48 replies to this topic

[FWR Media]

Many of you would have seen this post: -
What is the osCsid & why you must not loose it.
The title of this topic is very similar on purpose, partly humorous but also because the subject matter is related.

The reason I am starting this topic is that I recently saw an experienced and respected forum member give the following advice to a "low experience" user: -

Quote

Force cookies should not be used so you are correct in having it off.

I see this as dangerous or at least bad advice. There is no place in this day and age for the session to be carried via the querystring, it is a significant security hazard allowing such hack vectors as session riding etc.

Some dangers are: -

• Hackers hijacking sessions.
• Customers logging in as each other and seeing each others private details.
• Customers copying links which have the session attached then posting the link on the web. ( leading to all sorts of problems including the above ).

By forcing cookie usage you are ensuring that your shop is far more secure for your customers. Forcing cookie usage should be the standard with querystring based sessions only used by those who CAN'T force cookie usage.

There are no drawbacks to setting up a shop in this way only positives.

What about customers who have cookies off?
Quite simply you cannot shop these days with cookies off. Virtually none of the big shops work if you have this setting, try adding to cart in Amazon.com and you'll get "Please Enable Cookies in your Web Browser to Continue.". Why? because it is insecure to have the session carried via the querystring.
If one of your customers attempts to purchase with cookies set to off in their browser then they will no doubt be used to not being able to buy anything on the web.

Who can't force cookie usage?
Those who are on cheap hosting with cheap ( not full ) shared SSL certificates cannot force cookie usage. In these cases the session has to be carried in the querystring but this should be changed to force cookies just as soon as the shop can afford it.

A small note on setting this up correctly: -
If you have to have the session id in the querystring it is imperative that it is set up correctly.
In admin>Configuration>Sessions Force Cookie Use must be false and Recreate Session must be true.

Persistent osCsid: Installations with incorrectly set up configuration files may have a persistent osCsid ( the osCsid is ALWAYS attached to the querystring ) this is very dangerous and can be solved simply by setting up the configure files correctly. Don't use the "hide the osCsid" contributions as they do more harm than good.

How do I tell if it is set up correctly? Close all browsers then open a new one visiting the front of your shop. If you hover over the links you will see the osCsid attached to all URLs. Now refresh the page and hover the links, the osCsid should be gone, if it isn't then your settings are incorrect and you have the very dangerous situation of persistent session id in the querystring.

What are the required settings to force cookie usage?
A full ( not shared ) SSL certificate that has been issued using the same domain as the site is accessed.

Example: -
If the shop is accessed as www.mysite.com then the certificate has to issued to www.mysite.com
If the shop is accessed without the www ( just mysite.com ) then the certificate has to be issued as just mysite.com

If the site access and the certificate issue is mismatched then the user will see a security warning.

Once the certificate is in place the osCommerce force cookie usage session settings in admin can be changed to on.

Never again will you see a link that has the osCsid attached. ( presuming the site code is good ).

[Xpajun]

FWR Media, on 31 January 2011, 11:19, said:

Example: -
If the shop is accessed as www.mysite.com then the certificate has to issued to www.mysite.com
If the shop is accessed without the www ( just mysite.com ) then the certificate has to be issued as just mysite.com

If the site access and the certificate issue is mismatched then the user will see a security warning.

Robert,

When I initially had my SSL certificate set up, my hosting company informed me that it didn't matter whether the www. was there or not, it would work correctly.

I have to say that it seems to have...

[FWR Media]

Xpajun, on 31 January 2011, 12:43, said:

Robert,

When I initially had my SSL certificate set up, my hosting company informed me that it didn't matter whether the www. was there or not, it would work correctly.

I have to say that it seems to have...

Maybe it was a wildcard certificate? My experiance was that many years ago I had trouble with this where the client bought an SSL cert as www.mysite.com and then set up shop access as just mysite.com.

[spoofy]

I have had a similar argument not too long ago. In addition to Amazon, you can try a lot of other stores I used in my examples: Target.com, BestBuy.com, BlueFly.com, Zappos.com, Walmart.com

Julian: You were probably setup on a wildcard SSL. Regular SSL will only work on the domain name it was issued for.

Edited by spoofy, 31 January 2011, 14:24.

[toyicebear]

Actually some of the ssl certificate providers now gives you both with and without www included at no extra cost, so check around before purchasing a new SSL certificate.

[FWR Media]

toyicebear, on 31 January 2011, 15:09, said:

Actually some of the ssl certificate providers now gives you both with and without www included at no extra cost, so check around before purchasing a new SSL certificate.

