Jump to content
  • Checkout
  • Login
  • Get in touch

osCommerce

The e-commerce.

Sign in to follow this  
Guest

[Contribution] Session Regeneration

Recommended Posts

Guest

I see, opent your catalog\includes\functions\sessions.php locate this code

 

//-MS- Add session regeneration
 function tep_session_regenerate() {
global $SID, $navigation;
if (PHP_VERSION > 4.3) {

 

change it to this

//-MS- Add session regeneration
 function tep_session_regenerate() {
global $SID, $navigation;
if (PHP_VERSION >= '4.3.2') {

 

I did not check the version string properly so it had no effect with versions less than 4.4.

Share this post


Link to post
Share on other sites
I see, opent your catalog\includes\functions\sessions.php locate this code

 

//-MS- Add session regeneration
 function tep_session_regenerate() {
global $SID, $navigation;
if (PHP_VERSION > 4.3) {

 

change it to this

//-MS- Add session regeneration
 function tep_session_regenerate() {
global $SID, $navigation;
if (PHP_VERSION >= '4.3.2') {

 

I did not check the version string properly so it had no effect with versions less than 4.4.

 

 

After making this small change, it's now working just fine! :D

Thanks Again

Steel

Share this post


Link to post
Share on other sites
Guest

allright, I'll incorporate the php version fix with the next release.

 

I tried the other things to improve session recreation with visitor coming from outside right from the start, but none of these brought concrete results so far. They raise more issues than solutions. So I do not recommend any of those mentioned earlier to enhance the contribution.

Share this post


Link to post
Share on other sites
allright, I'll incorporate the php version fix with the next release.

 

I tried the other things to improve session recreation with visitor coming from outside right from the start, but none of these brought concrete results so far. They raise more issues than solutions. So I do not recommend any of those mentioned earlier to enhance the contribution.

 

Well, we were talking about the situation where multiple clients would accidentally pick up the same session id from an external source like SE indexes and thus share that session id and potential sensitive information.

 

The simple referer check takes ample care of those situations. (refresh does not change the referer and there is no cart contents to be lost as this check is done at site entry and not much later at signin).

 

Even a little variant like this one:

 

if (isset($_GET[tep_session_name()])) {
 // session active?
 if (!file_exists(SESSION_WRITE_DIRECTORY.'/sess_'.$_GET[tep_session_name()])) unset($_GET[tep_session_name()]);
}

would do the trick.

 

You stated that checking the referer will no longer work after someone clicked around for a while because then the referer check becomes void.

 

Absolutely true, but then you are talking about a totally different scenario, then you are talking about deliberately trying to hijack a session by manually inserting or overwriting the session id in the url while already on the site.

 

While that is possible, it would take a very lucky guess to come up with an existing session id that way, the odds of finding one that is used by someone else are far lower than any known lottery scheme.

 

As such I believe that, while your solution may be an improvement over the default osc solution, it still remains a partial solution for a problem which virtually does not exist.


Treasurer MFC

Share this post


Link to post
Share on other sites
Guest
Well, we were talking about the situation where multiple clients would accidentally pick up the same session id from an external source like SE indexes and thus share that session id and potential sensitive information.

 

The simple referer check takes ample care of those situations. (refresh does not change the referer and there is no cart contents to be lost as this check is done at site entry and not much later at signin).

 

Even a little variant like this one:

 

if (isset($_GET[tep_session_name()])) {
 // session active?
 if (!file_exists(SESSION_WRITE_DIRECTORY.'/sess_'.$_GET[tep_session_name()])) unset($_GET[tep_session_name()]);
}

would do the trick.

 

You stated that checking the referer will no longer work after someone clicked around for a while because then the referer check becomes void.

 

Absolutely true, but then you are talking about a totally different scenario, then you are talking about deliberately trying to hijack a session by manually inserting or overwriting the session id in the url while already on the site.

 

While that is possible, it would take a very lucky guess to come up with an existing session id that way, the odds of finding one that is used by someone else are far lower than any known lottery scheme.

 

As such I believe that, while your solution may be an improvement over the default osc solution, it still remains a partial solution for a problem which virtually does not exist.

 

There're several problems I've seen so far. One of them which I mentioned earlier was that the code you posted won't work between ssl/non-ssl transitions, because you will unset the session id due to the referer being different. So now you need to compare secure non-secure servers. Also I'm uncertain with the implications doing this with other contributions installed like multi-stores. I haven't studied every scenario but you may have to add quite some code there to cover each case. The code of this contribution utilizes the existing part of the osc functionality. It simply recreates the session just on 2 cases. Create Account and Login. And should work for every store regardless of configuration.

