Latest News: (loading..)

smiler99

Member Since 23 Sep 2008
Offline Last Active Sep 17 2011, 21:32

Find content

Community Stats

Group Community Member
Active Posts 59 (0.05 per day)
Most Active In General Add-Ons Support (22 posts)
Profile Views 5,889
Age Age Unknown
Birthday Birthday Unknown
Real Name
chris
Gender
Male

Contact Information

Website URL http://www.fireplace2u.co.uk
ICQ smiler99

0 Neutral

Friends

smiler99 hasn't added any friends yet.

Latest Visitors

tgiannop
23 Nov 2011, 19:10
Tom172
09 Oct 2011, 10:33
Jan Zonjee
12 May 2011, 22:32
DarrenDunnage
06 Oct 2009, 08:25
PiLLaO
12 Sep 2009, 07:06

Posts I've Made

In Topic: Lose Session Details Between http and https Page of the Catalog?

18 August 2011, 17:46

germ, on 17 August 2011, 21:04, said:

The site works for me and my browsers (IE7 and FF3.0)

You could try setting "Force Cookie Use" to true and changing the cookie domains to:

  define('HTTP_COOKIE_DOMAIN', 'www.fireplace2u.co.uk');
  define('HTTPS_COOKIE_DOMAIN', 'www.fireplace2u.co.uk');

If that doesn't help I don't have a clue.
:blush:

Germ, thanks for trying, further information if this helps

when i try i retain OSCSID as a value in the url (this only happens when moving through secure pages) - not sure i this is the same for you

when my colleague tries they lose the oscsid

to also add i have set recreate session to false, i continue to work ok, but y colleague still loses his cart

my configure.php files are ok and checked against every other post regarding this issue, which seems to fx the issue for most people

i hate being beat!, i will continue to investigate, however as i am sure you are aware it is extremely difficult to fix a problem that i cant replicate..

chris.

In Topic: Lose Session Details Between http and https Page of the Catalog?

17 August 2011, 20:53

hi Germ,

I am having a similar but slightly wierd problem

i can add an item to my cart, goto basket which shows the item,continue to checkout, login and continue to shipping etc. no problems (ie 8)

a colleague adds an item to cart, goes to checkout, logs in but cart then shows empty, if they go back to a non ssl page then the item shows back in cart ? they also use IE but not sure which version

the issue is that i dont know how many users can / cant get to checout and therefore dont know how many sales im losing, we do get visitors with baskets and no sale but that would happen anyway. Do you have any suggestions.

config is set to

define('HTTP_SERVER', 'http://www.fireplace2u.co.uk');
define('HTTPS_SERVER', 'https://www.fireplace2u.co.uk');
define('ENABLE_SSL', 'true');
define('HTTP_COOKIE_DOMAIN', '.fireplace2u.co.uk');
define('HTTPS_COOKIE_DOMAIN', '.fireplace2u.co.uk');
define('HTTP_COOKIE_PATH', '/');
define('HTTPS_COOKIE_PATH', '/');

session admin is set to

Session Directory /tmp/
Force Cookie Use False
Check SSL Session ID True
Check User Agent False
Check IP Address False
Prevent Spider Sessions True
Recreate Session True
Session Lifetime 60

many thanks

In Topic: Updated spiders.txt Official Support Topic

14 August 2011, 16:04

Steve,

I am getting lots of vosits from users who have SIMBAR in their user agent, from what i have read it appears that these users have some sort of malware/adware on their system. Should i be concerned in any way, should i block any user with SIMBAR in their user agent.

In Topic: Updated Security Thread

08 August 2011, 22:08

Quote

Putting user authentication protection on the admin directory is the best policy, and you can also change the name of the admin directory as an added security.

already done

, 3 years in and i cross my fingers that i have not had any hacks, (plenty of attempts but nothing thats taken over)

im simply looking to ensure that any PCI compliance passes, and to continue to be one step ahead where i can to ensure google never gets the opportunity to flag my site as containing malicious code.

In Topic: Updated Security Thread

07 August 2011, 16:47

Hi Taipo

I have installed OSC_Sec (and for those that have some slight descrepecies in \includes\Application_Top.php)

this is the code i had in application_top which i removed

// set php_self in the local scope
 // commented out for OSC_SEC  $PHP_SELF = (((strlen(ini_get('cgi.fix_pathinfo')) > 0) && ((bool)ini_get('cgi.fix_pathinfo') == false)) || !isset($HTTP_SERVER_VARS['SCRIPT_NAME'])) ? basename($HTTP_SERVER_VARS['PHP_SELF']) : basename($HTTP_SERVER_VARS['SCRIPT_NAME']);

and replaced with

// set php_self in the local scope
  if( !isset( $PHP_SELF ) ) {
    if ( @phpversion() >= "5.0.0" && ( !ini_get("register_long_arrays" ) || @ini_get("register_long_arrays" ) == "0" || strtolower(@ini_get("register_long_arrays" ) ) == "off" ) ) $HTTP_SERVER_VARS = $_SERVER;
    $PHP_SELF = ( ( ( strlen( ini_get('cgi.fix_pathinfo' ) ) > 0 ) && ( ( bool ) ini_get('cgi.fix_pathinfo' ) == false ) ) || !isset( $HTTP_SERVER_VARS['SCRIPT_NAME' ] ) ) ? basename( $HTTP_SERVER_VARS[ 'PHP_SELF' ] ) : basename( $HTTP_SERVER_VARS[ 'SCRIPT_NAME' ] );
  }

Now - Results!

Sec_pro succesfully produced a significant drop in vulnarability Alerts, infact if fixed all vunerabilities with the exception of one

any attack that uses 1<script/acu src=//testphp.vulnweb.com/xss.js?993871></ScRiPt> remained an issue, having looked at the post blacklistings in OSC_Sec.php i can see that this attack is not covered, i dont see any blacklist that captures <script>, i suspect this is known but i dont understand why it would be missing, i cant see any reason for <script> being used in any input form - Taipo can you advise if there are any reason why i shouldnt add a check for <script> in the blacklist

1 last point - whilst testing, switch of ipban / htaccess ban or add your ip to the exclude list otherwise you keep banning yourself and have to remove your ip from the ban list!!