networkdad Posted March 6, 2003

Ok, in installing MS1 and doing some testing on taking CC payments, I'm running into a few problems. I believe this has to do with SIDs.

OSC = MS1 with sid killer 1.2 installed

This is using my OWN ssl cert, not a shared ssl.

Test transaction results:

When SSL = True (configure.php)

Browser set to block all cookies:
- redirects to https://www.healthyharvest.com/ms1/login.php
- page is complete

Browser set to accept all cookies:
- redirects to https://www.healthyharvest.com/ms1/login.php , but page is blank

When SSL = False (configure.php)

Browser set to block all cookies:
- Successful transaction

Browser set to accept cookies:
- Successful transaction

Obviously, I'd like to leave SSL enabled on my site so that the checkout process is secured....

Currently, I'm using a Nov 15th 2002 snapshot, but I'd like to upgrade to this MS1 version in the next few weeks.

What's going on here between the SID, going to a new site for payment authorization, and then back to my site?? Am I just losing the SID in between? Is there a way to completely kill the sid, and would this be safe at all??

wizardsandwars Posted March 6, 2003

We have found more than just a couple of issues with the SID killer, as it is currently constructed. I would advise disabling it, and using the Spider Catching SID instead, for the time being.

-----
NOTE: As of Oct 2006, I'm not as active in this forum as I used to be, but I still work with osC quite a bit. If you have a question about any of my posts here, your best bet is to contact me through either Email or PM in my profile, and I'll be happy to help.

networkdad Posted March 6, 2003

Will do... Do you have the link to the spider catcher code?? I suppose I could search.. but there have been way too many topics on SID over the past 6 months..

networkdad Posted March 6, 2003

spider catcher code: http://www.oscommerce.com/forums/viewtopic.php...3&highlight=sid

networkdad Posted March 6, 2003

Ok, still big problems. I removed the SID killer, installed the spider catcher, but I still have the same problem - I get redirected to /login.php with the SID attached, and the result of the credit card transaction attached.

Example: https://www.healthyharvest.com/ms1/login.ph...Csid=XXXXXX(SID ID)?Result=DECLINED

networkdad Posted March 8, 2003

Anyone?? I cannot move forward with upgrading to MS1 until I get this issue resolved between the SID, SSL, and my CC transactions. Any help is much appreciated. :)

dreamscape Posted March 8, 2003

The problem, I think, comes when moving from HTTP to HTTPS or back... when moving like this with cookies enabled, there is no need to attach a SID if the servers are the same. Harald was kind enough to provide me with some code a while back to check if the servers are the same and, if so, then don't use the SID. You can try it... it gives me no problems.

Open catalog/includes/functions/html_output.php

After the line

function tep_href_link($page = ''....

add in this:

```php
// Cache the parsed host names across calls to tep_href_link()
static $http_host, $https_host;
```

Then scroll down to

// Add the session ID when moving from HTTP and HTTPS servers or when SID is defined

and replace that code:

```php
if ( (ENABLE_SSL == true ) && ($connection == 'SSL') && ($add_session_id == true) ) {
  $sid = tep_session_name() . '=' . tep_session_id();
} elseif ( ($add_session_id == true) && (tep_not_null(SID)) ) {
  $sid = SID;
}
```

with this code:

```php
if ($add_session_id == true) {
  if (tep_not_null(SID)) {
    // No session cookie came back from the browser: keep the ID in the URL
    $sid = SID;
  } elseif ( ($connection == 'SSL') && (ENABLE_SSL == true) ) {
    // Parse the configured server URLs once per request
    if (!isset($http_host) && !isset($https_host)) {
      $url = parse_url(HTTP_SERVER);
      $http_host = $url['host'];
      $url = parse_url(HTTPS_SERVER);
      $https_host = $url['host'];
    }

    // Only pass the ID in the URL when the SSL host differs from the HTTP host
    if ($http_host != $https_host) {
      $sid = tep_session_name() . '=' . tep_session_id();
    }
  }
}
```

I have done this and don't have any problems with getting logged out because of the SID killer...

BTW I still use Ian's old sid killer listed in the thread... after seeing a few problems with v1.2 and no real reason for me to change (nothing new that would be of use to me), I decided I am pretty comfortable where I'm at.

The only thing necessary for evil to flourish is for good men to do nothing - Edmund Burke
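
The two SID rules from the post above, run side by side over three link-generation cases. This is an added example, not osCommerce's or the poster's code: the function names, the session name `sid` and the `.example` hosts are constructed, and it assumes ENABLE_SSL and $add_session_id are both true.

```php
<?php
// Added example, not osCommerce code; function names and hosts are constructed.
// $sidConst models PHP's SID constant: '' when the browser sent the session
// cookie back, "name=id" when it did not.

function host_of(string $url): string
{
    return strtolower((string) parse_url($url, PHP_URL_HOST));
}

// Rule being replaced: every SSL link carries the session ID.
function sid_original(bool $ssl, string $sidConst, string $name, string $id): string
{
    return $ssl ? "$name=$id" : $sidConst;
}

// Replacement rule: honour SID first; otherwise add the ID only when the
// HTTPS host differs from the HTTP host, since the cookie will not follow.
function sid_patched(bool $ssl, string $sidConst, string $name, string $id,
                     string $httpServer, string $httpsServer): string
{
    if ($sidConst !== '') {
        return $sidConst;
    }
    if ($ssl && host_of($httpServer) !== host_of($httpsServer)) {
        return "$name=$id";
    }
    return '';
}

$name = 'sid';
$id   = 'constructed123';
$cases = [ // label, HTTP_SERVER, HTTPS_SERVER, value of SID (all constructed)
    ['same host, cookie accepted',   'http://shop.example', 'https://shop.example',   ''],
    ['same host, cookies blocked',   'http://shop.example', 'https://shop.example',   "$name=$id"],
    ['shared SSL host, cookie sent', 'http://shop.example', 'https://secure.example', ''],
];

foreach ($cases as [$label, $http, $https, $sidConst]) {
    $old = sid_original(true, $sidConst, $name, $id);
    $new = sid_patched(true, $sidConst, $name, $id, $http, $https);
    printf("%-30s old=%-20s new=%s\n", $label, $old, $new === '' ? '(no SID in URL)' : $new);
}
```

Only the first case differs between the two rules: with a working cookie and a single host, the replacement keeps the session ID out of the URL, so it does not end up in Referer headers, server logs or bookmarks.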

dreamscape Posted March 8, 2003

Also, another solution, if you do not mind requiring cookies, is Harald's proposal to resolve the SID security issues:

http://www.oscommerce.com/forums/viewtopic.php...er=asc&start=30

I just installed this on an MS1 and it works pretty good, granted users with cookies disabled can't checkout... but hey it's 2003 and you'd be hard pressed to find an ecommerce site not requiring cookies (any non OSC site)... OSC is so backwards as it is (maintaining PHP3 compatibility? give me a break)... it's about time we started moving forward with the rest of the world...

Again, many thanks to Harald for providing the code on this one.

networkdad Posted March 9, 2003

> also, another solution if you do not mind requiring cookies, is Harald's proposal to resolve the SID security issues:
>
> http://www.oscommerce.com/forums/viewtopic.php...er=asc&start=30
>
> I just installed this on an MS1 and it works pretty good, granted users with cookies disabled can't checkout... but hey it's 2003 and you'd be hard pressed to find an ecommerce site not requiring cookies (any non OSC site)... OSC is so backwards as it is (maintaining PHP3 compatibility? give me a break)... it's about time we started moving forward with the rest of the world...
>
> Again, many thanks to Harald for providing the code on this one.

Excellent! Thank you for all this information, it's very helpful - I'll be testing all of this, and will post results back later.

I have no problem requiring users to have cookies enabled to checkout - every other e-commerce site I visit requires them... no reason why I shouldn't join the bandwagon.

networkdad Posted March 9, 2003

I went with requiring cookies - works perfect now! Just need to tweak some text notifying customers that cookies will be required for checkout.

Thank you..

Jason

Archived
This topic is now archived and is closed to further replies.