Yes, good point Nick. I have just looked into this and some do offer both.

Ah well my original point still stands but users with this type of cert simply don't need to worry about it.

[ErikMM]

Thank you Robert! +

I did as instructed, but RE: "How do I tell if it is set up correctly?," it appears I am set up incorrectly.

What do I do to "set up the configure files correctly"?

Edited by ErikMM, 31 January 2011, 17:36.

[FWR Media]

ErikMM, on 31 January 2011, 17:28, said:

Thank you Robert! +

I did as instructed, but RE: "How do I tell if it is set up correctly?," it appears I am set up incorrectly.

What do I do to "set up the configure files correctly"?

Where are your files located on the server?

In the root ( site is accessed like www.mysite.com/

Or in a directory ( site is accessed like www.mysite.com/shop/ )

Also is your shop accessed using the www or without?

[ErikMM]

FWR Media, on 31 January 2011, 18:39, said:

Where are your files located on the server?

In the root ( site is accessed like www.mysite.com/

Or in a directory ( site is accessed like www.mysite.com/shop/ )

Also is your shop accessed using the www or without?

For now it is in a directory.

I am going to change it to the root as soon as I go live/start selling.

No "www."

[FWR Media]

ErikMM, on 31 January 2011, 19:49, said:

For now it is in a directory.

I am going to change it to the root as soon as I go live/start selling.

No "www."

Ok well firstly I'd recommend that you have your domain prefixed with www. but anyway: -

catalog/includes/configure.php

The below assumes: -

• Your domain is mysite.com
• You do not have SSL enabled
• The directory that you have installed the site into is named shop

  define('HTTP_SERVER', 'http://mysite.com');
  define('HTTPS_SERVER', 'http://mysite.com');
  define('ENABLE_SSL', false);
  define('HTTP_COOKIE_DOMAIN', '.mysite.com');
  define('HTTPS_COOKIE_DOMAIN', '.mysite.com');
  define('HTTP_COOKIE_PATH', '/shop/');
  define('HTTPS_COOKIE_PATH', '/shop/');
  define('DIR_WS_HTTP_CATALOG', '/shop/');
  define('DIR_WS_HTTPS_CATALOG', '/shop/');

Edited by FWR Media, 31 January 2011, 20:11.

[rwest]

Hi FWR Media,

I turned Force Cookie Usage to on, and I started getting the message You must have cookies enabled in your browser. I am using Firefox, and I do have cookies enabled. I have been searching for others with this problem, and I have found several, but no fixes. Can you help?

Thanks,
Ron

[FWR Media]

rwest, on 31 January 2011, 21:50, said:

Hi FWR Media,

I turned Force Cookie Usage to on, and I started getting the message You must have cookies enabled in your browser. I am using Firefox, and I do have cookies enabled. I have been searching for others with this problem, and I have found several, but no fixes. Can you help?

Thanks,
Ron

The SSL certificate has to be correct and the configure files have to be correct.

I can't really help without seeing the site.

[rwest]

As I couldn't get either my test site nor my production site to let me login, I'd like to get my test site working first.

My site is in a directory, and is accessed via www.mysite.com/test
My SSL cert is built on www.mysite.com

My catalog/includes/configure.php:

define('HTTP_SERVER', 'http://www.mysite.com/test');
define('HTTPS_SERVER', 'https://www.mysite/test');
define('ENABLE_SSL', true); // secure webserver for checkout procedure?
define('HTTP_COOKIE_DOMAIN', 'www.mysite.com/test');
define('HTTPS_COOKIE_DOMAIN', 'www.mysite.com/test');
define('HTTP_COOKIE_PATH', '/');
define('HTTPS_COOKIE_PATH', '/');

Ron

[rwest]

Ok, I used your post above as a model to make the following changes, which now seems to be working.

-thanks

  define('HTTP_SERVER', 'http://www.mysite.com');
  define('HTTPS_SERVER', 'https://www.mysite.com');
  define('ENABLE_SSL', true);
  define('HTTP_COOKIE_DOMAIN', 'www.mysite.com');
  define('HTTPS_COOKIE_DOMAIN', 'www.mysite.com');
  define('HTTP_COOKIE_PATH', '/test/');
  define('HTTPS_COOKIE_PATH', '/test/');
  define('DIR_WS_HTTP_CATALOG', '/test/');
  define('DIR_WS_HTTPS_CATALOG', '/test/');

rwest, on 31 January 2011, 23:28, said:

As I couldn't get either my test site nor my production site to let me login, I'd like to get my test site working first.

