15 replies to this topic

[Harald Ponce de Leon]

Hi All..

What are the thoughts of requiring cookies for the session management in v3.0? The advantages of requiring cookies include:

• Enhanced security (session ID's are no longer added to URLs)
  
• Load sessions on demand (if no session cookie is present, treat user as a guest; if no language or currency exists, use the default values)
  
• Support Proxy Cache Servers (eg, Varnish)

Disadvantages:

• Cookies required

Thoughts?

[toyicebear]

If the EU Cookie laws get any stricter than they are today, then relying only on cookies can become an issue at-least for those doing business in the EU region. Imagine having to ask the customers permission to accept a cookie before he/she can add anything to their cart.

But as most of the other carts are requiring cookies and javascript enabled in the browser to work, i guess that is just the way the trend is going. EU and other regions hopefully will  take usability on the web into consideration for future "privacy" rules and regulations.

Edited by toyicebear, 22 February 2012 - 01:08 PM.

[burt]

If the cookie is absolutely necessary for the site to function, and contains no personal data, then the EU rules on cookies can pretty much be ignored.

If the cookie(s) would contain any personal data, then that could be problematic...

[mattjt83]

I have always forced cookie use on my site.  The nice thing is that the customers don't even notice that a cookie is being used.  They want a secure/simple shopping experience and cookies help to provide that.  I think as long as the customer knows that the only thing being stored is their session ID they won't mind cookies being used.  I use my privacy page to help explain cookie use although I think most customers couldn't care less about that stuff.  

[Jack_mcs]

Cookies have always had, and probably always will have, a bad reputation. Some people still do not use them, or have their browser/firewall set to limit them. I get requests fairly often from shop owners asking how to fix a problem a customer has complained about - the problem being the cookies required message. Some shop owners take the opinion that cookies are fine and if the customer doesn't want to use them, tough luck. In my opinion, the chance of losing a single sale because your shop forces a customer to change how they prefer to surf is just madness.

[toyicebear]

Jack_mcs, on 23 February 2012 - 12:29 AM, said:

Cookies have always had, and probably always will have, a bad reputation. Some people still do not use them, or have their browser/firewall set to limit them. I get requests fairly often from shop owners asking how to fix a problem a customer has complained about - the problem being the cookies required message. Some shop owners take the opinion that cookies are fine and if the customer doesn't want to use them, tough luck. In my opinion, the chance of losing a single sale because your shop forces a customer to change how they prefer to surf is just madness.

Outside of what this topic is about, but worth a mention is that the same sentiment also goes for requiring java-script to be enabled in the visitors browser for the shop to function.

[toyicebear]

But then again if cookies could be used to make the site experience "better" in terms of speed, usability and customer "customization" then that might lead to a higher conversion rate which in turn would offset the number of visitors who would not be able to shop.

[Harald Ponce de Leon]

Hi Jack..

Jack_mcs, on 23 February 2012 - 12:29 AM, said:

In my opinion, the chance of losing a single sale because your shop forces a customer to change how they prefer to surf is just madness.

If the customer has cookies disabled, is it safe to assume they would have the knowledge to set an exception to the shop if they really wanted to purchase something?

On the other hand, a customer that does not know the technical issues and copies a URL containing their session ID to share with a friend (rarely for first time visits, probable switching between http and shared-https states), will be disgruntled when they find out the friend is logged in to their session and loses trust in the shop.

Kind regards,

[Foayiid]

Quote

On the other hand, a customer that does not know the technical issues and copies a URL containing their session ID to share with a friend (rarely for first time visits, probable switching between http and shared-https states), will be disgruntled when they find out the friend is logged in to their session and loses trust in the shop.

No sense for me

I agree with the cookie session, furthermore the cookie are now mostly properly accepted by the smartphone

[Harald Ponce de Leon]

Harald Ponce de Leon, on 23 February 2012 - 08:21 AM, said:

On the other hand, a customer that does not know the technical issues and copies a URL containing their session ID to share with a friend (rarely for first time visits, probable switching between http and shared-https states), will be disgruntled when they find out the friend is logged in to their session and loses trust in the shop.

Actually, that scenario would also exist if cookies were required. Going from http to shared-https (different domain) requires the session ID to be passed back and forth otherwise the session is lost.