Share this post


Link to post
Share on other sites
As such I believe that, while your solution may be an improvement over the default osc solution, it still remains a partial solution for a problem which virtually does not exist.

 

 

 

Do a simple search (it's the little box at the top of the screen that says "Search") and you will find this can and does happen. I own mulitple stores and in 2 of the stores out of a few thousand orders it has happen at least 3 or 4 times. But, even 1 time is too many when it comes to a situation like this!

 

Read OR Re-Read Post 17 and 18 in this thread.

Edited by Steel

Share this post


Link to post
Share on other sites
There're several problems I've seen so far. One of them which I mentioned earlier was that the code you posted won't work between ssl/non-ssl transitions, because you will unset the session id due to the referer being different. So now you need to compare secure non-secure servers. Also I'm uncertain with the implications doing this with other contributions installed like multi-stores. I haven't studied every scenario but you may have to add quite some code there to cover each case. The code of this contribution utilizes the existing part of the osc functionality. It simply recreates the session just on 2 cases. Create Account and Login. And should work for every store regardless of configuration.

 

ssl an non ssl is a simple request_type check ofcourse.

 

the above example enables ignoring any passed session id if the session does not already exist in the system and as such was issued by the system and is still active.

(in this case file based sessions but sql based is just as simple).

So no indexed session id or manually inserted session id could become active unless it already is.


Treasurer MFC

Share this post


Link to post
Share on other sites
Do a simple search (it's the little box at the top of the screen that says "Search") and you will find this can and does happen. I own mulitple stores and in 2 of the stores out of a few thousand orders it has happen at least 3 or 4 times. But, even 1 time is too many when it comes to a situation like this!

 

Read OR Re-Read Post 17 and 18 in this thread.

 

no need to re-read as both my simple statements make all your scenario's void.


Treasurer MFC

Share this post


Link to post
Share on other sites
Guest
ssl an non ssl is a simple request_type check ofcourse.

 

the above example enables ignoring any passed session id if the session does not already exist in the system and as such was issued by the system and is still active.

(in this case file based sessions but sql based is just as simple).

So no indexed session id or manually inserted session id could become active unless it already is.

If you already have the complete application_top.php with the changes you mentioned (including the dbase session access) post it here so I can test your latest code and the things you're saying. But my opinion is you have to make significant changes. And don't forget the $_POST array where sessions can always come from there. ie cases where user sits on a form page, session expires etc.

 

ssl an non ssl is a simple request_type check ofcourse.

It's the too many loopholes I'm afraid of.

Share this post


Link to post
Share on other sites
If you already have the complete application_top.php with the changes you mentioned (including the dbase session access) post it here so I can test your latest code and the things you're saying. But my opinion is you have to make significant changes. And don't forget the $_POST array where sessions can always come from there. ie cases where user sits on a form page, session expires etc.

It's the too many loopholes I'm afraid of.

 

 

I would suggest that you test my site, refuse cookies so you can see the session id in the url and then try whatever you want to try to activate a session or hijack a session (not you own session ofcourse as that is playing the lottery with the winning ticket).

 

if you then are satisfied that it works, then I will post the exact implementation code (without the sql based session access).


Treasurer MFC

Share this post


Link to post
Share on other sites

Hello,

 

I have installed the session regeneration....the only problem I have is

 

when the customer goes to log in at "logn.php" (they enter thier email and password)

 

it only works if they got to the login page by clicking in the header "myaccount" next to shopping cart.

 

So if you weren't logged in and you purchase some products then checkout, when it

prompts you for an email and password it doesn't work.

 

Can anyone help please >_<

 

it also happens if you get to the login page through "reviews " and after the conformation page(after a customer finishes purchasing a product and it comes up with the login page).

 

this is the log in page.....

<?php

/*

$Id: login.php,v 1.80 2003/06/05 23:28:24 hpdl Exp $

 

osCommerce, Open Source E-Commerce Solutions

http://www.oscommerce.com

 

Copyright © 2003 osCommerce

 

Released under the GNU General Public License

*/

 

 

require('includes/application_top.php');

 

// redirect the customer to a friendly cookie-must-be-enabled page if cookies are disabled (or the session has not started)

if ($session_started == false) {

tep_redirect(tep_href_link(FILENAME_COOKIE_USAGE));

}

 

require(DIR_WS_LANGUAGES . $language . '/' . FILENAME_LOGIN);

 

$error = false;

$error_blacklisted = false;

if (isset($HTTP_GET_VARS['action']) && ($HTTP_GET_VARS['action'] == 'process')) {

