SID & SSL problems

[networkdad]

Ok, in installing MS1 and doing some testing on taking CC payments, i'm running into a few problems. I believe this has to do with SID's.

 

OSC = MS1 with sid killer 1.2 installed

This is using my OWN ssl cert, not a shared ssl.

 

Test transaction results:

 

When SSL = True (configure.php)

 

Browser set to block all cookies: - redirects to https://www.healthyharvest.com/ms1/login.php - page is complete

 

Broser set to accept all cookies: - redirects to https://www.healthyharvest.com/ms1/login.php , but page is blank

 

When SSL = False (configure.php)

Browser set to block all cookies: - Successfull transaction

Browser set to accept cookies - Successfull transaction

 

Obviously, i'd like to leave SSL enabled on my site so that the checkout process is secured.... Currently, i'm using a Nov15th 2002 snapshot, but i'd like to upgrade to this MS1 version in the next few weeks.

 

What's going on here between the SID, going to a new site for payment authorization, and then back to my site ?? Am i just losing the SID inbetween?

 

Is there a way to completely kill the sid, and would this be safe at all ??

[wizardsandwars]

WE have found more than just a couple issues with the SID killer, as it is currently constructed.

 

I would advise disabling it, and using the Spider Catching SID instead, for the time being.

[networkdad]

Will do...

 

Do you have the link to the spider catcher code ?? I suppose i could search..but there have been way too many topics on SID over the past 6 months..

[networkdad]

spider catcher code:

 

http://www.oscommerce.com/forums/viewtopic.php...3&highlight=sid

[networkdad]

Ok, still big problems. I removed the SID killer, installed the spider catcher, but i still have the same problem - I get redirected to /login.php with the SID attached, and the result of the credit card transaction attached

 

Example:

 

https://www.healthyharvest.com/ms1/login.ph...Csid=XXXXXX(SID ID)?Result=DECLINED

[networkdad]

Anyone ?? I cannot move forward with upgrading to MS1 until i get this issue resolved between the SID, SSL, and my CC transactions.

 

Any help is much appreciated. :)

[dreamscape]

the problem I think comes when moving from HTTP to HTTPS or back... when moveing like this with cookies enabled, there is no need to attach a SID if the servers are the same.

 

Harald was kind enough to provide me with some code awhile back to check if the servers are the same and if so, then don't use the SID:

 

you can try it... it gives me no problems.

 

open catalog /includes/functions/html_output.php

 

after the line

function tep_href_link($page = ''....

 

add in this:

 	 static $http_host, $https_host;

 

then scroll down to

// Add the session ID when moving from HTTP and HTTPS servers or when SID is defined

 

and replace that code:

if ( (ENABLE_SSL == true ) && ($connection == 'SSL') && ($add_session_id == true) ) {

$sid = tep_session_name() . '=' . tep_session_id();

} elseif ( ($add_session_id == true) && (tep_not_null(SID)) ) {

$sid = SID;

}

 

with this code:

if ($add_session_id == true) { 

 if (tep_not_null(SID)) { 

   $sid = SID; 

 } elseif ( ($connection == 'SSL') && (ENABLE_SSL == true) ) { 

   if (!isset($http_host) && !isset($https_host)) { 

     $url = parse_url(HTTP_SERVER); 

     $http_host = $url['host']; 

     $url = parse_url(HTTPS_SERVER); 

     $https_host = $url['host']; 

   } 



   if ($http_host != $https_host) { 

     $sid = tep_session_name() . '=' . tep_session_id(); 

   } 

 }        

}

 

I have done this and don't have any problems with getting logged out cause of the SID killer... BTW I still use Ians old sid killer listed in the thread... after seeing a few problems with v1.2 and no real reason for me to change (nothing new that would be of use to me), I decided I am pretty comfortable where I'm at.

[dreamscape]

also, another solution if you do not mind requiring cookies, is Harald's proposal to resolve the SID security issues:

 

http://www.oscommerce.com/forums/viewtopic.php...er=asc&start=30

 

I just installed this on an MS1 and it works pretty good, granted users with cookies disabled can't checkout... but hey its 2003 and you'd be hard pressed to find an ecommerce site not requiring cookies (any non OSC site)... OSC is so backwards as it is (maintianing PHP3 compatibility? give me a break)... its about time we started moving forward with the rest of the world... Again, many thanks to harald for providing the code on this one.

[networkdad]

also, another solution if you do not mind requiring cookies, is Harald's proposal to resolve the SID security issues:

 

http://www.oscommerce.com/forums/viewtopic.php...er=asc&start=30

 

I just installed this on an MS1 and it works pretty good, granted users with cookies disabled can't checkout... but hey its 2003 and you'd be hard pressed to find an ecommerce site not requiring cookies (any non OSC site)... OSC is so backwards as it is (maintianing PHP3 compatibility? give me a break)... its about time we started moving forward with the rest of the world... Again, many thanks to harald for providing the code on this one.

 

Excellent! Thank you for all this information, its very helpful - I'll be testing all of this, and will post results back later.

 

I have no problem requiring users to have cookies enabled to checkout - every other e-commerce site i visit requires them...no reason why i shouldnt join the bandwagon.

[networkdad]

I went with requiring cookies - works perfect now!

 

Just need to tweak some text notifying customers that cookies will be required for checkout.

 

Thank you..

 

Jason