This issue keeps raising its ugly head & many seem confused, so I will endeavor to give some light to the problems.
The session id (sid or osCsid) is used by e-commerce applications to keep track of users as they browse the site, so the store knows who the user is and which basket & account are theirs.
The sid is stored within the url and/or cookie (if available). So a url with sid would look like: http://www.domain-one.com/index.php?osCsid...52r43tWEFw34352
Clearly, to ensure proper working of the above you must ensure no links to your site contain a sid, either within search engines' indexes (Prevent Spider Sessions), other sites linking to you or any links within your own site. If this does occur you can get users finding they are accessing another's account, orders getting mixed up and even billing going awry. There is a new tag (canonical) which could help you avoid this problem with search engines, though you must avoid this problem occurring in the first place.
Example of use for product_info.php is:
<link rel="canonical" href="<?php echo tep_href_link(FILENAME_PRODUCT_INFO, 'products_id=' . (int)$_GET['products_id'], 'NONSSL', false); ?>" />
Equally, when a user is on the site osC needs to ensure the user's sid is kept throughout the visit, as if it is lost at any time the application will consider them a new visitor, so they would lose the cart content, suddenly find they're logged out again or even get lost halfway through checkout!!
osC keeps the user's sid between pages through use of the tep_href_link function, so all links must use tep_href_link to ensure the sid remains. You can circumvent this issue with 'Force Cookie Use': since the sid is stored within the cookie, if it is lost through any 'bad' code it can be picked up from there again.
So should you create your own links and simply use something like
<a href="index.php">Back Home</a>
you are creating some major problems for yourself. Instead you should put
<a href="<?php echo tep_href_link(FILENAME_DEFAULT); ?>">Back Home</a>
The sid is also used by some contributions (like Anti Robot Registration Validation) where the sid is used as the root for creation of the code presented to the user, so if it's missing, code generation will not work.
Contributions that may help if you have issues:
SID Killer http://addons.oscommerce.com/info/952
Duplicate Content Manager http://addons.oscommerce.com/info/6214
For further reading see: http://www.oscommerce.info/kb/osCommerce/D...plementations/4
I hope that makes things clearer.
Edited by spooks, 05 March 2009 - 06:15 PM.
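An added example (not part of the original post, and not osCommerce code): two PHP helpers with hypothetical names, one that strips the session id from a URL and one that lists the links in a page that carry it, for instance to check the HTML your store serves to a search-engine spider. The sample HTML is constructed.

```php
<?php
// Added example: strip_session_id() and find_sid_links() are hypothetical helpers,
// not osCommerce functions. URLs with user:pass@ are not expected and not rebuilt.

/** Return $url with the session-id parameter(s) removed; other parameters and the fragment are kept. */
function strip_session_id(string $url, array $sidNames = ['osCsid', 'sid']): string
{
    $parts = parse_url($url);
    if ($parts === false || !isset($parts['query'])) {
        return $url; // nothing to strip, or unparseable URL left untouched
    }
    parse_str($parts['query'], $params);
    foreach ($sidNames as $name) {
        unset($params[$name]);
    }
    $out = '';
    if (isset($parts['scheme'])) { $out .= $parts['scheme'] . '://'; }
    if (isset($parts['host']))   { $out .= $parts['host']; }
    if (isset($parts['port']))   { $out .= ':' . $parts['port']; }
    $out .= $parts['path'] ?? '';
    if ($params) { $out .= '?' . http_build_query($params); }
    if (isset($parts['fragment'])) { $out .= '#' . $parts['fragment']; }
    return $out;
}

/** List every href in $html whose query string carries a session id. */
function find_sid_links(string $html, array $sidNames = ['osCsid', 'sid']): array
{
    $doc = new DOMDocument();
    @$doc->loadHTML($html); // suppress warnings from sloppy markup
    $hits = [];
    foreach ($doc->getElementsByTagName('a') as $a) {
        parse_str((string) parse_url($a->getAttribute('href'), PHP_URL_QUERY), $params);
        if (array_intersect_key($params, array_flip($sidNames))) {
            $hits[] = $a->getAttribute('href');
        }
    }
    return $hits;
}

// Constructed sample page: one link leaks a session id, one is clean.
$html = '<a href="http://www.domain-one.com/product_info.php?products_id=7&amp;osCsid=abc123">Widget</a>'
      . '<a href="http://www.domain-one.com/index.php">Back Home</a>';

foreach (find_sid_links($html) as $leaky) {
    echo $leaky, ' => ', strip_session_id($leaky), PHP_EOL;
}
```

Visitors without cookies legitimately get the sid appended by tep_href_link, so run the audit against pages fetched the way a spider or an outside site would see them.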