
What is the osCsid & why you must not lose it.



#1 spooks

  • Community Member
  • 6,668 posts
  • Real Name:Sam
  • Gender:Male
  • Location:UK

Posted 05 March 2009, 18:01


This issue keeps raising its ugly head and many seem confused, so I will endeavour to shed some light on the problems.

The session id (sid or osCsid) is used by e-commerce applications to keep track of users as they browse the site, so that the store knows who the user is and therefore which basket and account are theirs.

The sid is stored within the url and/or a cookie (if available). So a url with a sid would look like: http://www.domain-one.com/index.php?osCsid...52r43tWEFw34352

Clearly, to ensure the above works properly you must make sure no links to your site contain a sid, whether in a search engine's index (Prevent Spider Sessions), on other sites linking to you, or in any links within your own site. If this does occur you can get users finding they are accessing another's account, orders getting mixed up and even billing going awry. There is a new tag (canonical) which could help you avoid this problem with search engines, though you must avoid the problem occurring in the first place.
Example of use for product_info.php is:
<link rel="canonical" href="<?php echo tep_href_link(FILENAME_PRODUCT_INFO, 'products_id=' . (int)$_GET['products_id'],NONSSL,false); ?>" />
Equally, when a user is on the site osC needs to ensure the user's sid is kept throughout the visit, as if it is lost at any time the application will consider them a new visitor, so they would lose the cart contents, suddenly find they're logged out again or even get lost halfway through checkout!!

osC keeps the user's sid between pages through use of the tep_href_link function, so all links must use tep_href_link to ensure the sid remains. You can work around this issue with 'Force Cookie Use': since the sid is then stored within the cookie, if it is lost through any 'bad' code it can be picked up from there again.

So should you create your own links and simply use something like
<a href="index.php">Back Home</a>
you are creating some major problems for yourself. Instead you should put
<a href="<?php echo tep_href_link(FILENAME_DEFAULT); ?>">Back Home</a>


The sid is also used by some contributions (like Anti Robot Registration Validation) where the sid is used as the root for creation of the code presented to the user, so if it's missing code generation will not work.

Contributions that may help if you have issues:

SID Killer http://addons.oscommerce.com/info/952
Duplicate Content Manager http://addons.oscommerce.com/info/6214


For further reading see: http://www.oscommerce.info/kb/osCommerce/D...plementations/4

and http://www.oscommerce.info/kb/168

I hope that makes things clearer. ;)

Edited by spooks, 05 March 2009, 18:15.

Sam

Remember, What you think I ment may not be what I thought I ment when I said it.

Post osC questions don't PM them. Vampire?

Contributions:

Multi Images with Fancy Popups, Easy way

Products in columns with multi buy etc etc

Disable any Category or Product, Easy way

Secure & Improve your account pages et al.
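As an added example (Python, not osCommerce's own code), this is the check the post above calls for: scan a rendered page's links for a session id where it must not appear (the rel=canonical URL, links to external sites) and for internal links that would drop it. The sample HTML, the host name www.domain-one.com and the sid value abc123 are constructed; the visitor_has_cookie flag models 'Force Cookie Use'.

```python
"""Audit a rendered storefront page for osCsid handling (added example,
not osCommerce code). The HTML, host name and sid value are constructed."""
from html.parser import HTMLParser
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

SID_NAME = "osCsid"  # osCommerce's session parameter name


def strip_sid(url: str) -> str:
    """Remove the osCsid parameter: the URL a rel=canonical tag should carry."""
    parts = urlsplit(url)
    query = [(k, v) for k, v in parse_qsl(parts.query, keep_blank_values=True)
             if k != SID_NAME]
    return urlunsplit(parts._replace(query=urlencode(query)))


def has_sid(url: str) -> bool:
    return any(k == SID_NAME for k, _ in parse_qsl(urlsplit(url).query))


class _LinkCollector(HTMLParser):
    """Collect <a href> values and the rel=canonical href from page HTML."""

    def __init__(self):
        super().__init__()
        self.hrefs = []
        self.canonical = None

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "a" and attrs.get("href"):
            self.hrefs.append(attrs["href"])
        elif tag == "link" and attrs.get("rel") == "canonical":
            self.canonical = attrs.get("href")


def audit_links(html: str, own_host: str, visitor_has_cookie: bool) -> list:
    """Return (href, problem) pairs for links that mishandle the session id.

    visitor_has_cookie models 'Force Cookie Use': with a cookie, an internal
    link without the sid is harmless; without one, it starts a new session.
    """
    collector = _LinkCollector()
    collector.feed(html)
    problems = []
    if collector.canonical and has_sid(collector.canonical):
        problems.append((collector.canonical, "canonical URL carries a session id"))
    for href in collector.hrefs:
        parts = urlsplit(href)
        if parts.scheme not in ("", "http", "https"):
            continue  # mailto:, javascript: etc. carry no session
        if not parts.path and not parts.query:
            continue  # same-document '#anchor' link
        internal = parts.netloc in ("", own_host)
        if not internal and has_sid(href):
            problems.append((href, "session id leaked to an external site"))
        elif internal and not has_sid(href) and not visitor_has_cookie:
            problems.append((href, "internal link drops the session id"))
    return problems


# Constructed sample page: a bad canonical, one internal link with the sid,
# one without, one external link with the sid and one without, one anchor.
SAMPLE_HTML = """
<link rel="canonical"
      href="http://www.domain-one.com/product_info.php?products_id=28&amp;osCsid=abc123" />
<a href="index.php?osCsid=abc123">Home</a>
<a href="product_info.php?products_id=28">Widget</a>
<a href="http://www.other-site.example/?osCsid=abc123">Partner</a>
<a href="http://www.other-site.example/">Partner (clean)</a>
<a href="#information">More Info</a>
"""

if __name__ == "__main__":
    for href, problem in audit_links(SAMPLE_HTML, "www.domain-one.com", False):
        print(f"{problem}: {href}")
    bad = "http://www.domain-one.com/product_info.php?products_id=28&osCsid=abc123"
    print("canonical should be:", strip_sid(bad))
```

Run against your own store's HTML with the visitor's cookie state set both ways: the leak findings (canonical and external) must be empty regardless, while the "drops the session id" findings are only tolerable if you rely on 'Force Cookie Use'.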

#2 spooks


Posted 05 March 2009, 20:03

Another way you can lose the sid is through the use of links to anchors on a page, like

<a href="<?php echo tep_href_link(FILENAME_DEFAULT,'action=default#information'); ?>">More Info</a>

The trouble with this is that, should the url contain a sid, the resulting link will be:

http://www.domain-one.com/index.php?action...52r43tWEFw34352

Since the sid occurs after the anchor, it's ignored, so the sid is lost and disaster follows.

The answer is to either not use anchors, or test for the sid and not use anchors if it exists.

I.e. at the top of the page you have

$sess_id = (tep_not_null(SID));

then the above link would become

<a href="<?php echo tep_href_link(FILENAME_DEFAULT,'action=default' . ($sess_id ? '' : '#information')); ?>">More Info</a>

I hope that's useful to some. :)

Edited by spooks, 05 March 2009, 20:08.

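The following is an added Python model of the anchor problem described in the post above; it is not osCommerce's PHP. The naive builder appends '&osCsid=...' after everything the caller passed, fragment included, exactly as the post describes; the safe builder reorders the parts so the sid lands in the query, an alternative to dropping the anchor. Page names and the sid value are constructed.

```python
"""Why a '#anchor' inside the parameters string loses the session id
(added example, not osCommerce's PHP). Page names and sid are constructed."""
from typing import Optional
from urllib.parse import parse_qs, urlsplit

SID_NAME = "osCsid"


def naive_href_link(page: str, parameters: str, sid: str) -> str:
    """Append the sid after everything the caller passed, fragment included."""
    url = page + ("?" + parameters if parameters else "")
    if not sid:
        return url
    sep = "&" if "?" in url else "?"
    return url + sep + SID_NAME + "=" + sid


def safe_href_link(page: str, parameters: str, sid: str) -> str:
    """Split a trailing '#fragment' off first so the sid lands in the query."""
    query, _, fragment = parameters.partition("#")
    url = naive_href_link(page, query, sid)
    return url + ("#" + fragment if fragment else "")


def sid_seen_by_server(url: str) -> Optional[str]:
    """The server only ever sees the query; the fragment stays in the browser."""
    return parse_qs(urlsplit(url).query).get(SID_NAME, [None])[0]


if __name__ == "__main__":
    for builder in (naive_href_link, safe_href_link):
        link = builder("index.php", "action=default#information", "52r43tWEFw34352")
        print(f"{builder.__name__}: {link} -> server sees sid {sid_seen_by_server(link)!r}")
```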

#3 spooks


Posted 07 March 2009, 11:43

Another place you can lose the sid is through forms. If you create a form with pure html like:

<form name="contact_us" action="<?php echo FILENAME_CONTACT_US ?>" method="get">
Name: <input type="text" name="name">
More Text <input type="submit" value="Submit">
</form>


As the form action does not contain the sid, it's lost!!

the correct method is:

<?php echo tep_draw_form('contact_us', tep_href_link(FILENAME_CONTACT_US, 'action=send'), 'get'); ?>

Name:  <?php echo tep_draw_input_field('name'); ?>

More Text <?php echo tep_image_submit('button_continue.gif', IMAGE_BUTTON_CONTINUE); ?>

</form>


Note the use of tep_href_link within the form.



If you're writing your own code, the details for the tep_href_link function are:

tep_href_link($page, $parameters, $connection, $add_session_id, $search_engine_safe)


$page is the page you are linking to.
$parameters is parameters for the url (action=send etc)
$connection is SSL or NONSSL
$add_session_id is normally 'true' so sid is added
$search_engine_safe if set to true, and SEARCH_ENGINE_FRIENDLY_URLS is set to 'true' (in admin), SEF urls are created.
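One caveat a practitioner will want alongside the form example above, as an added Python model (not osCommerce code) of the browser's side of a form submission: for method="get" the HTML form-submission algorithm replaces the action URL's query string with the form fields, so a sid placed in the action by tep_href_link, and any other parameter there, never reaches the server unless it also travels as a field. osCommerce's own tep_hide_session_id() helper emits such a hidden field; a POST form keeps the action's query untouched. The action string, field names and sid value are constructed.

```python
"""Browser-side model of form submission (added example, not osCommerce
code): for method=get the form fields REPLACE the action URL's query string.
The action string, field names and sid value below are constructed."""
from typing import Optional, Tuple
from urllib.parse import parse_qs, urlencode, urlsplit, urlunsplit

SID_NAME = "osCsid"
# What tep_href_link(FILENAME_CONTACT_US, 'action=send') yields with a sid in play
ACTION = "contact_us.php?action=send&osCsid=abc123"
FIELDS = {"name": "Sam", "enquiry": "hello"}


def submit_form(action: str, method: str, fields: dict) -> Tuple[str, str]:
    """Return (request_url, body) as the HTML form-submission algorithm builds them."""
    parts = urlsplit(action)._replace(fragment="")
    if method.lower() == "get":
        # GET: the action's query component is replaced by the form data set
        return urlunsplit(parts._replace(query=urlencode(fields))), ""
    # POST: the action URL is used as-is and the fields travel in the body
    return urlunsplit(parts), urlencode(fields)


def server_params(request_url: str, body: str) -> dict:
    """Flatten what the server sees from the query string plus the POST body."""
    merged = {}
    for source in (urlsplit(request_url).query, body):
        merged.update({k: v[0] for k, v in parse_qs(source).items()})
    return merged


def get_without_hidden_fields() -> Optional[str]:
    url, body = submit_form(ACTION, "get", FIELDS)
    return server_params(url, body).get(SID_NAME)


def get_with_hidden_fields() -> Optional[str]:
    # Carry 'action' and the sid as hidden inputs; osCommerce's
    # tep_hide_session_id() emits the sid one when a session is active
    fields = dict(FIELDS, action="send", **{SID_NAME: "abc123"})
    url, body = submit_form(ACTION, "get", fields)
    return server_params(url, body).get(SID_NAME)


def post_form() -> Optional[str]:
    url, body = submit_form(ACTION, "post", FIELDS)
    return server_params(url, body).get(SID_NAME)


if __name__ == "__main__":
    print("GET, sid only in action:  ", get_without_hidden_fields())
    print("GET, sid as hidden field: ", get_with_hidden_fields())
    print("POST, sid in action query:", post_form())
```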

#4 TheZag

  • Community Member
  • 55 posts
  • Real Name:Giuseppe Zagaria
  • Gender:Male
  • Location:Milan ITALY

Posted 09 March 2009, 09:26

First of all, thanks for your helpful arguments.
I need help on two issues.

1) :blush: I'm not able to write the right code for a "background-image" inside a table and in a td

<table border="0" cellspacing="0" cellpadding="0" background-image="<?php tep_image(... etc

2) I put the McAfee Secure image and its link in my header.php
I was more or less able to get it to work just by creating a new function like tep_href_link and deleting the home references.
I have the problem that, as it adds the SID at the end of the link, it doesn't open the McAfee certificate page.
But the question is, is it good to have it in the header ?
I mean, thinking to this SID issue...

Just to understand how it works, WHERE and HOW is it better to put the GoDaddy SSL link? Same for McAfee.
If for example they are in footer.php, do I need to change the code the same way?
Or is the loss of the SID just at the top of pages?

Thanks in advance for patience,
I'm not a php programmer and I'm learning.

#5 TheZag


Posted 09 March 2009, 12:25

Hello,

will this break the SID?

<table border="0" width="800" cellspacing="0" cellpadding="0" align="center" style="border:1px solid #000000; background-image:url(../img/backlogo.jpg);">

Thanks

Edited by TheZag, 09 March 2009, 12:36.


#6 spooks


Posted 09 March 2009, 12:50

You don't want the sid on links to external pages. You can tell tep_href_link not to add the sid with:

tep_href_link('my_link.php', '', NONSSL, false);

Note the 'false' in the 4th argument. However, as tep_href_link is for internal links on your site it will add http://www.your_domain.com to the link, which is not what you want.

As this is an external link you can just use the likes of <a href="http://www.other site.html">Other Site</a>

or you could use redirect.php

#7 spooks


Posted 09 March 2009, 13:05

No, its not a link!!!

#8 TheZag


Posted 09 March 2009, 17:09

spooks, on Mar 9 2009, 02:05 PM, said:

No, its not a link!!!

Thank you.
:blush: Another thing.

The GoDaddy SSL certificate seal uses a script:

<script type="text/javascript" src="https://seal.godaddy.com/getSeal?sealID=XXX" target="_blank"></script>

Will this break the SID? How can this one be changed?
Thanks a lot !

#9 spooks


Posted 09 March 2009, 18:29

As before, its linking off site, so no problem.

:D

#10 TheZag


Posted 13 March 2009, 17:22

spooks, on Mar 9 2009, 07:29 PM, said:

As before, its linking off site, so no problem.

:D


Sorry to bother you...

PLEASE !

I think I changed all the tep_href_link...
I tried Force Cookie Use... both as False and then as True...
I tried Image Required as False and True...

NOTHING !

I still have the lost SID red alert !

If I check in Admin the page Who's On Line I can see myself, but ID is 0.
Is this right ?

I begin to think I probably have some problems with the database... I mean,
how do I check whether it records the SID and then gives it back?

What can I also check ???
I think I have installed the contribution the right way...
HELP!!!

-----------------------
I put an .htaccess file inside include folder with this code:

<Files *.php>
Order Deny,Allow
Deny from all
</Files>

Is it right ? Or is it wrong ?
----------------------

#11 spooks


Posted 13 March 2009, 22:46

Please don't make duplicate posts, it's against forum rules and annoys many. I personally tend to ignore such posters and will also generally slow any response.

I`ve uploaded a new version of the package if you look in the other thread you put this in!!!!

#12 TheZag


Posted 14 March 2009, 23:13

Sorry for that.
I don't know where to put my head to see the contribution working...

#13 spooks


Posted 14 March 2009, 23:50

TheZag, on Mar 14 2009, 11:13 PM, said:

Sorry for that.
I don't know where to put my head to see the contribution working...


Sorry, I don't understand. Have you tried the new version, or do you need to see a demo?

#14 TheZag


Posted 15 March 2009, 18:37

spooks, on Mar 15 2009, 12:50 AM, said:

Sorry, I don't understand. Have you tried the new version, or do you need to see a demo?


Your Italian is not bad!
It looks like you used some web translator, anyway! :rolleyes:

I'm checking files...
But, the thing I don't understand is... WHY all those sql versions?
And why is there no info in the help/install notes?

In the folder I uploaded, there was only one...
Probably something was missing?

About this release...
Which SQL file do I have to use?

Then, there's no reference to LINKS_SUBMIT-PAGe: what is it?
Does this have to be installed?

If I run the last SQL file, the 3.0, is it enough?

If you re-wrote all previous code, as I have many add-ons and not a new/clear installation,
do I have to delete all codes of previous version?

THANKS FOR THE HELP!

I don't think I need to see a demo, I understood how the contribution should work...
I would like my e-store to be ready to publish, I've been working on it for almost a year...
And it's not something particularly incredible (talking about graphics or visual impact...).
I hope to solve this issue.

#15 spooks


Posted 15 March 2009, 19:20

Yes, my mate Google writes my Italian for me!!!

I will reply in the contrib thread, as this don`t belong here.

#16 ivyfleur

  • Community Member
  • 88 posts
  • Real Name:Ivyfleur
  • Location:"Middle Earth"

Posted 19 March 2009, 03:58

Hi Sam,

Apologies for bothering you but I tried this

<a href="<?php echo tep_href_link(FILENAME_CONTACT_US); ?>">Contact Us</a>
which brought up an error page which states something similar to

"URL /catalog/ not found on this server."

Not sure what I am doing wrong.

#17 spooks


Posted 19 March 2009, 10:00

You have errors in your configuration

typical config files:

CATALOG/ADMIN/INCLUDES/CONFIGURE.PHP
define('HTTP_SERVER', 'http://www.my-site.co.uk');
define('HTTP_CATALOG_SERVER', 'http://www.my-site.co.uk');
define('HTTPS_CATALOG_SERVER', 'http://www.my-site.co.uk');
define('DIR_WS_HTTP_CATALOG', '/servername/catalog/');
define('DIR_WS_HTTPS_CATALOG', '/servername/catalog/');
define('ENABLE_SSL_CATALOG', 'false');
define('DIR_FS_DOCUMENT_ROOT', '/home/servername/public_html/catalog/');
define('DIR_WS_ADMIN', '/catalog/admin/');
define('DIR_FS_ADMIN', '/home/servername/public_html/catalog/admin/');
define('DIR_WS_CATALOG', '/catalog/');
define('DIR_FS_CATALOG', '/home/servername/public_html/catalog/');
define('DIR_WS_IMAGES', 'images/');
define('DIR_WS_ICONS', DIR_WS_IMAGES . 'icons/');
define('DIR_WS_CATALOG_IMAGES', DIR_WS_CATALOG . 'images/');
define('DIR_WS_INCLUDES', 'includes/');
define('DIR_WS_BOXES', DIR_WS_INCLUDES . 'boxes/');
define('DIR_WS_FUNCTIONS', DIR_WS_INCLUDES . 'functions/');
define('DIR_WS_CLASSES', DIR_WS_INCLUDES . 'classes/');
define('DIR_WS_MODULES', DIR_WS_INCLUDES . 'modules/');
define('DIR_WS_LANGUAGES', DIR_WS_INCLUDES . 'languages/');
define('DIR_WS_CATALOG_LANGUAGES', DIR_WS_CATALOG . 'includes/languages/');
define('DIR_FS_CATALOG_LANGUAGES', DIR_FS_CATALOG . 'includes/languages/');
define('DIR_FS_CATALOG_IMAGES', DIR_FS_CATALOG . 'images/');
define('DIR_FS_CATALOG_MODULES', DIR_FS_CATALOG . 'includes/modules/');
define('DIR_FS_BACKUP', DIR_FS_ADMIN . 'backups/');


CATALOG/INCLUDES/CONFIGURE.PHP
define('HTTP_SERVER', 'http://www.my_site.co.uk');
define('HTTPS_SERVER', 'http://www.my_site.co.uk');
define('ENABLE_SSL', false);
define('HTTP_COOKIE_DOMAIN', 'www.my_site.co.uk');
define('HTTPS_COOKIE_DOMAIN', 'www.my_site.co.uk');
define('HTTP_COOKIE_PATH', '/catalog/');
define('HTTPS_COOKIE_PATH', '/catalog/');
define('DIR_WS_HTTP_CATALOG', '/catalog/');
define('DIR_WS_HTTPS_CATALOG', '/catalog/');
define('DIR_WS_IMAGES', 'images/');
define('DIR_WS_ICONS', DIR_WS_IMAGES . 'icons/');
define('DIR_WS_INCLUDES', 'includes/');
define('DIR_WS_BOXES', DIR_WS_INCLUDES . 'boxes/');
define('DIR_WS_FUNCTIONS', DIR_WS_INCLUDES . 'functions/');
define('DIR_WS_CLASSES', DIR_WS_INCLUDES . 'classes/');
define('DIR_WS_MODULES', DIR_WS_INCLUDES . 'modules/');
define('DIR_WS_LANGUAGES', DIR_WS_INCLUDES . 'languages/');


define('DIR_WS_DOWNLOAD_PUBLIC', 'pub/');
define('DIR_FS_CATALOG', '/home/servername/public_html/catalog/');
define('DIR_FS_DOWNLOAD', DIR_FS_CATALOG . 'download/');
define('DIR_FS_DOWNLOAD_PUBLIC', DIR_FS_CATALOG . 'pub/');


define('DB_SERVER', 'Localhost');
define('USE_PCONNECT', 'false');
define('STORE_SESSIONS', 'mysql');

If your store is in the root, remove catalog/ above.

I suspect you have catalog/ in there, but have a root based site

Edited by spooks, 19 March 2009, 10:01.

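A consistency check for the define() lines in a configure.php like the ones above, as an added example in Python (not an osCommerce tool): the cookie path must cover the catalog path or the browser never sends the osCsid cookie back and every request looks like a new visitor, the cookie domain must be the host of the matching *_SERVER URL, and HTTPS_SERVER must be an https:// URL once ENABLE_SSL is true. Both sample configs are constructed; the broken one is a root-based store that still carries /catalog/ in its cookie paths.

```python
"""Lint the literal define() lines of an osCommerce configure.php for the
mismatches that make the osCsid cookie useless (added example, not an
osCommerce tool; both sample configs below are constructed)."""
import re
from typing import Dict, List
from urllib.parse import urlsplit

# Only literal string and true/false values are read; expressions such as
# DIR_WS_INCLUDES . 'boxes/' are skipped on purpose.
DEFINE_RE = re.compile(r"define\('(\w+)',\s*(?:'([^']*)'|(true|false))\s*\);")


def parse_defines(text: str) -> Dict[str, str]:
    return {m.group(1): m.group(2) if m.group(2) is not None else m.group(3)
            for m in DEFINE_RE.finditer(text)}


def check_config(text: str) -> List[str]:
    cfg = parse_defines(text)
    findings = []
    for scheme in ("HTTP", "HTTPS"):
        cookie_path = cfg.get(f"{scheme}_COOKIE_PATH")
        catalog = cfg.get(f"DIR_WS_{scheme}_CATALOG")
        if cookie_path and catalog and not catalog.startswith(cookie_path):
            # Browsers return a cookie only for requests under its path
            findings.append(f"{scheme}_COOKIE_PATH {cookie_path!r} does not cover "
                            f"DIR_WS_{scheme}_CATALOG {catalog!r}: cookie never sent back")
        for key in (f"{scheme}_COOKIE_PATH", f"DIR_WS_{scheme}_CATALOG"):
            val = cfg.get(key)
            if val is not None and not (val.startswith("/") and val.endswith("/")):
                findings.append(f"{key} {val!r} must start and end with '/'")
        server = cfg.get(f"{scheme}_SERVER")
        domain = cfg.get(f"{scheme}_COOKIE_DOMAIN")
        if server and domain and urlsplit(server).hostname != domain.lower():
            findings.append(f"{scheme}_COOKIE_DOMAIN {domain!r} is not the host of "
                            f"{scheme}_SERVER {server!r}")
    if cfg.get("ENABLE_SSL") == "true" and not cfg.get("HTTPS_SERVER", "").startswith("https://"):
        findings.append("ENABLE_SSL is true but HTTPS_SERVER is not an https:// URL")
    return findings


# Constructed: a root-based store that kept /catalog/ in its cookie paths
# and turned SSL on without an https:// HTTPS_SERVER.
BROKEN = """
define('HTTP_SERVER', 'http://www.my-site.co.uk');
define('HTTPS_SERVER', 'http://www.my-site.co.uk');
define('ENABLE_SSL', true);
define('HTTP_COOKIE_DOMAIN', 'www.my-site.co.uk');
define('HTTPS_COOKIE_DOMAIN', 'www.my-site.co.uk');
define('HTTP_COOKIE_PATH', '/catalog/');
define('HTTPS_COOKIE_PATH', '/catalog/');
define('DIR_WS_HTTP_CATALOG', '/');
define('DIR_WS_HTTPS_CATALOG', '/');
define('DIR_WS_INCLUDES', 'includes/');
define('DIR_WS_BOXES', DIR_WS_INCLUDES . 'boxes/');
define('STORE_SESSIONS', 'mysql');
"""
# Constructed fix: cookie paths follow the catalog path, SSL left off
FIXED = (BROKEN.replace("'/catalog/'", "'/'")
               .replace("define('ENABLE_SSL', true)", "define('ENABLE_SSL', false)"))

if __name__ == "__main__":
    for finding in check_config(BROKEN):
        print("BROKEN:", finding)
    print("FIXED findings:", check_config(FIXED))
```

Run it over both catalog/includes/configure.php and admin/includes/configure.php after an install or a move between /catalog/ and the web root; an empty list from the catalog file is the precondition for the cookie fallback that 'Force Cookie Use' relies on.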

#18 ivyfleur


Posted 19 March 2009, 19:05

Thanks for the response Sam.

I compared those files and the only difference is that I have the following two lines missing from my admin includes

define('DIR_WS_HTTP_CATALOG', '/servername/catalog/');
define('DIR_WS_HTTPS_CATALOG', '/servername/catalog/');

All the other entries match. Not sure what to do?

#19 ivyfleur


Posted 19 March 2009, 20:29

Oops, and one more thing.

When you say remove "catalog" I am not sure which lines you are referring to. And yes the store is root based.

#20 spooks


Posted 19 March 2009, 20:34

as in where-ever catalog/ appears, remove it, so:

define('DIR_WS_HTTP_CATALOG', '/servername/catalog/');
define('DIR_WS_HTTPS_CATALOG', '/servername/catalog/');
becomes

define('DIR_WS_HTTP_CATALOG', '/servername/');
define('DIR_WS_HTTPS_CATALOG', '/servername/');
