baronmunchowsen Posted September 20, 2006

I realise that my post may not be too useful. Here are further details of the way my store is configured:

in configure.php:
define('STORE_SESSIONS', 'mysql'); // leave empty '' for default handler or set to 'mysql'

in Configuration->Cache
Use Cache: false
Cache Directory: /tmp/

in Configuration->Sessions
Session Directory: /tmp
Force Cookie Use: False
Check SSL Session ID: False
Check User Agent: False
Check IP Address: False
Prevent Spider Sessions: True
Recreate Session: False

I'm on shared hosting and register_globals is on. PHP Version 4.4.2. Happy to provide further details.

Also, the osCsid NEVER disappears from my URL string, no matter how many 'clicks'. I must say I'm surprised that no-one has offered a satisfactory fix to this. This kind of thing is really embarrassing to deal with when you have to call a customer and say 'I think our cart messed up'.
msrichard Posted September 20, 2006

Hi,

I had the problem of customer records getting mixed up. I've pretty much concluded it was because a session id was in a link to my site on someone else's site that a customer was using to tell others about one of my products. To avoid this happening again, I want to remove the session id from my URL when possible.

From what I read on the forums, the session id should be gone after a couple of clicks if cookies are enabled in the customer's browser. I have cookies enabled in my browser and I am still getting the session id in the URL. They do not disappear after a few clicks. I have searched the forums and the best I can tell is there is something wrong with my cookie settings in the configure file. Below are my settings. If anyone sees a problem below or if they know of something else I must do please let me know. I am using shared SSL.

My includes/configure.php file:
define('HTTP_SERVER', 'http://www.frameknitting.com');
define('HTTPS_SERVER', 'https://frameknitting.com');
define('ENABLE_SSL', true); // secure webserver for checkout procedure?
define('HTTP_COOKIE_DOMAIN', 'www.frameknitting.com');
define('HTTPS_COOKIE_DOMAIN', 'frameknitting.com');
define('HTTP_COOKIE_PATH', '/');
define('HTTPS_COOKIE_PATH', '/');
define('DIR_WS_HTTP_CATALOG', '/');
define('DIR_WS_HTTPS_CATALOG', '/');
define('DIR_WS_IMAGES', 'images/');
define('DIR_WS_ICONS', DIR_WS_IMAGES . 'icons/');
define('DIR_WS_INCLUDES', 'includes/');
define('DIR_WS_BOXES', DIR_WS_INCLUDES . 'boxes/');
define('DIR_WS_FUNCTIONS', DIR_WS_INCLUDES . 'functions/');
define('DIR_WS_CLASSES', DIR_WS_INCLUDES . 'classes/');
define('DIR_WS_MODULES', DIR_WS_INCLUDES . 'modules/');
define('DIR_WS_LANGUAGES', DIR_WS_INCLUDES . 'languages/');
define('DIR_WS_DOWNLOAD_PUBLIC', 'pub/');
define('DIR_FS_CATALOG', dirname($HTTP_SERVER_VARS['SCRIPT_FILENAME']));
define('DIR_FS_DOWNLOAD', DIR_FS_CATALOG . 'download/');
define('DIR_FS_DOWNLOAD_PUBLIC', DIR_FS_CATALOG . 'pub/');

Both of my configure files have:
define('STORE_SESSIONS', 'mysql');

SESSION SETTINGS
session directory /tmp
force cookie use false
check ssl session id false
check user agent false
check IP address false
prevent spider sessions true
recreate session false

Thanks,
Marla
baronmunchowsen Posted September 20, 2006

I just heard from my client in regard to the jumbled up addresses. They have let me know that no link has been given out to the site with an osCid variable in the hyperlink, such as:

catalog/index.php?cPath=22&osCsid=c97d045b48d2c572e03948637feb9d7b

So it would seem that jumbled up addresses are not a result of multiple users using a link with a session id in it???
dittones Posted September 20, 2006

Baron... Do you have caching on and using a shared server? If you have it turned on, you may try turning it off and see if that corrects the problem.

Good luck
Roman
baronmunchowsen Posted September 20, 2006

> Baron... Do you have caching on and using a shared server? If you have it turned on, you may try turning it off and see if that corrects the problem.
> Good luck
> Roman

Hi Roman,

Thanks. I am on a shared server. I have always had the following settings in Configuration->Cache
Use Cache false
Cache Directory /tmp/

Are these the cache settings you refer to?

Thanks
dittones Posted September 20, 2006

Baron... Yes...

define('HTTP_COOKIE_PATH', '/');
define('HTTPS_COOKIE_PATH', '/');
define('DIR_WS_HTTP_CATALOG', '/');
define('DIR_WS_HTTPS_CATALOG', '/');

I have my setting as such....

define('HTTP_COOKIE_PATH', '/storename/');
define('HTTPS_COOKIE_PATH', '/storename/');
define('DIR_WS_HTTP_CATALOG', '/storename/');
define('DIR_WS_HTTPS_CATALOG', '/storename/');

Where storename is the dir name that I have my osCommerce files in...

Roman
baronmunchowsen Posted September 20, 2006

> Baron... Yes...
> define('HTTP_COOKIE_PATH', '/');
> define('HTTPS_COOKIE_PATH', '/');
> define('DIR_WS_HTTP_CATALOG', '/');
> define('DIR_WS_HTTPS_CATALOG', '/');
> I have my setting as such....
> define('HTTP_COOKIE_PATH', '/storename/');
> define('HTTPS_COOKIE_PATH', '/storename/');
> define('DIR_WS_HTTP_CATALOG', '/storename/');
> define('DIR_WS_HTTPS_CATALOG', '/storename/');
> Where storename is the dir name that I have my osCommerce files in...
> Roman

To clarify: if my store is www.mystore.com/catalog the values should be:

define('HTTP_COOKIE_PATH', '/catalog/');
define('HTTPS_COOKIE_PATH', '/catalog/');
define('DIR_WS_HTTP_CATALOG', '/catalog/');
define('DIR_WS_HTTPS_CATALOG', '/catalog/');

in the configure file, and the cache settings in the admin should stay the same as they are?

Thanks
dittones Posted September 20, 2006

Baron... Yes... I have renamed catalog to my store name... cleaner... Good for SE.

Roman
baronmunchowsen Posted September 20, 2006

> Baron... Yes... I have renamed catalog to my store name... cleaner... Good for SE.
> Roman

catalog/includes/configure.php changed to:

define('HTTP_COOKIE_DOMAIN', '/catalog/');
define('HTTPS_COOKIE_DOMAIN', '/catalog/');
define('HTTP_COOKIE_PATH', '/catalog/');
define('HTTPS_COOKIE_PATH', '/catalog/');

osCid still stays there after many many clicks. Any further suggestions for how to remove osCid strings (which will then hopefully remedy the problem of the mismatching customer addresses)?

Thanks,
baronmunchowsen Posted September 20, 2006

> catalog/includes/configure.php changed to:
> define('HTTP_COOKIE_DOMAIN', '/catalog/');
> define('HTTPS_COOKIE_DOMAIN', '/catalog/');
> define('HTTP_COOKIE_PATH', '/catalog/');
> define('HTTPS_COOKIE_PATH', '/catalog/');
> osCid still stays there after many many clicks. Any further suggestions for how to remove osCid strings (which will then hopefully remedy the problem of the mismatching customer addresses)?
> Thanks,

For anyone else out there, this is how to do it:

define('HTTP_COOKIE_DOMAIN', 'www.mysite.com');
define('HTTPS_COOKIE_DOMAIN', 'www.mysite.com');
define('HTTP_COOKIE_PATH', '/catalog/');
define('HTTPS_COOKIE_PATH', '/catalog/');

Now time will tell if the jumbled-orders problem will raise its ugly head.
♥Monika in Germany Posted September 20, 2006

Marla, I suggest the following setting for a shared server:

define('HTTP_COOKIE_DOMAIN', '.frameknitting.com');
define('HTTPS_COOKIE_DOMAIN', '.frameknitting.com');

:-)
Monika

addicted to writing code ... can't get enough of databases either, LOL!
my toolbox: Textpad - Compare and Merge - phpMyAdmin - WS_FTP - Photoshop - How to search the forum
Interactive Media Award July 2007 ~ category E-Commerce
my advice on the forum is for free, PMs where you send me work are considered consultation which I charge for ...
boxtel Posted September 20, 2006

> catalog/includes/configure.php changed to:
> define('HTTP_COOKIE_DOMAIN', '/catalog/');
> define('HTTPS_COOKIE_DOMAIN', '/catalog/');
> define('HTTP_COOKIE_PATH', '/catalog/');
> define('HTTPS_COOKIE_PATH', '/catalog/');
> osCid still stays there after many many clicks. Any further suggestions for how to remove osCid strings (which will then hopefully remedy the problem of the mismatching customer addresses)?
> Thanks,

Whether the session id is stored in a cookie or attached to the URL is of no consequence.

Treasurer MFC
boxtel Posted September 20, 2006

> Whether the session id is stored in a cookie or attached to the URL is of no consequence.

To explain: if you go to a site with:

www.domain.com/?osCsid=rod3d123saoupn0oejktubiig3

then even if that session no longer exists on your system, files or database, that session id is created and used by osC. Basically, you get the session id you ask for.

So if you have a link like that circulating in emails or websites or SE indexes, the first who clicks it will re-create that session and the next will share it.

But whether that session id is subsequently stored in a cookie and disappears from the URL, or if it remains attached because cookies are not set, is of little consolation, as it only pertains to where it is stored and not what it contains.

The only way to prevent this from happening is, if a session id is attached to the URL, check if that session is active on your system. This by either checking if the session file exists (file based sessions) or if an entry in the session table exists (mysql based sessions) for that id. If it does, proceed; if it does not, disregard the attached session id and force a new one.

Treasurer MFC
msrichard Posted September 20, 2006

> Marla, I suggest the following setting for a shared server:
> define('HTTP_COOKIE_DOMAIN', '.frameknitting.com');
> define('HTTPS_COOKIE_DOMAIN', '.frameknitting.com');

Monika,

I tried your suggestion. It did get rid of the session id, except when checking out. However, it created 2 problems.

1) Whatever I had in the cart was lost when signing in for checkout.
2) If the customer switched back to a nonsecure area after signing in they lost what was in their cart and would have to sign in again to check out.

Any other suggestions?

Thanks,
Marla
♥Monika in Germany Posted September 20, 2006

> Monika,
> I tried your suggestion. It did get rid of the session id, except when checking out. However, it created 2 problems.
> 1) Whatever I had in the cart was lost when signing in for checkout.
> 2) If the customer switched back to a nonsecure area after signing in they lost what was in their cart and would have to sign in again to check out.
> Any other suggestions?
> Thanks,
> Marla

hmmmmm ... I use this in all my shops. Can you post your session settings from admin->configuration?

:-)
Monika
msrichard Posted September 20, 2006

> hmmmmm ... I use this in all my shops. Can you post your session settings from admin->configuration?

Monika,

Here are my SESSION SETTINGS
session directory /tmp
force cookie use false
check ssl session id false
check user agent false
check IP address false
prevent spider sessions true
recreate session false

Marla
msrichard Posted September 20, 2006

> hmmmmm ... I use this in all my shops. Can you post your session settings from admin->configuration?

Monika,

Also here are my cache settings:
Use Cache false
Cache Directory /tmp/

Marla
♥Monika in Germany Posted September 20, 2006

> Monika,
> Also here are my cache settings:
> Use Cache false
> Cache Directory /tmp/
> Marla

Both of those look fine. I looked at your store though; the info you gave me for the configure.php is obviously incorrect for SSL. I cannot help that way. Shared SSL for hostexcellence needs completely different treatment.

:-)
Monika
optic Posted October 6, 2006

You would think this would be resolved quickly by the OSC team. Where is this patch that I am reading about?

Many of my customers expressed concern that their personal information was accessible by other customers; whether intentional or an error with OSC is beside the point. They don't want to hear our excuse on the problem, they want to know that their personal information is secure and only the store owner can access it. Not by someone who posted up some link which happened to include the session ID. That is a serious breach of security, and one that should have been corrected immediately.

- O
exbabylon Posted October 23, 2006

Still having this problem!! Do we have any idea what's going on here?
exbabylon Posted October 23, 2006

I've been doing some further research and have example orders which are getting mixed up, if an expert could make use of them to get things fixed. I cannot post them on the open board due to privacy issues. Even if I have to pay someone to resolve this issue, I am willing to do so. So please, if anyone has had this problem, got it resolved, or knows someone who did/does/or might be able to get it resolved, please send them my way.

My cell number is: 509.671.0439
The office number is: 509.447.0440
My email address is [email protected].

Thank you,
Alex Stanton
Project Director
Exbabylon IT Solutions
Guest Posted October 23, 2006

One thing I've seen, that doesn't appear to have been mentioned here, is that I've had occasional (perhaps session related) address book entries from user2 overwrite the address book database record for user1. In other words, if you find user1's customer_id, then look up the address_book entry for that same customer_id, you might find it's the wrong person. I've manually fixed them in the database a few times; I haven't tracked down the root cause of that particular problem.

-jared
exbabylon Posted October 25, 2006

We're getting an increase in merged orders as the days go on, and I'm desperate to figure this out. I have exhausted my resources and ability in this matter, and need help. Please, if anyone knows what's going on with this and is willing to fix it, I AM WILLING TO PAY WELL.

Thank you,
Alex Stanton
solutionbuilt Posted December 28, 2006

Frustratingly, I have begun my own personal search to resolve this issue. However, my attempts have been unsuccessful until now.

osC uses classes->sessions.php to manage all sessions. Based on what was mentioned before, I thought it would be great if the sessions.php file would check to see if the user was being sent by an external site and therefore create a unique session for them. Soon I began scouring through sessions.php and discovered that the file already has this function built into it! However, this check is based on the referer_check variable. Which, on line 21, I discover is set to false!! There's no admin switch for this and it comes disabled by default. :blink: :angry:

Change this:
[21] var $referer_check = false;

To this:
[21] var $referer_check = true;

Needless to mention, this is very agitating. Especially since one of my clients is now experiencing this issue. I'm presuming an external link is now widely available and is now causing problems with the checkout process.

Refer to the following found in session.php:

[393]// Check whether the current request was referred to by
[394]// an external site which invalidates the previously found ID
[395]    if ( (!empty($session->id)) && ($session->referer_check) ) {
[396]      $url = parse_url($GLOBALS['HTTP_REFERER']);
[397]      if (trim($url['host']) != $GLOBALS['SERVER_NAME']) {
[398]        unset($session->id);
[399]        $send_cookie = true;
[400]        $define_sid = true;
[401]      }
[402]    }
[403]
[404]// Do we have an existing session ID?
[405]    if (empty($session->id)) {
[406]// Create new session ID
[407]      $session->id = _session_create_id();
[408]    }

As you can notice, lines 395-402 will not run if $session->referer_check is set to false. *sigh* :blink:
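The two defences raised in this thread, boxtel's "only accept a URL session id that is actually active on the server" and solutionbuilt's referer check from sessions.php, can be combined into one decision before any incoming osCsid is adopted. The script below is an added example written for this thread; it is not osCommerce's sessions.php and not any poster's code. It assumes the mysql session table layout `sessions(sesskey, expiry, value)` that osCommerce's mysql session handler uses, stands that table in with an in-memory SQLite database so it runs offline, and uses a constructed "live" id and a constructed stale id rather than any real store data. The function and variable names (`choose_session_id`, `referer_is_local`, and so on) are this example's own.

```php
<?php
// Added example: decide which session id to use for a request. Not osCommerce code.
// Assumes an osCommerce-style session table `sessions(sesskey, expiry, value)`;
// the SQLite in-memory database below is a constructed stand-in for MySQL.
declare(strict_types=1);

function sid_is_well_formed(string $sid): bool
{
    // PHP 4/5-era session ids are 32 lowercase hex characters; anything else is rejected
    // before it ever reaches the database, so a crafted id cannot be "asked for".
    return (bool) preg_match('/^[a-f0-9]{32}$/', $sid);
}

function sid_is_active(PDO $db, string $sid, int $now): bool
{
    // boxtel's check: the id must exist in the session table and not be expired.
    $stmt = $db->prepare('SELECT 1 FROM sessions WHERE sesskey = :k AND expiry > :now');
    $stmt->execute([':k' => $sid, ':now' => $now]);
    return $stmt->fetchColumn() !== false;
}

function referer_is_local(?string $referer, string $serverName): bool
{
    // The referer_check branch quoted above: an id arriving via a link on another
    // host is not trusted. No referer at all (typed URL, bookmark) is treated as local,
    // because a missing header is the normal case and carries no foreign id.
    if ($referer === null || $referer === '') {
        return true;
    }
    $host = parse_url($referer, PHP_URL_HOST);
    return is_string($host) && strcasecmp($host, $serverName) === 0;
}

function choose_session_id(PDO $db, array $get, array $cookie, ?string $referer,
                           string $serverName, int $now): array
{
    // The cookie is preferred over the URL parameter; each candidate must be
    // well-formed and active, and a URL id must also pass the referer check.
    $candidates = [];
    if (isset($cookie['osCsid'])) { $candidates[] = ['cookie', (string) $cookie['osCsid']]; }
    if (isset($get['osCsid']))    { $candidates[] = ['url',    (string) $get['osCsid']]; }

    foreach ($candidates as [$source, $sid]) {
        if (!sid_is_well_formed($sid))                               { continue; }
        if ($source === 'url' && !referer_is_local($referer, $serverName)) { continue; }
        if (!sid_is_active($db, $sid, $now))                         { continue; }
        return ['id' => $sid, 'source' => $source];
    }
    // Nothing acceptable: mint a fresh random id instead of adopting the caller's.
    return ['id' => bin2hex(random_bytes(16)), 'source' => 'new'];
}

// --- constructed demo data (not a real store's sessions) ---
$db = new PDO('sqlite::memory:');
$db->exec('CREATE TABLE sessions (sesskey TEXT PRIMARY KEY, expiry INTEGER, value TEXT)');
$now   = 1158700000;                 // arbitrary "current time"
$live  = str_repeat('a', 32);        // an active session
$stale = str_repeat('b', 32);        // an id that is no longer in the table
$ins = $db->prepare('INSERT INTO sessions VALUES (:k, :e, :v)');
$ins->execute([':k' => $live, ':e' => $now + 1440, ':v' => '']);

$store = 'www.mystore.example';

// 1. Stale id in a link from another site: rejected, fresh id issued.
$r1 = choose_session_id($db, ['osCsid' => $stale], [], 'http://www.domain.example/', $store, $now);
// 2. Live id in a link from another site: rejected by the referer check.
$r2 = choose_session_id($db, ['osCsid' => $live], [], 'http://www.domain.example/', $store, $now);
// 3. Live id in a link on the store's own pages: accepted.
$r3 = choose_session_id($db, ['osCsid' => $live], [], 'http://www.mystore.example/index.php', $store, $now);
// 4. Live id in the cookie: accepted regardless of referer.
$r4 = choose_session_id($db, [], ['osCsid' => $live], null, $store, $now);

foreach ([$r1, $r2, $r3, $r4] as $i => $r) {
    printf("case %d: source=%s id=%s\n", $i + 1, $r['source'], $r['id']);
}
```

The point the thread circles around is visible in case 1 versus case 3: with the existence check in place, the first visitor to click a stale shared link no longer re-creates that session, so the second visitor has nothing to inherit, and this holds whether the id later moves into a cookie or stays in the URL. One caveat for stores like Marla's that serve pages under two hostnames (plain www and a shared-SSL name): the referer check compares the host exactly, so both names need to count as local or a customer crossing from one to the other will lose the URL session id, which is exactly the cart-loss symptom at checkout that the thread reports.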
MSP Posted December 29, 2006

Interesting find. I'll make these changes and report back in the future.

Thanks
Jesse