a problem, I don't know if I do it right but I still see the osCsid...

#55   FWR Media

FWR Media
  • Members
  • 6,839 posts

Posted 09 June 2009 - 22:26

Sorry but then I think I have a problem, I don't know if I do it right but I still see the osCsid...


Yes having seen your site you have persistent osCsid so your settings are wrong.

#56   Solan

Solan
  • Members
  • 252 posts

Posted 09 June 2009 - 22:29

Yes having seen your site you have persistent osCsid so your settings are wrong.


:( okay Thanks.. but nice to know my problem..

#57   RBaxter

RBaxter
  • Members
  • 24 posts

Posted 10 June 2009 - 13:18

If you have set prevent spider sessions to true and updated the spider.txt you don`t need SID killer


You could still get sid mixup if other sites etc include the sid, so you need to be careful.

Set Recreate Session to true to avoid that problem


Thanks a lot for the help! I'll make sure those settings are set!
Much appreciated -R

#58   Solan

Solan
  • Members
  • 252 posts

Posted 10 June 2009 - 20:34

It would be a problem if sessions were not recreated .. Recreate session should always be TRUE. Recreating the session id after a user "change of state" is simple standard practise.

Your osCsid should only be visible in the querystring for one click .. after that it should be gone or your includes/configure.php settings are wrong.


You were totally right my friend :rolleyes: my includes/configure.php settings were wrong...

With your great help I could finally load a correct configure.php

Thank you a million times for helping me out with my issue.. *handing you a flower*

It feels great having a site again *lol*

#59   amirage

amirage
  • Members
  • 56 posts

Posted 19 June 2009 - 11:38

errm okay guys now back to my prob...I mean back to the SOLUTION I desperately still need help with the following:
What is the correct way to add a link to my page?
Scenario 1: I am using osCommerce and adding a link within the description of a product to another product on the same site what code is suitable?
Scenario 2: If I want to link from a product page to a different site what code is suitable?
Scenario 3: If I am using Dreamweaver then does the applicable code remain the same as if designing the page in osCommerce or is it okay to just use the normal 'insert link' function.

PLEASE PLEASE HANDSOME..PRETTY PLEASE HELP :rolleyes:

#60   amirage

amirage
  • Members
  • 56 posts

Posted 29 June 2009 - 12:12

No one out there who can help with this? Not anyone? Please?