$email_address = tep_db_prepare_input($HTTP_POST_VARS['email_address']);

$password = tep_db_prepare_input($HTTP_POST_VARS['password']);

 

// Check if email exists

$check_customer_query = tep_db_query("select customers_id, customers_firstname, customers_lastname, customers_password, customers_email_address, customers_default_address_id from " . TABLE_CUSTOMERS . " where customers_email_address = '" . tep_db_input($email_address) . "'");

if (!tep_db_num_rows($check_customer_query)) {

$error = true;

} else {

$check_customer = tep_db_fetch_array($check_customer_query);

// Check that password is good

if (!tep_validate_password($password, $check_customer['customers_password'])) {

$error = true;

} else {

$blacklist_query = tep_db_query("SELECT c.customers_id, b.customers_id, b.ban_customer, b.description FROM " . TABLE_CUSTOMERS . " c, " . TABLE_BLACKLIST . " b WHERE b.customers_id = '" . $check_customer['customers_id'] ."'");

$blacklisted = tep_db_fetch_array($blacklist_query);

 

if ($blacklisted['ban_customer'] == true)

{

$error = true;

$error_blacklisted = true;

 

tep_db_query("update " . TABLE_BLACKLIST . " set attempted_use = '1' where customers_id = '" . $check_customer['customers_id'] . "'");

 

$email_body = 'The following blacklisted person tried to login:' . "\n\n\t" . $check_customer['customers_firstname'] . ' ' . $check_customer['customers_lastname'];

tep_mail(STORE_OWNER, STORE_OWNER_EMAIL_ADDRESS, 'Attempted login by blacklisted visitor', $email_body, STORE_OWNER, STORE_OWNER_EMAIL_ADDRESS);

} else {

if (SESSION_RECREATE == 'True') {

tep_session_recreate();

}

 

$check_country_query = tep_db_query("select entry_country_id, entry_zone_id from " . TABLE_ADDRESS_BOOK . " where customers_id = '" . (int)$check_customer['customers_id'] . "' and address_book_id = '" . (int)$check_customer['customers_default_address_id'] . "'");

$check_country = tep_db_fetch_array($check_country_query);

 

$customer_id = $check_customer['customers_id'];

$customer_default_address_id = $check_customer['customers_default_address_id'];

$customer_first_name = $check_customer['customers_firstname'];

$customer_country_id = $check_country['entry_country_id'];

$customer_zone_id = $check_country['entry_zone_id'];

tep_session_register('customer_id');

tep_session_register('customer_default_address_id');

tep_session_register('customer_first_name');

tep_session_register('customer_country_id');

tep_session_register('customer_zone_id');

 

tep_db_query("update " . TABLE_CUSTOMERS_INFO . " set customers_info_date_of_last_logon = now(), customers_info_number_of_logons = customers_info_number_of_logons+1 where customers_info_id = '" . (int)$customer_id . "'");

 

// restore cart contents

$cart->restore_contents();

 

if (sizeof($navigation->snapshot) > 0) {

$origin_href = tep_href_link($navigation->snapshot['page'], tep_array_to_string($navigation->snapshot['get'], array(tep_session_name())), $navigation->snapshot['mode']);

$navigation->clear_snapshot();

tep_redirect($origin_href);

} else {

tep_redirect(tep_href_link(FILENAME_DEFAULT));

}

}

}

}

}

 

if ($error == true) {

if ($error_blacklisted == true)

$messageStack->add('login', 'You have been banned from this site. Please contact the shop owner for further details.');

else

$messageStack->add('login', TEXT_LOGIN_ERROR);

}

 

$breadcrumb->add(NAVBAR_TITLE, tep_href_link(FILENAME_LOGIN, '', 'SSL'));

?>

<!doctype html public "-//W3C//DTD HTML 4.01 Transitional//EN">

<html <?php echo HTML_PARAMS; ?>>

<head>

<meta http-equiv="Content-Type" content="text/html; charset=<?php echo CHARSET; ?>">

<title><?php echo TITLE; ?></title>

<base href="<?php echo (($request_type == 'SSL') ? HTTPS_SERVER : HTTP_SERVER) . DIR_WS_CATALOG; ?>">

<link rel="stylesheet" type="text/css" href="stylesheet.css">

<script language="javascript"><!--

function session_win() {

window.open("<?php echo tep_href_link(FILENAME_INFO_SHOPPING_CART); ?>","info_shopping_cart","height=460,width=430,toolbar=no,statusbar=no,scrollbars=yes").focus();

