
security issues with URLs



#1 vinnie@krystal

  • Community Member
  • 80 posts
  • Real Name:bavlis
  • Gender:Male

Posted 13 October 2009, 16:48

Hi everyone, I have had a problem with security issues with my shop. I have created a login page which works fine. The problem here is: once the user has logged in, they are able to copy the URL link and bypass the login page by pasting the URL in the address bar. How do I overcome this?

What I am looking for is somehow a default where they are returned back to the login page and cannot access the shop until they complete login.

Anyone have any idea how this may be achieved? Many thanks if you are able to help...

#2 spooks

  • Community Member
  • 7,017 posts
  • Real Name:Sam
  • Gender:Male
  • Location:UK

Posted 13 October 2009, 17:07

vinnie@krystal, on 13 October 2009, 16:48, said:

once the user has logged in they are able to copy the URL link and are able to bypass the login page by pasting the URL in the address bar.

You can clean the query string with Security Pro; find details of that & other security measures here.

If you have register_globals set to on it allows the user to do much with the URL, so turn RG off & fix the store so it works that way.


There is Register Globals Easy http://addons.oscommerce.com/info/5729 or, better still, Upgrading osC from 2.2 MS2 to 2.2 RC2a http://addons.oscommerce.com/info/6654
Sam

Remember, what you think I meant may not be what I thought I meant when I said it.

Contributions:


Auto Backup your Database, Easy way

Multi Images with Fancy Pop-ups, Easy way

Products in columns with multi buy etc etc

Disable any Category or Product, Easy way

Secure & Improve your account pages et al.

#3 Jack_mcs

  • Community Member
  • 24,449 posts
  • Real Name:Jack
  • Gender:Male

Posted 13 October 2009, 17:41

vinnie@krystal, on 13 October 2009, 16:48, said:

Hi everyone, I have had a problem with security issues with my shop. I have created a login page which works fine. The problem here is: once the user has logged in, they are able to copy the URL link and bypass the login page by pasting the URL in the address bar. How do I overcome this?

What I am looking for is somehow a default where they are returned back to the login page and cannot access the shop until they complete login.

Anyone have any idea how this may be achieved? Many thanks if you are able to help...

Each secure page should have code to verify the user is logged in. Check any of the files that are secure, like create account, and copy the code block that checks if the customer is registered to your new page. When the page is copied, the login status will be checked and you won't be able to continue unless logged in. If the URL contains the session ID, then that is a different problem and you need to fix that before anything else.

#4 vinnie@krystal

  • Community Member
  • 80 posts
  • Real Name:bavlis
  • Gender:Male

Posted 13 October 2009, 18:04

Hi, that's great. I thought it would require some sort of verification on each page being visited, and so you have confirmed this for me. Regarding RG being turned on, I will check out the link you have provided, spooks, although I am certain RG is set to off.

#5 Java Roasters

  • Community Member
  • 2,145 posts
  • Real Name:Peter Bernard
  • Gender:Male
  • Location:Kagawong Ontario, Canada

Posted 13 October 2009, 19:01

Try adding this at the top of the pages you need to have only logged-in people view. It is the same as on all the SSL pages in osC, such as account_edit.php, which you can view for a reference.

  // Place near the top of the page, after application_top.php has been included,
  // so that the session helpers and $navigation are available.
  if (!tep_session_is_registered('customer_id')) {          // no logged-in customer in this session
    $navigation->set_snapshot();                            // remember this page so login can return here
    tep_redirect(tep_href_link(FILENAME_LOGIN, '', 'SSL')); // send to the login page and stop
  }
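The same guard in plain PHP, as an added example (not osCommerce code and not from any poster) for a custom login page that does not use the tep_session_* helpers. The names require_login(), finish_login(), $_SESSION['customer_id'] and $_SESSION['snapshot'] are assumptions; the file is meant to be included by every protected page and by login.php.

```php
<?php
// auth.inc.php (assumed name): included by protected pages and by login.php.
session_start();

// Call this before any output on every page that must be login-only.
// Like the osCommerce snippet it records where the visitor wanted to go
// (the "snapshot") and sends an anonymous visitor to the login page.
function require_login(string $login_page = 'login.php'): void
{
    if (!empty($_SESSION['customer_id'])) {
        return;                               // logged in: let the page render
    }
    // Keep only the local path and query of the requested page, never a
    // full URL, so the post-login redirect cannot be pointed at another site.
    $path  = parse_url($_SERVER['REQUEST_URI'], PHP_URL_PATH) ?: '/';
    $query = $_SERVER['QUERY_STRING'] ?? '';
    $_SESSION['snapshot'] = $path . ($query !== '' ? '?' . $query : '');

    header('Location: ' . $login_page, true, 302);
    exit;                                     // stop: nothing below this line is sent
}

// In login.php, after the password check has succeeded.
function finish_login(int $customer_id): void
{
    session_regenerate_id(true);              // fresh session ID once the login state changes
    $_SESSION['customer_id'] = $customer_id;
    $target = $_SESSION['snapshot'] ?? 'index.php';
    unset($_SESSION['snapshot']);
    header('Location: ' . $target, true, 302);
    exit;
}
```

A protected page then starts with `require 'auth.inc.php'; require_login();` and puts its HTML after that call.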


#6 vinnie@krystal

  • Community Member
  • 80 posts
  • Real Name:bavlis
  • Gender:Male

Posted 14 October 2009, 12:24

Hi, I did what you asked and pasted that piece of code into the top of the page. For some reason I want to revert back to my previous settings but it's now not letting me do that; I am just getting a login page, i.e. not directed to my index.php.

Can you help on why that would be? Thanks.

#7 Java Roasters

  • Community Member
  • 2,145 posts
  • Real Name:Peter Bernard
  • Gender:Male
  • Location:Kagawong Ontario, Canada

Posted 14 October 2009, 15:34

I thought you wanted non-logged-in people to go to your login page. If you want them to be directed to your index.php page instead, then it would be

  if (!tep_session_is_registered('customer_id')) {            // no logged-in customer in this session
    $navigation->set_snapshot();                              // remember this page
    tep_redirect(tep_href_link(FILENAME_DEFAULT, '', 'SSL')); // send to index.php instead of the login page
  }

All I have done here is redirect it to a different page.

If you don't want the added code there, or if it is not what you are looking for, then you can just remove it and revert your pages back to their original form and it will be as it was before. You might need to refresh your browser.

#8 vinnie@krystal

  • Community Member
  • 80 posts
  • Real Name:bavlis
  • Gender:Male

Posted 14 October 2009, 15:56

What I wanted was to stop any user from copying and then pasting the URL address once they have logged in, as for security purposes all they would need to do next time is bypass my login page by pasting the copied URL in the address bar. I have created my own login page prior to the osCommerce store.

For some reason it doesn't revert back to default; I think it registers it somewhere in the database which didn't allow the revert back:

if (!tep_session_is_registered('customer_id'))

Therefore it stores this information, and even if you took this code out it creates it as a session.

#9 Java Roasters

  • Community Member
  • 2,145 posts
  • Real Name:Peter Bernard
  • Gender:Male
  • Location:Kagawong Ontario, Canada

Posted 14 October 2009, 16:07

The session does expire so it should not allow them to bypass the login after about 10 minutes. Can you test it again and this time empty the sessions table (just empty, don't delete the table) in between your tests.

The session that is created stores a lot of info, including if the customer is registered. The session should expire in 10 minutes (I think) and then if a person uses it after that time they should get a new session without being registered and therefore be sent back to the login page.

What you are doing will also prevent Google and other search engines from indexing your pages so your protected pages will not show up on the search engines.

#10 Jack_mcs

  • Community Member
  • 24,449 posts
  • Real Name:Jack
  • Gender:Male

Posted 14 October 2009, 16:42

vinnie@krystal, on 14 October 2009, 15:56, said:

What I wanted was to stop any user from copying and then pasting the URL address once they have logged in, as for security purposes all they would need to do next time is bypass my login page by pasting the copied URL in the address bar. I have created my own login page prior to the osCommerce store.

As mentioned, it's a non-issue unless your session ID is being copied. If that is the case, you are "fixing" the wrong code.
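The two points made in the last replies, that the session ID must never travel in the URL and that an idle session should expire, as an added example in plain PHP (not osCommerce code and not from any poster). Assumed: PHP 7.3 or later, the names IDLE_LIMIT, start_secure_session() and logout(), and the 10-minute limit mentioned above.

```php
<?php
// Added example: session settings that keep the ID out of the URL and a
// server-side idle timeout, so a copied link never carries the login with it.
const IDLE_LIMIT = 600;   // 10 minutes, the expiry mentioned in the thread (assumed)

function start_secure_session(): void
{
    // Cookie-only sessions: PHP neither reads ?PHPSESSID=... from the URL
    // nor appends it to links, so a copied URL cannot contain the session.
    ini_set('session.use_only_cookies', '1');
    ini_set('session.use_trans_sid', '0');
    ini_set('session.use_strict_mode', '1');        // reject IDs the server never issued
    session_set_cookie_params([
        'httponly' => true,                         // scripts cannot read the cookie
        'secure'   => !empty($_SERVER['HTTPS']),    // HTTPS-only when the shop runs on SSL
        'samesite' => 'Lax',
    ]);
    session_start();

    // gc_maxlifetime is only a hint to the garbage collector, so enforce
    // the idle limit explicitly on every request.
    $now = time();
    if (isset($_SESSION['last_seen']) && ($now - $_SESSION['last_seen']) > IDLE_LIMIT) {
        logout();             // stale: drop everything, including customer_id
        session_start();      // continue with a fresh, anonymous session
    }
    $_SESSION['last_seen'] = $now;
}

// Full logout: clear the data, expire the cookie and destroy the server copy.
function logout(): void
{
    $_SESSION = [];
    if (ini_get('session.use_cookies')) {
        $p = session_get_cookie_params();
        setcookie(session_name(), '', time() - 42000,
                  $p['path'], $p['domain'], $p['secure'], $p['httponly']);
    }
    session_destroy();
}
```

Call start_secure_session() instead of session_start() at the top of every page, before any login check runs.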