osCsid & why you SHOULD lose it


50 replies to this topic

#21   FWR Media

FWR Media
  • Community Sponsor
  • 6,836 posts
  • Real Name:Robert Fisher
  • Gender:Male
  • Location:Stowmarket - Suffolk - UK

Posted 02 February 2011 - 07:50 AM

@erikMM

I checked your site; there is nothing wrong with it.

On first load the osCsid is present, refresh and it is gone, this is standard operation. The only way to get rid of the osCsid totally is forcing cookie use.

#22   Biancoblu

Biancoblu

    1291 Giger's Alien

  • Community Sponsor
  • 704 posts
  • Real Name:Isabella
  • Gender:Female
  • Location:Switzerland

Posted 02 February 2011 - 12:51 PM

Thank you for this interesting topic. I recognize myself in the "low experienced user advised to keep force cookie usage set to off".

I have a question about my site...you say:

Quote

How do I tell if it is set up correctly? Close all browsers then open a new one visiting the front of your shop. If you hover over the links you will see the osCsid attached to all URLs. Now refresh the page and hover the links, the osCsid should be gone, if it isn't then your settings are incorrect and you have the very dangerous situation of persistent session id in the querystring.

My shop behaves like this, i.e. when I hover on the links I have the osCsid in all URLs; when I refresh and hover again, they're gone.
However these are my settings:

force cookie use: false
recreate session: false

If I set force cookie use to true, I lose the osCsid completely.

I have a private SSL set up for www.mysite.com, which is the address my shop is accessed from, and my config file is like this:

define('HTTP_SERVER', 'http://www.mysite.com');
define('HTTPS_SERVER', 'https://www.mysite.com');
define('ENABLE_SSL', true);
define('HTTP_COOKIE_DOMAIN', '.mysite.com');
define('HTTPS_COOKIE_DOMAIN', '.mysite.com');
define('HTTP_COOKIE_PATH', '/');
define('HTTPS_COOKIE_PATH', '/');
define('DIR_WS_HTTP_CATALOG', '/');
define('DIR_WS_HTTPS_CATALOG', '/');


Are there errors anywhere? And what about the fact that I have force cookie use set to off and the shop still behaves the way you say it should?
~ Don't mistake my kindness for weakness ~
~ viam supervadet vadens ~

#23   FWR Media

FWR Media
  • Community Sponsor
  • 6,836 posts
  • Real Name:Robert Fisher
  • Gender:Male
  • Location:Stowmarket - Suffolk - UK

Posted 02 February 2011 - 01:04 PM

Biancoblu, on 02 February 2011 - 12:51 PM, said:

Thank you for this interesting topic. I recognize myself in the "low experienced user advised to keep force cookie usage set to off".

I have a question about my site...you say:


My shop behaves like this, i.e. when I hover on the links I have the osCsid in all URLs; when I refresh and hover again, they're gone.
However these are my settings:

force cookie use: false
recreate session: false

If I set force cookie use to true, I lose the osCsid completely.

Sounds like your shop is working perfectly and when you set force cookie use to true you should never see the osCsid in the url.

Quote

Are there errors anywhere? And what about the fact that I have force cookie use set to off and the shop still behaves the way you say it should?

All looks fine to me, if the shop all works perfectly with force cookie use set to true then I'd leave it like that. A good test is when changing from NON SSL to SSL .. like ..

1) Make sure you are logged out then add a product to cart.
2) Log in as a customer ( you should now be on SSL )
3) Check that the cart still contains its contents.

If the cart is correct then all seems to be working.

#24   Biancoblu

Biancoblu

    1291 Giger's Alien

  • Community Sponsor
  • 704 posts
  • Real Name:Isabella
  • Gender:Female
  • Location:Switzerland

Posted 02 February 2011 - 01:23 PM

Thank you for replying.

Quote

All looks fine to me, if the shop all works perfectly with force cookie use set to true then I'd leave it like that.

You meant to say force cookie set to false, right? Which is how mine is set; just making sure I understand.



Quote

1) Make sure you are logged out then add a product to cart.
2) Log in as a customer ( you should now be on SSL )
3) Check that the cart still contains its contents.

I tried and yes it works exactly like that.


So what is the reason behind the fact that sometimes it works fine with force cookie use set to false, and sometimes not?
~ Don't mistake my kindness for weakness ~
~ viam supervadet vadens ~

#25   FWR Media

FWR Media
  • Community Sponsor
  • 6,836 posts
  • Real Name:Robert Fisher
  • Gender:Male
  • Location:Stowmarket - Suffolk - UK

Posted 02 February 2011 - 01:34 PM

Biancoblu, on 02 February 2011 - 01:23 PM, said:

So what is the reason behind the fact that sometimes it works fine with force cookie use set to false, and sometimes not?

I haven't seen you describe this.

Could you explain to me exactly what happens when sometimes it doesn't work fine.

Edited by FWR Media, 02 February 2011 - 01:36 PM.


#26   Biancoblu

Biancoblu

    1291 Giger's Alien

  • Community Sponsor
  • 704 posts
  • Real Name:Isabella
  • Gender:Female
  • Location:Switzerland

Posted 02 February 2011 - 01:40 PM

Sorry I explained myself poorly.
What I meant is you advise to set force cookie use to true as you say it's safer, then describe how the shop should behave when it is properly set up.
I just noticed that mine behaves the way it should even though I have force cookie use set to false ( which you said is unsafe in your first post ), so I'm wondering why some sites like mine behave "well" with force cookie set to false whilst others seemingly have a problem.

Edited by Biancoblu, 02 February 2011 - 01:41 PM.

~ Don't mistake my kindness for weakness ~
~ viam supervadet vadens ~

#27   FWR Media

FWR Media
  • Community Sponsor
  • 6,836 posts
  • Real Name:Robert Fisher
  • Gender:Male
  • Location:Stowmarket - Suffolk - UK

Posted 02 February 2011 - 01:54 PM

Biancoblu, on 02 February 2011 - 01:40 PM, said:

Sorry I explained myself poorly.
What I meant is you advise to set force cookie use to true as you say it's safer, then describe how the shop should behave when it is properly set up.
I just noticed that mine behaves the way it should even though I have force cookie use set to false ( which you said is unsafe in your first post ), so I'm wondering why some sites like mine behave "well" with force cookie set to false whilst others seemingly have a problem.

I described this in the first post.

Whether or not osCommerce is functioning correctly with force cookie use off is not the point.

Without force cookie use set to true the customer's session is, initially at least, carried by the querystring; this is insecure. Session hijacking, fixation, riding etc. can occur where a URL complete with session id is posted on an external site. This could be a hacker attempting to provide you with a session id that they can then manipulate, or it could be just an unknowing customer copying a link from the site.

If force cookies is set to true the session cannot be manipulated via the querystring as it is carried in the user's browser; this is more secure for the shop and more secure for the customer.

Edited by FWR Media, 02 February 2011 - 02:07 PM.
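
As an added illustration of the mechanism Robert describes above (this is plain PHP, not osCommerce's own session code and not from the thread), the settings below are what "the session is carried in the browser, not the querystring" means at the PHP level: the id is accepted and sent only as a cookie, URL rewriting is off, and the id is rotated once the customer logs in so a value that leaked earlier in a copied link is no longer useful. The cookie domain is the one from the configure.php posted earlier and is an assumption; the array form of session_set_cookie_params needs PHP 7.3 or later.

```php
<?php
// Added example: PHP-level equivalent of "force cookie use = true".
// Not osCommerce code; domain/path values are assumptions from the thread.
declare(strict_types=1);

function harden_session_config(string $cookieDomain, bool $https): void
{
    // Never read a session id from the URL, and never rewrite links to append one.
    ini_set('session.use_only_cookies', '1');
    ini_set('session.use_trans_sid', '0');
    // Refuse an uninitialised id handed in by the client (anti-fixation, PHP >= 5.5.2).
    ini_set('session.use_strict_mode', '1');

    // Array form of session_set_cookie_params requires PHP 7.3+.
    session_set_cookie_params([
        'lifetime' => 0,            // session cookie: dropped when the browser closes
        'path'     => '/',
        'domain'   => $cookieDomain,
        'secure'   => $https,       // only sent over SSL when the shop runs on HTTPS
        'httponly' => true,         // not readable by page scripts
        'samesite' => 'Lax',        // not attached to cross-site POSTs
    ]);
}

function start_hardened_session(string $cookieDomain, bool $https): void
{
    harden_session_config($cookieDomain, $https);
    session_start();
}

// Call once the customer has authenticated: the old id (possibly seen by a third
// party in a copied link) is discarded and a fresh one is issued in the cookie.
function rotate_session_after_login(): void
{
    session_regenerate_id(true);
}

// Self-check for a throwaway script: confirms the ini values were accepted.
function session_config_is_cookie_only(): bool
{
    return ini_get('session.use_only_cookies') === '1'
        && ini_get('session.use_trans_sid') === '0';
}

start_hardened_session('.mysite.com', true);
echo session_config_is_cookie_only() ? "cookie-only session\n" : "session id may still travel in URLs\n";
```

The ini values must be set before session_start(), which is why the helper wraps both; osCommerce's own "Force Cookie Use" switch is still the setting to change in the admin, this only shows what it is protecting.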


#28   Biancoblu

Biancoblu

    1291 Giger's Alien

  • Community Sponsor
  • 704 posts
  • Real Name:Isabella
  • Gender:Female
  • Location:Switzerland

Posted 02 February 2011 - 02:25 PM

Forgive my ignorance on cookies and querystrings but I am really confused. I had my shop set up with force cookie use set to false because a developer did it 5 years ago and I never questioned it.

I thought you were telling me before to leave it set to false, I obviously misread you.

You said the shop is set up correctly when you see the osCsid on hovering, then when you refresh, it disappears. My shop behaves like that ONLY with force cookies set to false; when I set it true, I see no osCsid on hovering, I see no osCsid at all anywhere. Is that the way it should be? Is the point of it all NOT to see an osCsid attached in the URL?

Sorry again for all the questions/confusion.
~ Don't mistake my kindness for weakness ~
~ viam supervadet vadens ~

#29   spoofy

spoofy
  • Members
  • 181 posts
  • Real Name:Spoofy

Posted 02 February 2011 - 02:25 PM

Robert,

A quick question for you. I have had the osCommerce installation on several locations throughout the testing period, and even for development I run a copy locally here, one on an in-house server and one on the internet (point being that I have several different installations of osCommerce).

I have NEVER seen the osCsid pass through the querystring. I can see the cookies work perfectly fine. I can view the cookie data etc. in the browser. I have tried this on several browsers and have never seen the osCsid.

#30   FWR Media

FWR Media
  • Community Sponsor
  • 6,836 posts
  • Real Name:Robert Fisher
  • Gender:Male
  • Location:Stowmarket - Suffolk - UK

Posted 02 February 2011 - 02:31 PM

Biancoblu, on 02 February 2011 - 02:25 PM, said:

Forgive my ignorance on cookies and querystrings but I am really confused. I had my shop set up with force cookie use set to false because a developer did it 5 years ago and I never questioned it.

I thought you were telling me before to leave it set to false, I obviously misread you.

You said the shop is set up correctly when you see the osCsid on hovering, then when you refresh, it disappears. My shop behaves like that ONLY with force cookies set to false; when I set it true, I see no osCsid on hovering, I see no osCsid at all anywhere. Is that the way it should be? Is the point of it all NOT to see an osCsid attached in the URL?

Sorry again for all the questions/confusion.

Force cookie use true and no osCsid in the querystring is perfect ( so long as the shop still works ).

#31   FWR Media

FWR Media
  • Community Sponsor
  • 6,836 posts
  • Real Name:Robert Fisher
  • Gender:Male
  • Location:Stowmarket - Suffolk - UK

Posted 02 February 2011 - 02:35 PM

spoofy, on 02 February 2011 - 02:25 PM, said:

Robert,

A quick question for you. I have had the osCommerce installation on several locations throughout the testing period, and even for development I run a copy locally here, one on an in-house server and one on the internet (point being that I have several different installations of osCommerce).

I have NEVER seen the osCsid pass through the querystring. I can see the cookies work perfectly fine. I can view the cookie data etc. in the browser. I have tried this on several browsers and have never seen the osCsid.

If osCommerce is set up as force cookies false then the session is initially passed via the querystring until such time as the cookie is in place ( one page reload if set up correctly ).

If you close all browser windows ( to lose all sessions ) then open a fresh one browsing directly to one of your osCommerce installations, then hover over a link, you will see the osCsid appended to the URL; click on that link and you will also see the osCsid in the address bar at the top.

Edited by FWR Media, 02 February 2011 - 02:35 PM.
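
The "hover over the links, then reload and hover again" check from Robert's posts can be automated. The script below is an added example written for this thread, not osCommerce code: given the HTML of a page as fetched on a fresh first load and again after a reload with cookies kept, it lists the links carrying an osCsid parameter and classifies the shop the way the thread does (cookie-only, transient on first load, or the dangerous persistent case). The sample pages and the session id value in them are constructed for the example.

```php
<?php
// Added example (not from the thread or osCommerce): detect osCsid in page links.
declare(strict_types=1);

/** Return every href on the page whose querystring carries an osCsid parameter. */
function links_with_oscsid(string $html): array
{
    $found = [];
    if (preg_match_all('/href\s*=\s*["\']([^"\']+)["\']/i', $html, $m)) {
        foreach ($m[1] as $href) {
            // Links in HTML have "&amp;" between parameters; decode before parsing.
            $query = parse_url(html_entity_decode($href), PHP_URL_QUERY);
            if ($query === null || $query === false) {
                continue;
            }
            parse_str($query, $params);
            if (isset($params['osCsid'])) {
                $found[] = $href;
            }
        }
    }
    return $found;
}

/**
 * Classify a first-load / reload pair of pages:
 *   'cookie-only' - no osCsid on either load (force cookie use = true)
 *   'transient'   - osCsid on the first load only (force cookie use = false, cookie accepted)
 *   'persistent'  - osCsid still in the links after reload: the dangerous configuration
 */
function classify_session_carrier(string $firstLoadHtml, string $reloadHtml): string
{
    $first  = count(links_with_oscsid($firstLoadHtml)) > 0;
    $reload = count(links_with_oscsid($reloadHtml)) > 0;
    if ($reload) {
        return 'persistent';
    }
    return $first ? 'transient' : 'cookie-only';
}

// Constructed sample pages; the id is invented and not a real session.
$firstLoad = '<a href="product_info.php?products_id=12&amp;osCsid=0123456789abcdef">Widget</a>'
           . '<a href="shopping_cart.php?osCsid=0123456789abcdef">Cart</a>';
$reload    = '<a href="product_info.php?products_id=12">Widget</a>'
           . '<a href="shopping_cart.php">Cart</a>';

echo "first load + clean reload: ", classify_session_carrier($firstLoad, $reload), PHP_EOL;
echo "osCsid on both loads:      ", classify_session_carrier($firstLoad, $firstLoad), PHP_EOL;
echo "no osCsid at all:          ", classify_session_carrier($reload, $reload), PHP_EOL;
```

To use it against a real shop, fetch the front page twice with a cookie jar (curl or a browser save) and feed the two HTML bodies in; anything other than 'cookie-only' on a shop that has force cookie use set to true means the setting did not take effect.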


#32   Biancoblu

Biancoblu

    1291 Giger's Alien

  • Community Sponsor
  • 704 posts
  • Real Name:Isabella
  • Gender:Female
  • Location:Switzerland

Posted 02 February 2011 - 02:36 PM

FWR Media, on 02 February 2011 - 02:31 PM, said:

Force cookie use true and no osCsid in the querystring is perfect ( so long as the shop still works ).

Thanks for your patience, I appreciate it.
~ Don't mistake my kindness for weakness ~
~ viam supervadet vadens ~

#33   rwest

rwest
  • Members
  • 81 posts
  • Real Name:Ron West
  • Gender:Male
  • Location:WA

Posted 02 February 2011 - 03:15 PM

I just noticed that I am getting an osCAdminId string on my admin side. Everything is working on my catalog side. Is this probably related to something misconfigured in my admin/includes/configure.php file?

#34   spoofy

spoofy
  • Members
  • 181 posts
  • Real Name:Spoofy

Posted 02 February 2011 - 03:34 PM

FWR Media, on 02 February 2011 - 02:35 PM, said:

If osCommerce is set up as force cookies false then the session is initially passed via the querystring until such time as the cookie is in place ( one page reload if set up correctly ).

If you close all browser windows ( to lose all sessions ) then open a fresh one browsing directly to one of your osCommerce installations, then hover over a link, you will see the osCsid appended to the URL; click on that link and you will also see the osCsid in the address bar at the top.

I should've mentioned that I always use force cookie usage. And I have cleared my cookies and tried it and have never seen the querystring on any of the links. Is that normal with force cookie usage?

#35   FWR Media

FWR Media
  • Community Sponsor
  • 6,836 posts
  • Real Name:Robert Fisher
  • Gender:Male
  • Location:Stowmarket - Suffolk - UK

Posted 02 February 2011 - 03:42 PM

spoofy, on 02 February 2011 - 03:34 PM, said:

I should've mentioned that I always use force cookie usage. And I have cleared my cookies and tried it and have never seen the querystring on any of the links. Is that normal with force cookie usage?

If you read my posts including the one immediately above it will become apparent that with force cookies true there is no querystring session id.

#36   spoofy

spoofy
  • Members
  • 181 posts
  • Real Name:Spoofy

Posted 02 February 2011 - 04:21 PM

FWR Media, on 02 February 2011 - 03:42 PM, said:

If you read my posts including the one immediately above it will become apparent that with force cookies true there is no querystring session id.

Yea. Just wanted to double check.  :thumbsup:

#37   ErikMM

ErikMM
  • Members
  • 314 posts
  • Real Name:Erik M
  • Gender:Male

Posted 03 February 2011 - 07:13 AM

FWR Media, on 02 February 2011 - 07:50 AM, said:

@erikMM

I checked your site; there is nothing wrong with it.

On first load the osCsid is present, refresh and it is gone, this is standard operation. The only way to get rid of the osCsid totally is forcing cookie use.

Weird... worked for me today as well. It may be my damn Web Developer. I might have had the cookie settings wrong. I played with Web Developer for another site today, then visited my site. Works great now.

Now for your SEO! ;)

Thanks

#38   rwest

rwest
  • Members
  • 81 posts
  • Real Name:Ron West
  • Gender:Male
  • Location:WA

Posted 03 February 2011 - 02:23 PM

rwest, on 02 February 2011 - 03:15 PM, said:

I just noticed that I am getting an osCAdminId string on my admin side. Everything is working on my catalog side. Is this probably related to something misconfigured in my admin/includes/configure.php file?

Can someone give me an example admin/includes/configure.php for a store installed in a directory? I access it at www.mysite.com/test. I am still getting the osCAdminID string on the admin side (not the osCsid string), and nothing I have tried works.

#39   ErikMM

ErikMM
  • Members
  • 314 posts
  • Real Name:Erik M
  • Gender:Male

Posted 04 February 2011 - 07:48 PM

rwest, on 03 February 2011 - 02:23 PM, said:

Can someone give me an example admin/includes/configure.php for a store installed in a directory? I access it at www.mysite.com/test. I am still getting the osCAdminID string on the admin side (not the osCsid string), and nothing I have tried works.

I really don't think it matters on the Admin side... hopefully you are the only administrator and you aren't sharing any of those admin links with anyone... it's the catalog side that matters, admin is for your eyes only so don't sweat it.

#40   ErikMM

ErikMM
  • Members
  • 314 posts
  • Real Name:Erik M
  • Gender:Male

Posted 04 February 2011 - 07:54 PM

FWR Media, on 02 February 2011 - 07:50 AM, said:

@erikMM

I checked your site; there is nothing wrong with it.

On first load the osCsid is present, refresh and it is gone, this is standard operation. The only way to get rid of the osCsid totally is forcing cookie use.

So here's a new one: I just installed your Ultimate 5, and KissMT. Now I don't see the osCsid at all, even on the first hover. All was well/perfect as mentioned a few posts above, but after the install I can't see the osCsid at all on the first load. I'm assuming all is well, but that little reassurance of actually seeing the osCsid on the first load is now gone or not apparent to me.