}

//--></script>

</head>

<body marginwidth="0" marginheight="0" topmargin="0" bottommargin="0" leftmargin="0" rightmargin="0">

<!-- header //-->

<?php require(DIR_WS_INCLUDES . 'header.php'); ?>

<!-- header_eof //-->

 

<!-- body //-->

<table border="0" width="100%" cellspacing="0" cellpadding="0">

<tr>

<td width="<?php echo BOX_WIDTH; ?>" valign="top"><table border="0" width="90%" cellspacing="0" cellpadding="0">

<!-- left_navigation //-->

<?php require(DIR_WS_INCLUDES . 'column_left.php'); ?>

<!-- left_navigation_eof //-->

</table></td>

<!-- body_text //-->

<td width="100%" valign="top"><?php echo tep_draw_form('login', tep_href_link(FILENAME_LOGIN, 'action=process', 'SSL')); ?><table border="0" width="100%" cellspacing="0" cellpadding="6">

<tr>

<td><table border="0" width="100%" cellspacing="0" cellpadding="0">

<tr>

<td align="center" class="pageHeading"><?php //echo HEADING_TITLE; ?></td>

<td class="pageHeading" align="right"><?php//echo tep_image(DIR_WS_IMAGES . 'table_background_login.gif', HEADING_TITLE, HEADING_IMAGE_WIDTH, HEADING_IMAGE_HEIGHT); ?></td>

</tr>

</table></td>

</tr>

<tr>

<td><?php echo tep_draw_separator('pixel_trans.gif', '100%', '10'); ?></td>

</tr>

<?php

if ($messageStack->size('login') > 0) {

?>

<tr>

<td><?php echo $messageStack->output('login'); ?></td>

</tr>

<tr>

<td><?php echo tep_draw_separator('pixel_trans.gif', '100%', '10'); ?></td>

</tr>

<?php

}

 

if ($cart->count_contents() > 0) {

?>

<tr>

<td class="smallText"><?php echo TEXT_VISITORS_CART; ?></td>

</tr>

<tr>

<td><?php echo tep_draw_separator('pixel_trans.gif', '100%', '10'); ?></td>

</tr>

<?php

}

?>

<tr>

<td><table border="0" width="100%" cellspacing="0" cellpadding="2">

<tr>

<td class="main" width="50%" valign="top"><b><?php echo HEADING_NEW_CUSTOMER; ?></b></td>

<td class="main" width="50%" valign="top"><b><?php echo HEADING_RETURNING_CUSTOMER; ?></b></td>

</tr>

<tr>

<td width="50%" height="100%" valign="top"><table border="0" width="100%" height="100%" cellspacing="1" cellpadding="2" class="infoBox">

<tr class="infoBoxContents">

<td><table border="0" width="100%" height="100%" cellspacing="0" cellpadding="2">

<tr>

<td><?php echo tep_draw_separator('pixel_trans.gif', '100%', '10'); ?></td>

</tr>

<tr>

<td class="main" valign="top"><?php echo TEXT_NEW_CUSTOMER . '<br><br>' . TEXT_NEW_CUSTOMER_INTRODUCTION; ?></td>

</tr>

<tr>

<td><?php echo tep_draw_separator('pixel_trans.gif', '100%', '10'); ?></td>

</tr>

<tr>

<td><table border="0" width="100%" cellspacing="0" cellpadding="2">

<tr>

<td width="10"><?php echo tep_draw_separator('pixel_trans.gif', '10', '1'); ?></td>

<td align="right"><?php echo '<a href="' . tep_href_link(FILENAME_CREATE_ACCOUNT, '', 'SSL') . '">' . tep_image_button('button_continue.gif', IMAGE_BUTTON_CONTINUE) . '</a>'; ?></td>

<td width="10"><?php echo tep_draw_separator('pixel_trans.gif', '10', '1'); ?></td>

</tr>

</table></td>

</tr>

</table></td>

</tr>

</table></td>

<td width="50%" height="100%" valign="top"><table border="0" width="100%" height="100%" cellspacing="1" cellpadding="2" class="infoBox">

<tr class="infoBoxContents">

<td><table border="0" width="100%" height="100%" cellspacing="0" cellpadding="2">

<tr>

<td colspan="2"><?php echo tep_draw_separator('pixel_trans.gif', '100%', '10'); ?></td>

</tr>

<tr>

<td class="main" colspan="2"><?php echo TEXT_RETURNING_CUSTOMER; ?></td>

</tr>

<tr>

<td colspan="2"><?php echo tep_draw_separator('pixel_trans.gif', '100%', '10'); ?></td>