My site is in a directory, and is accessed via www.mysite.com/test
My SSL cert is built on www.mysite.com

My catalog/includes/configure.php:

  define('HTTP_SERVER', 'http://www.mysite.com/test');		
  define('HTTPS_SERVER', 'https://www.mysite/test');
  define('ENABLE_SSL', true);			// secure webserver for checkout procedure?
  define('HTTP_COOKIE_DOMAIN', 'www.mysite.com/test');
  define('HTTPS_COOKIE_DOMAIN', 'www.mysite.com/test');
  define('HTTP_COOKIE_PATH', '/');
  define('HTTPS_COOKIE_PATH', '/');

Ron

[ErikMM]

FWR Media, on 31 January 2011, 20:11, said:

Ok well firstly I'd recommend that you have your domain prefixed with www. but anyway: -

catalog/includes/configure.php

The below assumes: -

• Your domain is mysite.com
• You do not have SSL enabled
• The directory that you have installed the site into is named shop

  define('HTTP_SERVER', 'http://mysite.com');
  define('HTTPS_SERVER', 'http://mysite.com');
  define('ENABLE_SSL', false);
  define('HTTP_COOKIE_DOMAIN', '.mysite.com');
  define('HTTPS_COOKIE_DOMAIN', '.mysite.com');
  define('HTTP_COOKIE_PATH', '/shop/');
  define('HTTPS_COOKIE_PATH', '/shop/');
  define('DIR_WS_HTTP_CATALOG', '/shop/');
  define('DIR_WS_HTTPS_CATALOG', '/shop/');

I do have SSL so I did the above, but changed ENABLE_SSL to true.

I also added www @

define('HTTP_SERVER', 'http://mysite.com');
  define('HTTPS_SERVER', 'http://mysite.com');

but nothing changed at the site....still have no www, and persistent osCsid.

Edited by ErikMM, 01 February 2011, 08:32.

[pdcelec]

ErikMM, on 01 February 2011, 08:31, said:

I do have SSL so I did the above, but changed ENABLE_SSL to true.

I also added www @

define('HTTP_SERVER', 'http://mysite.com');
  define('HTTPS_SERVER', 'http://mysite.com');

but nothing changed at the site....still have no www, and persistent osCsid.

define('HTTP_SERVER', 'http://mysite.com');
define('HTTPS_SERVER', 'https://mysite.com');

Edited by pdcelec, 01 February 2011, 08:45.

[ErikMM]

pdcelec, on 01 February 2011, 08:44, said:

define('HTTP_SERVER', 'http://mysite.com');
define('HTTPS_SERVER', 'https://mysite.com');

I did have the "S."

SSL seems to be fine, and www is now working/there, but the oCsid is still persistent.

Edited by ErikMM, 01 February 2011, 19:42.

[FWR Media]

ErikMM, on 01 February 2011, 19:40, said:

I did have the "S."

SSL seems to be fine, and www is now working/there, but the oCsid is still persistent.

Post the first 9 lines of the configure file as given in my posts above, also what is the directory where the shop is installed?

[ErikMM]

FWR Media, on 01 February 2011, 19:47, said:

Post the first 9 lines of the configure file as given in my posts above, also what is the directory where the shop is installed?

1.define('HTTP_SERVER', 'http://www.mysite.com');
define('HTTPS_SERVER', 'https://www.mysite.com');
define('ENABLE_SSL', true);
define('HTTP_COOKIE_DOMAIN', '.mysite.com');
define('HTTPS_COOKIE_DOMAIN', '.mysite.com');
define('HTTP_COOKIE_PATH', '/catalog/');
define('HTTPS_COOKIE_PATH', '/catalog/');
define('DIR_WS_HTTP_CATALOG', '/catalog/');
define('DIR_WS_HTTPS_CATALOG', '/catalog/');

2. mysite.com/catalog

Edited by ErikMM, 01 February 2011, 21:22.

[FWR Media]

ErikMM, on 01 February 2011, 21:21, said:

1.define('HTTP_SERVER', 'http://www.mysite.com');
define('HTTPS_SERVER', 'https://www.mysite.com');
define('ENABLE_SSL', true);
define('HTTP_COOKIE_DOMAIN', '.mysite.com');
define('HTTPS_COOKIE_DOMAIN', '.mysite.com');
define('HTTP_COOKIE_PATH', '/catalog/');
define('HTTPS_COOKIE_PATH', '/catalog/');
define('DIR_WS_HTTP_CATALOG', '/catalog/');
define('DIR_WS_HTTPS_CATALOG', '/catalog/');

2. mysite.com/catalog

Strange .. that is perfect .. could you PM me a link to the site please?