What is the osCsid & why you must not lose it.


204 replies to this topic

#141 Onnootje

  • Community Member
  • 25 posts
  • Real Name:Onno
  • Gender:Male
  • Location:Amsterdam, Netherlands

Posted 14 February 2010, 21:06

Anyone???

I've removed the "store cart in cookie mod" which used the store cart in cookie database entry.

#142 spooks

  • Community Member
  • 7,017 posts
  • Real Name:Sam
  • Gender:Male
  • Location:UK

Posted 14 February 2010, 22:11

Onnootje, on 13 February 2010, 14:44, said:

From what you say the app is performing differently depending on the referrer setting, as there is nothing in the default code that would do that, it's either something you've changed or some server config your host has set up.

It's nothing I've come across before, but then that's due to the former I suspect.

Sam

Remember, What you think I meant may not be what I thought I meant when I said it.

Contributions:


Auto Backup your Database, Easy way

Multi Images with Fancy Pop-ups, Easy way

Products in columns with multi buy etc etc

Disable any Category or Product, Easy way

Secure & Improve your account pages et al.

#143 Reptillacus

  • Community Member
  • 6 posts
  • Real Name:Andi Carey

Posted 12 March 2010, 15:02

Interesting set of articles. However, my problem is that I want to get rid of osCsid! I'm looking after an osCommerce site and it seems that the temptation for people to send each other urls for products (containing session ids) is too much and has caused the shared session problem outlined above. I can't use force cookies because the site uses shared ssl although switching 'force cookies' on has proved to be a useful way of taking the payment part of the site down whilst still allowing people to browse.

So I was wondering...

Suppose I put this code at the top of application-top.php:

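//MOD:AC:2010-03-12
//An attempt to prevent session ids entering from pasted
//or posted urls containing osCsid parameters
//isset() covers a request that sends no Referer header at all,
//which would otherwise raise an undefined index notice
if (!isset($_SERVER["HTTP_REFERER"]) || strlen($_SERVER["HTTP_REFERER"]) == 0) {
  if (isset($_GET["osCsid"])) {
    unset($_GET["osCsid"]);
  }
  if (isset($_REQUEST["osCsid"])) {
    unset($_REQUEST["osCsid"]);
  }
}
//END MOD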

Basically, if there's no referer, i.e the url has been pasted in or clicked on in an email then the osCsid key (if set) is removed.

I'm fairly new to PHP and OScommerce so am a bit wary of dropping code in where there may be unintended consequences so can anyone see if this code has any credibility?

Much obliged
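
The shared-session problem described in the post above leaves a trace in the web server's access log: the same osCsid value arrives from more than one client, and the second client's first request has no on-site Referer. The following check is an added example, not code from this thread or from osCommerce; it assumes Apache's combined log format, and the host name shop.example, the session IDs and the log lines are constructed.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit, parse_qs

SITE_HOST = "shop.example"  # assumption: the store's own host name

# Apache "combined" format (assumed): ip - user [time] "request" status bytes "referer" "agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "[A-Z]+ (?P<target>\S+) [^"]*" '
    r'\d{3} \S+ "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)

# Constructed sample: SID_A is pasted to a second visitor, SID_B stays with one client.
SID_A = "a3f9c1d27b6e4805a3f9c1d27b"
SID_B = "b71e0c44d9524f6ab71e0c44d9"
SAMPLE_LOG = f"""\
198.51.100.7 - - [12/Mar/2010:14:01:10 +0000] "GET /index.php?cPath=4&osCsid={SID_A} HTTP/1.1" 200 5120 "http://shop.example/index.php" "Mozilla/5.0 Firefox/3.6"
198.51.100.7 - - [12/Mar/2010:14:02:31 +0000] "GET /product_info.php?products_id=235&osCsid={SID_A} HTTP/1.1" 200 7340 "http://shop.example/index.php?cPath=4&osCsid={SID_A}" "Mozilla/5.0 Firefox/3.6"
203.0.113.40 - - [12/Mar/2010:14:20:05 +0000] "GET /product_info.php?products_id=235&osCsid={SID_A} HTTP/1.1" 200 7340 "-" "Mozilla/4.0 (compatible; MSIE 8.0)"
203.0.113.40 - - [12/Mar/2010:14:21:48 +0000] "GET /shopping_cart.php?osCsid={SID_A} HTTP/1.1" 200 4410 "http://shop.example/product_info.php?products_id=235&osCsid={SID_A}" "Mozilla/4.0 (compatible; MSIE 8.0)"
192.0.2.15 - - [12/Mar/2010:14:30:12 +0000] "GET /index.php?cPath=4&osCsid={SID_B} HTTP/1.1" 200 6100 "http://www.example.org/links.html" "Mozilla/5.0 Safari/531.21"
"""


def parse(lines):
    """Yield (sid, ip, agent, referer, time) for requests that carry osCsid in the URL."""
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # not a combined-format line
        sid = parse_qs(urlsplit(m["target"]).query).get("osCsid", [None])[0]
        if sid:
            yield sid, m["ip"], m["agent"], m["referer"], m["time"]


def is_external(referer):
    """True when the request did not come from a link on the store itself."""
    if referer in ("", "-"):
        return True  # typed, pasted or opened from an e-mail client
    return urlsplit(referer).hostname != SITE_HOST


def shared_sessions(lines):
    """Return {sid: [first-seen record per client]} for IDs used by more than one client."""
    clients = defaultdict(dict)  # sid -> {(ip, agent): record}
    for sid, ip, agent, referer, time in parse(lines):
        # setdefault keeps only the first request seen from each (ip, agent) pair
        clients[sid].setdefault(
            (ip, agent),
            {"ip": ip, "first_seen": time, "external_entry": is_external(referer)},
        )
    return {sid: list(seen.values()) for sid, seen in clients.items() if len(seen) > 1}


if __name__ == "__main__":
    for sid, records in shared_sessions(SAMPLE_LOG.splitlines()).items():
        print("osCsid", sid, "used by", len(records), "clients")
        for rec in records:
            print("  ", rec["ip"], rec["first_seen"], "external entry:", rec["external_entry"])
```

A change of IP address alone also happens with mobile networks and proxies, so a hit is a lead to check against the cart and account activity, not proof of a shared link.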

#144 spooks

  • Community Member
  • 7,017 posts
  • Real Name:Sam
  • Gender:Male
  • Location:UK

Posted 12 March 2010, 15:22

Reptillacus, on 12 March 2010, 15:02, said:

No, that's a bad idea, you'll just lose the session & have new issues.

Matt has made an excellent post on alleviating your issue http://forums.oscomm...xternal-source/

Don't forget the admin settings.

Also with this you will get an issue with google & duplicate content, Remove & Prevent duplicate content with the canonical tag http://addons.oscommerce.com/info/7163 addon will fix that.

PS on a correctly configured site the sid should only appear in the uri on the first page visited.

Edited by spooks, 12 March 2010, 15:28.

Sam


#145 Reptillacus

  • Community Member
  • 6 posts
  • Real Name:Andi Carey

Posted 12 March 2010, 15:37

Many thanks for your time and trouble Sam, this looks like it's exactly what I need. I did a lot of searching for something like this before I posted here but never found this. I'll let you know how I get on. Thanks again.

#146 Lary_an

  • Community Member
  • 63 posts
  • Real Name:LARRY
  • Gender:Male

Posted 22 March 2010, 01:08

Hi Sam,

I have:

"prevent spider sessions" enabled
all the other session settings are disabled

When a new user comes in the very first time if he/she clicks on the Catalog link it still gives a session ID.

Please help!

Thanks, any advice will be greatly appreciated.

#147 germ

  • Community Member
  • 13,582 posts
  • Real Name:Jim
  • Gender:Male
  • Location:USA (GMT-6)

Posted 22 March 2010, 01:12

Lary_an, on 22 March 2010, 01:08, said:

Hi Sam,

I have:

"prevent spider sessions" enabled
all the other session settings are disabled

When a new user comes in the very first time if he/she clicks on the Catalog link it still gives a session ID.

Please help!

Thanks, any advice will be greatly appreciated.

Seeing the session ID for 2 or 3 clicks isn't abnormal.

If I suggest you edit any file(s) make a backup first - I'm not perfect and neither are you.

"Headers already sent" - The definitive help

"Cannot redeclare ..." - How to find/fix it

SSL Implementation Help

Like this post? "Like" it again over there >

#148 garnet

  • Community Member
  • 120 posts
  • Real Name:az

Posted 24 March 2010, 14:11

Is there a way I can get the session id and use it to track how many times a guest is refreshing a given page?
OSC beginner

#149 azso

  • Community Member
  • 3 posts
  • Real Name:Alexey

Posted 26 March 2010, 08:43

Hi All,

Sorry for the crosspost, but as I can see, problems with osCsid are discussed in this topic.
So, my problem:

I have installed osCommerce Online Merchant v2.2 RC2a (version of php = 5.2.10) and I made some modifications to it.


If you go to the URL http://name.ru (without "www"), the engine creates pages with correct links:
all links look like "http://name.ru/index.php?osCsid=....&...&.."

If you go to the URL http://www.name.ru, sometimes all links have no "?osCsid=" (but other params, like cPath=xxx, are still present). If you delete "www" in the URL and refresh the page, all links become correct.

So there is a difference between http://name.ru and http://www.name.ru

Some additional words about my problem:

1. This problem happens only with the internet site (when it is placed on the host side and used through the internet). This problem does not happen in my home environment (when the site is placed on my notebook).

2. All links are made through the tep_href_link function.


What steps do I need to take to localize this problem?

#150 spooks

  • Community Member
  • 7,017 posts
  • Real Name:Sam
  • Gender:Male
  • Location:UK

Posted 26 March 2010, 11:21

azso, on 26 March 2010, 08:43, said:



Check your config files are correct for your server, also check any htaccess files, otherwise appears to be a server config error, speak to host.

You should not have www & non www versions of your site, creates a duplicate content issue, always redirect one to the other.



# redirect non www to www
RewriteCond %{HTTP_HOST} !^www\.mysite\.co\.uk [NC]
# leave requests that send no Host header alone
RewriteCond %{HTTP_HOST} !^$
RewriteRule ^(.*) http://www.mysite.co.uk/$1 [L,R=301]



Sam


#151 altoid

  • Community Member
  • 536 posts
  • Real Name:Steve
  • Gender:Male
  • Location:Pennsylvania

Posted 18 April 2010, 19:55

spooks, on 11 December 2009, 00:45, said:

PS there is another method if you care to look.


Regarding keeping the osCsid, I am using Featured Products that basically fit what I wanted to do, i.e. put featured items out there on the index page. It's a good add on.

However, to address what I was trying to do initially I found this contribution Embed Links with SID in Description but I haven't tried it yet. Probably will check it out sometime along the way when the need arises.

SK
I am not a professional webmaster or PHP coder by background or training but I will try to help as best I can.
I remember what it was like when I first started with osC. It can be overwhelming.
However, I strongly recommend considering hiring a professional for extensive site modifications, site cleaning, etc.
There are several good pros here on osCommerce. Look around, you'll figure out who they are.

#152 trier

  • Community Member
  • 26 posts
  • Real Name:Jimbo

Posted 28 April 2010, 09:36

Hi,

Thank you for this excellent thread, it is very informative and very helpful though I'm still far from understanding it fully.

I'd appreciate your comment on a few questions (apologies if it's long/tedious/inaccurate), hopefully it doesn't deviate too much from the thread:-

FORCE_COOKIES_USE=true;/Client Browser accepts cookies: I normally find the osCsid appears in the URL after the first click only, it doesn't appear thereafter. As it's not needed in the URL when the client accepts cookies is it not possible to stop it showing at all.

Client Browser doesn't accept cookies: The osCsid must always appear in the URL. After reading this thread I was a bit concerned because several pages (mainly information) use 'javascript:history.go(-1)' for the Back Button and I thought they may lose the osCsid. Testing suggests that it is not a problem (I believe the pages are retrieved from the browser cache). However there seems to be a problem if this, or more likely, the browser page Back Button, is used to go back to the landing page, it seems to generate a new osCsid. Is this an issue? Can anything be done about it?

SESSION_BLOCK_SPIDERS == 'True': In my application_top, this test is not performed when SESSION_FORCE_COOKIE_USE == 'True'. I seem to remember reading in a different thread that some spiders do now create sessions/accept cookies. Is this true and does the test need to be re-arranged (presumably blocking spider sessions should always be done as opposed to it being an option?)? I figure if the session is started anyway and the spider_flag is registered and set to 'false', it can subsequently be tested and used to set session_started to false instead of going through the spider list again - is there much benefit in this?

Thanks for your help

#153 sarafina

  • Community Member
  • 108 posts
  • Real Name:Sandrine

Posted 03 May 2010, 23:54

I have a question on linking using the banner manager and whether or not I need to do anything to prevent losing session ids.

The banner manager asks for a path and if I put /shipping.php it works however, will this negatively impact session ids?

What about linking to products. I have used a seo url contribution so I'm wondering if I can put /blue-widget-sample-p-189.html in the banner manager. If not can you please help me so I can put what is proper so I don't lose session ids? Thanks.
Contributions installed: Purchase without Account / STS/ All Products/ Header Tags Controller

#154 Winterburn

  • Community Member
  • 35 posts

Posted 06 June 2010, 15:31

Hello, everyone.

I am familiar that application_top.php is the one responsible for keeping the sid intact. However, does the same apply for modal windows? E.g., I have a modal window that shows up when I choose a certain payment option in checkout_payment.php. It works fine with application_top.php, but encounters the 2006 - mysql has gone away error. I may be able to get away with this error if I don't require application_top.php. I figured that the sid is kept since checkout_payment.php generates a child window (e.g. payme.php).

#155 jkenfield

  • Community Member
  • 13 posts
  • Real Name:Jessica

Posted 08 August 2010, 18:41

Great topic information here...it has helped me tremendously. The last hurdle I have is this:

I am trying to include a link to another page inside my product description. So in the admin site for the product I originally included a manual <a href="...> for the link to the page but it was causing me to lose my session id. So I tried to do (as this post originally suggested)

Quote

<a href="<?php echo tep_href_link('FILENAME_ORDERNOTES'); ?>">click here</a>

for the link. However, when osCommerce renders the product info page, it is translating the link as this:

Quote

http://mysitename.com/catalog/%3C?php echo tep_href_link('FILENAME_ORDERNOTES'); ?>

Does anyone know how to force the page to not change the < to a %3C and hopefully execute the php code?

Thanks!

#156 germ

  • Community Member
  • 13,582 posts
  • Real Name:Jim
  • Gender:Male
  • Location:USA (GMT-6)

Posted 08 August 2010, 18:53

In order for it to execute the PHP code you'd have to do an eval() on the description, and that's not something you really want to do.

You need to find a safer way.

I'd put the <a href back in it but have it open in a new window and link to a page that goes nowhere else (contains no other links) so they have to close it.

Just a thought.

#157 FWR Media

  • Community Member
  • 6,463 posts
  • Real Name:Robert Fisher
  • Gender:Male
  • Location:Stowmarket - Suffolk - UK

Posted 09 August 2010, 09:16

germ, on 08 August 2010, 18:53, said:

In order for it to execute the PHP code you'd have to do an eval() on the description, and that's not something you really want to do.

You need to find a safer way.

I'd put the <a href back in it but have it open in a new window and link to a page that goes nowhere else (contains no other links) so they have to close it.

Just a thought.

There is a much better way in my opinion.

I had a quick bash at writing the code ( so probably a bit "raw" ).

The way it ( should ) work.

In the products description ( or any DB text ) place code as follows: -

[-LINK-]FILENAME_DEFAULT[-ANCHOR-]My Test default[-ENDANCHOR-][-PARAMS-][-ENDPARAMS-][-ENDLINK-]

The above will link to index.php

[-LINK-]FILENAME_DEFAULT[-ANCHOR-]My Test category[-ENDANCHOR-][-PARAMS-]cPath=4[-ENDPARAMS-][-ENDLINK-]

The above will link to category cPath=4

It requires: -
1) A real and valid filename constant ( e.g. FILENAME_PRODUCT_INFO )
2) Optional params ( e.g. products_id=4 or cPath=37 etc. )
3) Must have link text

This system uses the correct tep_href_link() wrapper so no problems with sessions etc.

Instructions to test: -

1) Add the below class to catalog/includes/classes/ named as fwrmedia_links.php

2) catalog/product_info.php

Find ..

require('includes/application_top.php');

Add immediately below: -

require_once DIR_WS_CLASSES . 'fwrmedia_links.php';

Find .. ( where the description is output ) probably ..
?>
          <p><?php echo stripslashes($product_info['products_description']); ?></p>
<?php

Add immediately above it ..

  $fwrmedia_link = RealiseProductDescriptionLinks::i();
  $fwrmedia_link->realise( $product_info['products_description'] );

The class ( PHP5 only ): -

<?php
  /**
  * FWR Media
  * Class to parse links in products descriptions.
  */
  class RealiseProductDescriptionLinks {

    private static $_singleton;
    // Groups: 1 = filename constant, 2 = link text, 3 = optional params.
    // The hyphen sits last in the link text class so it is read as a literal,
    // and the params group is lazy so two links on one line stay separate.
    private $search = '@\[-LINK-\]([A-Z_]+)\[-ANCHOR-\]([a-zA-Z0-9_\s-]+)\[-ENDANCHOR-\]\[-PARAMS-\](.*?)\[-ENDPARAMS-\]\[-ENDLINK-\]@';
    private $html_target;
    private $matches;

    private function __construct() {
    }

    // Returns the single shared instance
    public static function i() {
      if ( !self::$_singleton instanceof RealiseProductDescriptionLinks ) {
        self::$_singleton = new self;
      }
      return self::$_singleton;
    }

    // Replaces every link tag in the description (passed by reference)
    public function realise( &$products_description ) {
      $this->html_target = $products_description;
      // preg_match_all() always fills every group, so test the match count
      if ( !preg_match_all( $this->search, $this->html_target, $matches ) ) {
        return;
      }
      $this->buildAndReplaceLink( $matches );
      $products_description = $this->html_target;
    }

    protected function buildAndReplaceLink( $matches ) {
      $working_array = array();
      foreach ( $matches[0] as $index => $find ) {
        $working_array[] = array( 'find' => $find,
                                  'replace' => $this->buildHref( $matches[1][$index], $matches[2][$index], $matches[3][$index] ) );
      }
      foreach ( $working_array as $index => $find_replace ) {
        $this->html_target = str_replace( $find_replace['find'], $find_replace['replace'], $this->html_target );
      }
    }

    protected function buildHref( $filename, $linktext, $params ) {
      // Only defined FILENAME_* constants are resolved, so a tag cannot be
      // used to print the value of some other constant into the page
      if ( 0 !== strpos( $filename, 'FILENAME_' ) || false === defined( $filename ) ) {
        return '';
      }
      return '<a href="' . tep_href_link( constant( $filename ), $params ) . '" title="' . tep_output_string_protected( $linktext ) . '">' . tep_output_string_protected( $linktext ) . '</a>';
    }

  } // end class

Ultimate SEO Urls 5 PRO - Multi Language Modern, Powerful SEO Urls

KissMT Dynamic SEO Meta & Canonical Header Tags

KissER Error Handling and Debugging

If you found my post useful please click the green + sign to the right

Please only PM me for paid work.


#158 FWR Media

  • Community Member
  • 6,463 posts
  • Real Name:Robert Fisher
  • Gender:Male
  • Location:Stowmarket - Suffolk - UK

Posted 09 August 2010, 09:26

Oh forgot to mention .. the above should work for multiple links not just one.


#159 jhande

  • Community Member
  • 2,050 posts
  • Real Name:Jim Hande
  • Gender:Male
  • Location:White Mountains, NH USA

Posted 13 August 2010, 16:05

Ok, I'm a little confused and need some guidance.

Shop specs:
Upgraded my osC from 2.2 MS2 to 2.2 RC2a with - http://addons.oscommerce.com/info/6654 and all updates available.
Force Cookie Use = False
Check SSL Session ID = False
Check User Agent = False
Check IP Address = False
Prevent Spider Sessions = True
Recreate Session = True
Use Cache = True

PHP 5.2.13
MySQL 5.1.47
Apache 2.2.15
Linux 2.6.28

If you are to lose your osCsid session when browsing the site, then you would get logged out?

Here's my reason for posting:

I had created HTML links from one product description page to another product, such as:
<p>* Matching spray can - <a href="http://handeshobbies.com/product_info.php?cPath=22_27_43&products_id=235">1249</a><br>

From what I have read through this thread and a few others, I should be using something like this:
<link rel="canonical" href="<?php echo tep_href_link(FILENAME_PRODUCT_INFO, 'products_id=235' . (int)$_GET['products_id'],NONSSL,false); ?>" />

Or this contribution:
Embed Link with SID in Description http://www.oscommerc...y/contributions,2905

Or what Robert posted above???

If my original HTML link is wrong, why then do I stay logged in when I follow many of my links?

I just want to make sure that I need to change all my links before I start, there's a couple of hundred.

If I do need to change them, which would be the best and/or easiest method?

Edited by jhande, 13 August 2010, 16:10.

- :: Jim :: -
- My Toolbox ~ Adobe Web Bundle & WinMerge | Install ~ osCommerce v2.2 MS2 060817 -
- Not 4 Hire ~ Please DO NOT PM me for help. I really do not have a clue what I am doing! -
- Working on a new 2.3.1 install -

#160 FWR Media

  • Community Member
  • 6,463 posts
  • Real Name:Robert Fisher
  • Gender:Male
  • Location:Stowmarket - Suffolk - UK

Posted 13 August 2010, 16:21

jhande, on 13 August 2010, 16:05, said:


If I do need to change them, which would be the best and/or easiest method?

Forget that "embed SID" stuff it is dangerous rubbish .. all you need is ..

Products Link
<a href="<?php echo tep_href_link( FILENAME_PRODUCT_INFO, 'products_id=1234' ) ?>">1234</a>
Categories Link
<a href="<?php echo tep_href_link( FILENAME_DEFAULT, 'cPath=1234' ) ?>">1234</a>

Obviously all the 1234s need to be replaced with proper values.

Edited by FWR Media, 13 August 2010, 16:22.