</tr>

<tr>

<td class="main"><b><?php echo ENTRY_EMAIL_ADDRESS; ?></b></td>

<td class="main"><?php echo tep_draw_input_field('email_address'); ?></td>

</tr>

<tr>

<td class="main"><b><?php echo ENTRY_PASSWORD; ?></b></td>

<td class="main"><?php echo tep_draw_password_field('password'); ?></td>

</tr>

<tr>

<td colspan="2"><?php echo tep_draw_separator('pixel_trans.gif', '100%', '10'); ?></td>

</tr>

<tr>

<td class="smallText" colspan="2"><?php echo '<a href="' . tep_href_link(FILENAME_PASSWORD_FORGOTTEN, '', 'SSL') . '">' . TEXT_PASSWORD_FORGOTTEN . '</a>'; ?></td>

</tr>

<tr>

<td colspan="2"><?php echo tep_draw_separator('pixel_trans.gif', '100%', '10'); ?></td>

</tr>

<tr>

<td colspan="2"><table border="0" width="100%" cellspacing="0" cellpadding="2">

<tr>

<td width="10"><?php echo tep_draw_separator('pixel_trans.gif', '10', '1'); ?></td>

<td align="right"><?php echo tep_image_submit('button_login.gif', IMAGE_BUTTON_LOGIN); ?></td>

<td width="10"><?php echo tep_draw_separator('pixel_trans.gif', '10', '1'); ?></td>

</tr>

</table></td>

</tr>

</table></td>

</tr>

</table></td>

</tr>

</table></td>

</tr>

</table></form></td>

<!-- body_text_eof //-->

 

</tr>

</table>

<!-- body_eof //-->

 

<!-- footer //-->

<?php require(DIR_WS_INCLUDES . 'footer.php'); ?>

<!-- footer_eof //-->

<br>

</body>

</html>

<?php require(DIR_WS_INCLUDES . 'application_bottom.php'); ?>

Share this post


Link to post
Share on other sites
Guest

It will work when sessions are present. When cookies are going through there is no reason for the code to be active. Because the cookie is stored on the visitor's system.

 

So with sessions active, once you add some products to the cart and try to checkout it will cause the visitor to login. Now the login process will generate a new session with the existing products in the cart.

 

Also check that your links from the header, boxes etc. they all preserve the sessions. Meaning no hard-coded links because no matter what, the osc cart requires the sessions to be valid when you change pages and sessions are active.

 

I've tried it with the default osc. Regardless which page you're coming from it will always generate a new session during login and create account.

Share this post


Link to post
Share on other sites
It will work when sessions are present. When cookies are going through there is no reason for the code to be active. Because the cookie is stored on the visitor's system.

 

So with sessions active, once you add some products to the cart and try to checkout it will cause the visitor to login. Now the login process will generate a new session with the existing products in the cart.

 

Also check that your links from the header, boxes etc. they all preserve the sessions. Meaning no hard-coded links because no matter what, the osc cart requires the sessions to be valid when you change pages and sessions are active.

 

I've tried it with the default osc. Regardless which page you're coming from it will always generate a new session during login and create account.

 

 

Sorry it looks to be the "Ultimate SEO URLs contribution"

Share this post


Link to post
Share on other sites

In an effort to solve a problem with multiple customers using the same session I recently turned Recreate Sessions to True, removed a LoginBox contrib and installed this contribution. I'm now seeing some unusual cart behavior with customer who already have an account.

 

Without logging in, a customer adds any number of products to Cart -> Clicks 'Checkout' -> Logs in -> The contents of the cart are dropped. From this point, moving to any non-SSL page appears to log the customer out; the 'Log Off' link is removed. Additionally the cart contents returns to whatever it contained prior to logging in. The session id stays the same from ssl to non-ssl.

 

And for some reason if it's a first-time customer and he/she creates an account instead, the cart contents are maintained correctly and the customer can checkout. The problem only occurs when trying to use an existing account. Changing Recreate Session to False fixes this problem.

 

 

Both my configs are set to define('STORE_SESSIONS', 'mysql');

 

Admin/Config/Sessions are:

 

Session Directory /tmp

Force Cookie Use False

Check SSL Session ID False

Check User Agent False

Check IP Address False

Prevent Spider Sessions True

Recreate Session True (but False at the moment to avoid the problem)

 

Any help would be much appreciated.

Share this post


Link to post
Share on other sites
Guest
In an effort to solve a problem with multiple customers using the same session I recently turned Recreate Sessions to True, removed a LoginBox contrib and installed this contribution. I'm now seeing some unusual cart behavior with customer who already have an account.