[toyicebear]

Would a procedure like this not make sense?

1. Once someone enters the website a cookie is attempted "set".

2. When someone initiates an action (add to cart, change language/currency) at the website the session is started and a check is run for the cookie and if it exist then use cookies for the sessions if not then append them to the url.

This would make it so that the risk of someone "copies" an url with session id attached would be minimized since no session id would exist for most visitors(guests) , only for those who had cookies set to off and also have initiated an "action" on the website.

Security wise more checks could be added too if wanted/needed like checking the session id against ip and browser id so that that even if someone copied an url with session id attached they would not "hijack" another persons session.

Edited by toyicebear, 23 February 2012 - 11:00 AM.

[Jack_mcs]

Harald Ponce de Leon, on 23 February 2012 - 08:21 AM, said:

Hi Jack..



If the customer has cookies disabled, is it safe to assume they would have the knowledge to set an exception to the shop if they really wanted to purchase something?

On the other hand, a customer that does not know the technical issues and copies a URL containing their session ID to share with a friend (rarely for first time visits, probable switching between http and shared-https states), will be disgruntled when they find out the friend is logged in to their session and loses trust in the shop.

Kind regards,

I think there are probably people that turn cookies off because they are told that is safer to do so, not knowing why, and would not change them, even if they knew how. Whether that is one person out of 100 or out of 10,000 is anyones guess.

Yes, copying session ID's is a problem as can be seen by the many posts about it on this forum. In most cases, it is just a setup problem in the configure file, session settings and tmp directory existence and/or path to it. I think all of those could be fixed by including a quick little script during, or after, the installation that checks them. Most shop owners don't know enough to check the obvious problems so doing that for them would greatly reduce the chance of a SID being copied.

[bruyndoncx]

On  a related note, on my new server environment in both php 5.2 and 5.3, the configuration setting recreate session to true doesn't work, but also generates no errors at all. After I turned it off, it all worked fine.
I'm no expert in session management, but as I understand it, this is not an issue as long as I enforce cookie usage.

[Harald Ponce de Leon]

bruyndoncx, on 06 October 2012 - 10:52 PM, said:

On  a related note, on my new server environment in both php 5.2 and 5.3, the configuration setting recreate session to true doesn't work, but also generates no errors at all. After I turned it off, it all worked fine.
I'm no expert in session management, but as I understand it, this is not an issue as long as I enforce cookie usage.

This function has been replaced in v2.3.3 to use the native PHP session_regenerate_id() function. This only works for PHP 5.1+ where it does nothing for earlier PHP versions.

Here is the relevant commit: https://github.com/osCommerce/oscommerce2/commit/c9e52a3d2801b09057e6b3f6dbca8cef311ec73c

[ecartz]

In the list of advantages, I don't see any that don't work in the current situation.  What osCommerce currently has is a setup where store owners can require cookies but do not have to do so.  If we retain things as is, then a store owner can get

Harald Ponce de Leon, on 22 February 2012 - 12:48 PM, said:

• Enhanced security (session ID's are no longer added to URLs)
  
• Load sessions on demand (if no session cookie is present, treat user as a guest; if no language or currency exists, use the default values)
  
• Support Proxy Cache Servers (eg, Varnish)

by enabling cookies (and making any other relevant configuration changes).

From a development standpoint, I think that the list of advantages is shorter.  The only one that I can see is that it makes the code simpler.  However, if we still have to support session IDs in the URL for the secure/insecure switch, then I'm not sure that it matters.  The code stays complex (although we do save a configuration check).

Obviously, the disadvantage is losing the option of allowing URL passed session IDs.

[bruyndoncx]

Harald Ponce de Leon, on 07 October 2012 - 01:11 AM, said:

This function has been replaced in v2.3.3 to use the native PHP session_regenerate_id() function. This only works for PHP 5.1+ where it does nothing for earlier PHP versions.

Here is the relevant commit: https://github.com/osCommerce/oscommerce2/commit/c9e52a3d2801b09057e6b3f6dbca8cef311ec73c

Something is funny in my installation that affects this. My custom install with the same sessions.php file as the default install wont work with the recreate set, without it, it is fine. Anyhow, something for me to debug further on my site, osC 2.3.3. is fine.