Proposal: Cookies Required


15 replies to this topic

#1   Harald Ponce de Leon

Harald Ponce de Leon

    Healthy Giraffe

  • Core Team
  • 4,715 posts
  • Real Name:Harald Ponce de Leon
  • Gender:Male
  • Location:Solingen, Germany

Posted 22 February 2012 - 12:48

Hi All..

What are the thoughts on requiring cookies for the session management in v3.0? The advantages of requiring cookies include:
  • Enhanced security (session IDs are no longer added to URLs)
  • Load sessions on demand (if no session cookie is present, treat the user as a guest; if no language or currency exists, use the default values)
  • Support for proxy cache servers (eg, Varnish)

Disadvantages:
  • Cookies required

Thoughts?
Harald Ponce de Leon

#2   toyicebear

toyicebear
  • Community Sponsor
  • 6,380 posts
  • Real Name:Nick
  • Gender:Male
  • Location:World Citizen

Posted 22 February 2012 - 12:58

If the EU cookie laws get any stricter than they are today, then relying only on cookies can become an issue, at least for those doing business in the EU region. Imagine having to ask the customer's permission to accept a cookie before he/she can add anything to their cart.

But as most of the other carts require cookies and JavaScript enabled in the browser to work, I guess that is just the way the trend is going. The EU and other regions hopefully will take usability on the web into consideration for future "privacy" rules and regulations.

Edited by toyicebear, 22 February 2012 - 13:08.


#3   burt

burt

    Vanquisher of Demons

  • Community Team
  • 9,554 posts
  • Real Name:G Burton
  • Gender:Male
  • Location:UK/DEV/on

Posted 22 February 2012 - 14:10

If the cookie is absolutely necessary for the site to function, and contains no personal data, then the EU rules on cookies can pretty much be ignored.

If the cookie(s) would contain any personal data, then that could be problematic...

Responsive osCommerce, join in the fun:
http://forums.oscomm...rom-the-get-go/

--
Making your shop better, one osCommerce module at a time - get in touch, or get my newsletter every 1st of the month.


Big Bang Templates for 2.3.4


#4   mattjt83

mattjt83
  • Community Sponsor
  • 399 posts
  • Real Name:Matt Toste
  • Gender:Male
  • Location:CA, USA

Posted 22 February 2012 - 14:20

I have always forced cookie use on my site. The nice thing is that the customers don't even notice that a cookie is being used. They want a secure/simple shopping experience and cookies help to provide that. I think as long as the customer knows that the only thing being stored is their session ID they won't mind cookies being used. I use my privacy page to help explain cookie use, although I think most customers couldn't care less about that stuff. :)

#5   Jack_mcs

Jack_mcs
  • Members
  • 26,421 posts
  • Real Name:Jack York
  • Gender:Male
  • Location:Michigan

Posted 23 February 2012 - 00:29

Cookies have always had, and probably always will have, a bad reputation. Some people still do not use them, or have their browser/firewall set to limit them. I get requests fairly often from shop owners asking how to fix a problem a customer has complained about - the problem being the cookies required message. Some shop owners take the opinion that cookies are fine and if the customer doesn't want to use them, tough luck. In my opinion, the chance of losing a single sale because your shop forces a customer to change how they prefer to surf is just madness.

#6   toyicebear

toyicebear
  • Community Sponsor
  • 6,380 posts
  • Real Name:Nick
  • Gender:Male
  • Location:World Citizen

Posted 23 February 2012 - 01:26

> Cookies have always had, and probably always will have, a bad reputation. Some people still do not use them, or have their browser/firewall set to limit them. I get requests fairly often from shop owners asking how to fix a problem a customer has complained about - the problem being the cookies required message. Some shop owners take the opinion that cookies are fine and if the customer doesn't want to use them, tough luck. In my opinion, the chance of losing a single sale because your shop forces a customer to change how they prefer to surf is just madness.

Outside of what this topic is about, but worth a mention, is that the same sentiment also goes for requiring JavaScript to be enabled in the visitor's browser for the shop to function.

#7   toyicebear

toyicebear
  • Community Sponsor
  • 6,380 posts
  • Real Name:Nick
  • Gender:Male
  • Location:World Citizen

Posted 23 February 2012 - 03:13

But then again, if cookies could be used to make the site experience "better" in terms of speed, usability and customer "customization", then that might lead to a higher conversion rate, which in turn would offset the number of visitors who would not be able to shop.

#8   Harald Ponce de Leon

Harald Ponce de Leon

    Healthy Giraffe

  • Core Team
  • 4,715 posts
  • Real Name:Harald Ponce de Leon
  • Gender:Male
  • Location:Solingen, Germany

Posted 23 February 2012 - 08:21

Hi Jack..

> In my opinion, the chance of losing a single sale because your shop forces a customer to change how they prefer to surf is just madness.


If the customer has cookies disabled, is it safe to assume they would have the knowledge to set an exception to the shop if they really wanted to purchase something?

On the other hand, a customer that does not know the technical issues and copies a URL containing their session ID to share with a friend (rarely for first time visits, probably switching between http and shared-https states) will be disgruntled when they find out the friend is logged in to their session, and loses trust in the shop.

Kind regards,
Harald Ponce de Leon

#9   Foayiid

Foayiid
  • Members
  • 50 posts
  • Real Name:fred
  • Gender:Male

Posted 23 February 2012 - 09:04

> On the other hand, a customer that does not know the technical issues and copies a URL containing their session ID to share with a friend (rarely for first time visits, probably switching between http and shared-https states) will be disgruntled when they find out the friend is logged in to their session, and loses trust in the shop.

No sense for me

I agree with the cookie session; furthermore, cookies are now mostly properly accepted by smartphones.

#10   Harald Ponce de Leon

Harald Ponce de Leon

    Healthy Giraffe

  • Core Team
  • 4,715 posts
  • Real Name:Harald Ponce de Leon
  • Gender:Male
  • Location:Solingen, Germany

Posted 23 February 2012 - 09:26

> On the other hand, a customer that does not know the technical issues and copies a URL containing their session ID to share with a friend (rarely for first time visits, probably switching between http and shared-https states) will be disgruntled when they find out the friend is logged in to their session, and loses trust in the shop.

Actually, that scenario would also exist if cookies were required. Going from http to shared-https (a different domain) requires the session ID to be passed back and forth, otherwise the session is lost.
Harald Ponce de Leon

#11   toyicebear

toyicebear
  • Community Sponsor
  • 6,380 posts
  • Real Name:Nick
  • Gender:Male
  • Location:World Citizen

Posted 23 February 2012 - 10:59

Would a procedure like this not make sense?

1. Once someone enters the website, a cookie is attempted to be "set".

2. When someone initiates an action (add to cart, change language/currency) at the website, the session is started and a check is run for the cookie; if it exists, use cookies for the session, if not, append the session ID to the URL.

This would make it so that the risk of someone "copying" a URL with the session ID attached would be minimized, since no session ID would exist for most visitors (guests), only for those who had cookies set to off and also initiated an "action" on the website.

Security-wise, more checks could be added too if wanted/needed, like checking the session ID against IP and browser ID, so that even if someone copied a URL with the session ID attached they would not "hijack" another person's session.

Edited by toyicebear, 23 February 2012 - 11:00.
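The probe-cookie procedure sketched in this post, written out as an added example in current PHP (7+); it is not osCommerce's own sessions code. The cookie name, the function names and the User-Agent binding are assumptions; session_regenerate_id() is the native PHP function, and IP binding is deliberately left out because proxies and mobile networks change the address mid-session.

```php
<?php
// Added example, not osCommerce code: the probe-cookie procedure from the
// post above, with session ID regeneration at login. Cookie name and
// function names are hypothetical.

const PROBE_COOKIE = 'osc_probe';

// Step 1: on the first hit, only try to set a cookie. No session is started,
// so a guest who never acts is never given a session ID at all.
function sendProbeCookie(): void {
    if (!isset($_COOKIE[PROBE_COOKIE])) {
        setcookie(PROBE_COOKIE, '1', 0, '/', '', !empty($_SERVER['HTTPS']), true);
    }
}

// Step 2: the visitor acts (add to cart, change language/currency). If the
// browser returned the probe cookie, run cookie-only sessions; otherwise
// fall back to carrying the ID in the URL. Returns whether cookies work.
function startSessionForAction(array $cookies): bool {
    $hasCookies = isset($cookies[PROBE_COOKIE]);
    ini_set('session.use_only_cookies', $hasCookies ? '1' : '0');
    ini_set('session.use_trans_sid',    $hasCookies ? '0' : '1');
    ini_set('session.cookie_httponly', '1');
    session_start();
    return $hasCookies;
}

// Build a link: the session ID is appended only in the fallback case, e.g.
// when crossing between the http host and the shared-https host.
function linkWithSid(string $url, bool $hasCookies, string $sid): string {
    if ($hasCookies) {
        return $url;
    }
    $sep = (strpos($url, '?') === false) ? '?' : '&';
    return $url . $sep . session_name() . '=' . urlencode($sid);
}

// Step 3: a copied URL must not hand over a logged-in session. Regenerate the
// ID at login (the leaked ID is invalidated) and bind the session to the
// User-Agent; IP binding is omitted as it logs out customers behind proxies.
function onLogin(string $userAgent): void {
    session_regenerate_id(true);
    $_SESSION['ua_hash'] = hash('sha256', $userAgent);
}

function sessionMatchesBrowser(array $session, string $userAgent): bool {
    return isset($session['ua_hash'])
        && hash_equals($session['ua_hash'], hash('sha256', $userAgent));
}
```

Call sendProbeCookie() on every page, startSessionForAction() only when the visitor does something that needs state, and reject a request with a fresh session_start() when sessionMatchesBrowser() returns false.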


#12   Jack_mcs

Jack_mcs
  • Members
  • 26,421 posts
  • Real Name:Jack York
  • Gender:Male
  • Location:Michigan

Posted 23 February 2012 - 13:02

> Hi Jack..
>
> If the customer has cookies disabled, is it safe to assume they would have the knowledge to set an exception to the shop if they really wanted to purchase something?
>
> On the other hand, a customer that does not know the technical issues and copies a URL containing their session ID to share with a friend (rarely for first time visits, probably switching between http and shared-https states) will be disgruntled when they find out the friend is logged in to their session, and loses trust in the shop.
>
> Kind regards,

I think there are probably people that turn cookies off because they are told that it is safer to do so, not knowing why, and would not change them, even if they knew how. Whether that is one person out of 100 or out of 10,000 is anyone's guess.

Yes, copying session IDs is a problem, as can be seen by the many posts about it on this forum. In most cases, it is just a setup problem in the configure file, session settings and tmp directory existence and/or path to it. I think all of those could be fixed by including a quick little script during, or after, the installation that checks them. Most shop owners don't know enough to check the obvious problems, so doing that for them would greatly reduce the chance of a SID being copied.

#13   bruyndoncx

bruyndoncx

    osCommerce Teenager

  • Members
  • 3,070 posts
  • Real Name:Carine Bruyndoncx
  • Gender:Female
  • Location:Belgium/ Antwerp/ Turnhout/ Arendonk

Posted 06 October 2012 - 22:52

On a related note, on my new server environment in both PHP 5.2 and 5.3, the configuration setting "recreate session" set to true doesn't work, but also generates no errors at all. After I turned it off, it all worked fine.
I'm no expert in session management, but as I understand it, this is not an issue as long as I enforce cookie usage.
Don't just sit there - contribute to the responsive bootstrap community effort!
http://forums.oscomm...iew__getnewpost


Have a nice day!
Carine Bruyndoncx


Seen anything good and relevant on the net about responsive design for ecommerce?
You might as well post it in my responsive live shop review thread.

#14   Harald Ponce de Leon

Harald Ponce de Leon

    Healthy Giraffe

  • Core Team
  • 4,715 posts
  • Real Name:Harald Ponce de Leon
  • Gender:Male
  • Location:Solingen, Germany

Posted 07 October 2012 - 01:11

> On a related note, on my new server environment in both PHP 5.2 and 5.3, the configuration setting "recreate session" set to true doesn't work, but also generates no errors at all. After I turned it off, it all worked fine.
> I'm no expert in session management, but as I understand it, this is not an issue as long as I enforce cookie usage.

This function has been replaced in v2.3.3 to use the native PHP session_regenerate_id() function. This only works for PHP 5.1+ and does nothing for earlier PHP versions.

Here is the relevant commit: https://github.com/o...bca8cef311ec73c
Harald Ponce de Leon

#15   ecartz

ecartz
  • Members
  • 1,964 posts
  • Real Name:Matt
  • Gender:Male

Posted 07 October 2012 - 03:33

In the list of advantages, I don't see any that don't work in the current situation. What osCommerce currently has is a setup where store owners can require cookies but do not have to do so. If we retain things as they are, then a store owner can get

  • Enhanced security (session IDs are no longer added to URLs)
  • Load sessions on demand (if no session cookie is present, treat the user as a guest; if no language or currency exists, use the default values)
  • Support for proxy cache servers (eg, Varnish)

by enabling cookies (and making any other relevant configuration changes).

From a development standpoint, I think that the list of advantages is shorter. The only one that I can see is that it makes the code simpler. However, if we still have to support session IDs in the URL for the secure/insecure switch, then I'm not sure that it matters. The code stays complex (although we do save a configuration check).

Obviously, the disadvantage is losing the option of allowing URL-passed session IDs.
Always backup before making changes.

#16   bruyndoncx

bruyndoncx

    osCommerce Teenager

  • Members
  • 3,070 posts
  • Real Name:Carine Bruyndoncx
  • Gender:Female
  • Location:Belgium/ Antwerp/ Turnhout/ Arendonk

Posted 07 October 2012 - 18:26

> This function has been replaced in v2.3.3 to use the native PHP session_regenerate_id() function. This only works for PHP 5.1+ and does nothing for earlier PHP versions.
>
> Here is the relevant commit: https://github.com/o...bca8cef311ec73c

Something is funny in my installation that affects this. My custom install with the same sessions.php file as the default install won't work with the recreate set; without it, it is fine. Anyhow, something for me to debug further on my site, osC 2.3.3 is fine.
Don't just sit there - contribute to the responsive bootstrap community effort!
http://forums.oscomm...iew__getnewpost


Have a nice day!
Carine Bruyndoncx


Seen anything good and relevant on the net about responsive design for ecommerce?
You might as well post it in my responsive live shop review thread.