 

Without logging in, a customer adds any number of products to Cart -> Clicks 'Checkout' -> Logs in -> The contents of the cart are dropped. From this point, moving to any non-SSL page appears to log the customer out; the 'Log Off' link is removed. Additionally the cart contents returns to whatever it contained prior to logging in. The session id stays the same from ssl to non-ssl.

 

And for some reason if it's a first-time customer and he/she creates an account instead, the cart contents are maintained correctly and the customer can checkout. The problem only occurs when trying to use an existing account. Changing Recreate Session to False fixes this problem.

Both my configs are set to define('STORE_SESSIONS', 'mysql');

 

Admin/Config/Sessions are:

 

Session Directory /tmp

Force Cookie Use False

Check SSL Session ID False

Check User Agent False

Check IP Address False

Prevent Spider Sessions True

Recreate Session True (but False at the moment to avoid the problem)

 

Any help would be much appreciated.

 

Few things I need to know

- PHP version in use?

- Do you have the Register Globals patch installed?

- Are you using a shared SSL or a dedicated one?

- And post your catalog\includes\functions\sessions.php

Share this post


Link to post
Share on other sites
Guest

and one other note. The links on your header do not maintain sessions. Make sure you fix those hard-coded links because that creates problems irrelevant to this contribution.

Share this post


Link to post
Share on other sites

Thank you the reply, here's the info. I've also removed the links from the header.

 

PHP Version 4.4.1

Register Globals patch isn't installed

Shared SSL

 

 

sessions.php:

 

<?php
/*
 $Id: sessions.php,v 1.19 2003/07/02 22:10:34 hpdl Exp $

 osCommerce, Open Source E-Commerce Solutions
 http://www.oscommerce.com

 Copyright (c) 2003 osCommerce

 Released under the GNU General Public License
*/

 if (STORE_SESSIONS == 'mysql') {
if (!$SESS_LIFE = get_cfg_var('session.gc_maxlifetime')) {
  $SESS_LIFE = 1440;
}

function _sess_open($save_path, $session_name) {
  return true;
}

function _sess_close() {
  return true;
}

function _sess_read($key) {
  $value_query = tep_db_query("select value from " . TABLE_SESSIONS . " where sesskey = '" . tep_db_input($key) . "' and expiry > '" . time() . "'");
  $value = tep_db_fetch_array($value_query);

  if (isset($value['value'])) {
	return $value['value'];
  }

  return false;
}

function _sess_write($key, $val) {
  global $SESS_LIFE;

  $expiry = time() + $SESS_LIFE;
  $value = $val;

  $check_query = tep_db_query("select count(*) as total from " . TABLE_SESSIONS . " where sesskey = '" . tep_db_input($key) . "'");
  $check = tep_db_fetch_array($check_query);

  if ($check['total'] > 0) {
	return tep_db_query("update " . TABLE_SESSIONS . " set expiry = '" . tep_db_input($expiry) . "', value = '" . tep_db_input($value) . "' where sesskey = '" . tep_db_input($key) . "'");
  } else {
	return tep_db_query("insert into " . TABLE_SESSIONS . " values ('" . tep_db_input($key) . "', '" . tep_db_input($expiry) . "', '" . tep_db_input($value) . "')");
  }
}

function _sess_destroy($key) {
  return tep_db_query("delete from " . TABLE_SESSIONS . " where sesskey = '" . tep_db_input($key) . "'");
}

function _sess_gc($maxlifetime) {
  tep_db_query("delete from " . TABLE_SESSIONS . " where expiry < '" . time() . "'");

  return true;
}

session_set_save_handler('_sess_open', '_sess_close', '_sess_read', '_sess_write', '_sess_destroy', '_sess_gc');
 }

 function tep_session_start() {
global $HTTP_GET_VARS, $HTTP_POST_VARS, $HTTP_COOKIE_VARS;

$sane_session_id = true;

if (isset($HTTP_GET_VARS[tep_session_name()])) {
  if (preg_match('/^[a-zA-Z0-9]+$/', $HTTP_GET_VARS[tep_session_name()]) == false) {
	unset($HTTP_GET_VARS[tep_session_name()]);

	$sane_session_id = false;
  }
} elseif (isset($HTTP_POST_VARS[tep_session_name()])) {
  if (preg_match('/^[a-zA-Z0-9]+$/', $HTTP_POST_VARS[tep_session_name()]) == false) {
	unset($HTTP_POST_VARS[tep_session_name()]);

	$sane_session_id = false;
  }
} elseif (isset($HTTP_COOKIE_VARS[tep_session_name()])) {
  if (preg_match('/^[a-zA-Z0-9]+$/', $HTTP_COOKIE_VARS[tep_session_name()]) == false) {
	$session_data = session_get_cookie_params();

	setcookie(tep_session_name(), '', time()-42000, $session_data['path'], $session_data['domain']);

	$sane_session_id = false;
  }
}

if ($sane_session_id == false) {
  tep_redirect(tep_href_link(FILENAME_DEFAULT, '', 'NONSSL', false));
}

return session_start();
 }

 function tep_session_register($variable) {
global $session_started;

if ($session_started == true) {
  return session_register($variable);
} else {
  return false;
}
 }

 function tep_session_is_registered($variable) {
return session_is_registered($variable);
 }

 function tep_session_unregister($variable) {
return session_unregister($variable);
 }

 function tep_session_id($sessid = '') {
if (!empty($sessid)) {
  return session_id($sessid);
} else {
  return session_id();
}
 }

 function tep_session_name($name = '') {
if (!empty($name)) {
  return session_name($name);
} else {
  return session_name();
}
 }

 function tep_session_close() {
if (PHP_VERSION >= '4.0.4') {
  return session_write_close();
} elseif (function_exists('session_close')) {
  return session_close();
}
 }

 function tep_session_destroy() {
return session_destroy();
 }

 function tep_session_save_path($path = '') {
if (!empty($path)) {
  return session_save_path($path);
} else {
  return session_save_path();
}
 }


//-MS- Add session regeneration

 function tep_session_regenerate() {

global $SID, $navigation;

if (PHP_VERSION > 4.3) {

  if (STORE_SESSIONS == 'mysql') {

	session_set_save_handler('_sess_open', '_sess_close', '_sess_read', '_sess_write', '_sess_destroy', '_sess_gc');

  }

  session_regenerate_id();

  // set SID once, even if empty

  $SID = (defined('SID') ? SID : '');



  $navigation->update_session();

  return true;

}

return false;

 }

//-MS- Add session regeneration EOM




 function tep_session_recreate() {
if (PHP_VERSION >= 4.1) {


//-MS- Add session regeneration

  if( SESSION_FORCE_COOKIE_USE != 'True' ) {

	if( tep_session_regenerate() )

	  return;

  }

//-MS- Add session regeneration EOM



  $session_backup = $_SESSION;

  unset($_COOKIE[tep_session_name()]);

  tep_session_destroy();

  if (STORE_SESSIONS == 'mysql') {
	session_set_save_handler('_sess_open', '_sess_close', '_sess_read', '_sess_write', '_sess_destroy', '_sess_gc');
  }

  tep_session_start();

  $_SESSION = $session_backup;
  unset($session_backup);
}
 }
?>

Share this post


Link to post
Share on other sites
Guest

seems like the session regeneration is disabled on your store.

Share this post


Link to post
Share on other sites
seems like the session regeneration is disabled on your store.

Recreate Session has been set to False to avoid the problem. Or did you mean something else? Either way, I'll set it to true so you can see what's happending. Thanks for your help.

Share this post


Link to post
Share on other sites
Guest

ok, just tried it. The problem happens because of the session cookie in combination with the shared SSL. If you block all cookies with your browser you will not see the problem. There are a couple of things you could do.

 

Maintain a continuous secure connection for customers who are logged in. If you are ok with this change your catalog\includes\functions\html_output.php

 

Locate this code:

  function tep_href_link($page = '', $parameters = '', $connection = 'NONSSL', $add_session_id = true, $search_engine_safe = true) {
global $request_type, $session_started, $SID;

 

right below it add this:

//-MS- Enforce secure connection for logged in customers
if( tep_session_is_registered('customer_id') ) {
  $connection = 'SSL';
}
//-MS- Enforce secure connection for logged in customers EOM

 

and try it. The result is that as long someone is logged in the secure connection will be active on all pages. Let me know if that works.

Share this post


Link to post
Share on other sites

Yes, with my cookies disabled it works great.

 

I inserted that code into catalog\includes\functions\html_output.php however it wasn't running because of the Ultimate SEO code (below). I disabled SEO and tried the site. The cart contents were maintained but I got alot of 'moving from secure to unsecure' EI prompts.

 

Can the SEO code be modified or is there another way to enable a continues secure connection? Also, are there any disadvantages to a continuous secure connection? Would getting a dedicated SSL help?

 

////
// Ultimate SEO URLs v2.1
// The HTML href link wrapper function
if (SEO_ENABLED == 'true') { //run chemo's code
 function tep_href_link($page = '', $parameters = '', $connection = 'NONSSL', $add_session_id = true, $search_engine_safe = true) {
	global $seo_urls;
			if ( !is_object($seo_urls) ){
					if ( !class_exists('SEO_URL') ){
							include_once(DIR_WS_CLASSES . 'seo.class.php');
					}
					global $languages_id;
					$seo_urls = new SEO_URL($languages_id);
			}
	return $seo_urls->href_link($page, $parameters, $connection, $add_session_id);
 }
} else { //run original code
// The HTML href link wrapper function
 function tep_href_link($page = '', $parameters = '', $connection = 'NONSSL', $add_session_id = true, $search_engine_safe = true) {
global $request_type, $session_started, $SID;


//-MS- Enforce secure connection for logged in customers
if( tep_session_is_registered('customer_id') ) {
  $connection = 'SSL';
}
//-MS- Enforce secure connection for logged in customers EOM

Share this post


Link to post
Share on other sites
Guest

if you put that code portion I mentioned earlier right after this in your function:

 

////
// Ultimate SEO URLs v2.1
// The HTML href link wrapper function
if (SEO_ENABLED == 'true') { //run chemo's code
 function tep_href_link($page = '', $parameters = '', $connection = 'NONSSL', $add_session_id = true, $search_engine_safe = true) {
	global $seo_urls;

 

should not cause problems. Because you could have any script theoretically operate in SSL. Now note this will only be active for logged-in customers. So other visitors will see the regular HTML pages.

 

Ok right now for the images I use this part in the same function to get rid of the problem. I placed it right when the $link var is generated.

 

	$check_pages = array('vvc_display.php', 'popup_image.php');
if( in_array($page, $check_pages) && $request_type == 'SSL' ) {
  $link = HTTPS_SERVER . DIR_WS_HTTPS_CATALOG;
}

 

So if you're using thumbnails it should take care of that as long the script that is used to generate the thumbnails is included with the array. (if you need the proper location to place this code you may have to post the entire tep_href_link function although if you check the original osc file should be obvious where to set it).

 

Finally I did few other changes because my store also operates with a shared SSL. The problem is you have to maintain 2 separate cookies if the browser does not block them. One cookie for SSL the other for NONSSL. Now if you're a visitor you use the NONSSL you add items to the cart, then you click checkout. At this point with a shared server there is a transition to a different server. The secure one. So I have no way of sending another cookie to the browser to update the NONSSL end. As long as you maintain the secure connection till the customer logs-out you should be ok.

 

Try this lets see how it goes. Also backup your files when you do these mods.

Edited by enigma1

Share this post


Link to post
Share on other sites

With the code positioned as below I get 404s from all of the product and category links. Looks like the site is looking for html pages on the secure server and not finding them. Links look like "https://xxx.ipowerweb.com/xxx/catalog/swap-magic-c-81.html".

 

 

////
// Ultimate SEO URLs v2.1
// The HTML href link wrapper function
if (SEO_ENABLED == 'true') { //run chemo's code
 function tep_href_link($page = '', $parameters = '', $connection = 'NONSSL', $add_session_id = true, $search_engine_safe = true) {
	global $seo_urls;

//-MS- Enforce secure connection for logged in customers
if( tep_session_is_registered('customer_id') ) {
  $connection = 'SSL';
}
//-MS- Enforce secure connection for logged in customers EOM

			if ( !is_object($seo_urls) ){
					if ( !class_exists('SEO_URL') ){
							include_once(DIR_WS_CLASSES . 'seo.class.php');
					}
					global $languages_id;
					$seo_urls = new SEO_URL($languages_id);
			}
	return $seo_urls->href_link($page, $parameters, $connection, $add_session_id);
 }

Share this post


Link to post
Share on other sites
Guest

something is missing from the url its the ~rev****** why is missing? Perhaps is the configure.php file if you have the secure server set with the path may explain it. Make sure in the configure.php you have the server/domain definitions with just that servers and domains and all paths go to the path definitions.

Share this post


Link to post
Share on other sites
something is missing from the url its the ~rev****** why is missing? Perhaps is the configure.php file if you have the secure server set with the path may explain it. Make sure in the configure.php you have the server/domain definitions with just that servers and domains and all paths go to the path definitions.

The server and account names are in the links and the paths appear to be correct, I just changed them to Xs for posting here. I believe the paths are set correctly in the both configure.php.

 

To clarify my last post, I only get 404s from all of the product and category links; anything SEO changes to html. Everything else, such as the information box links, shopping_cart, account, etc work and are in SSL.

Share this post


Link to post
Share on other sites

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now
Sign in to follow this  

×