Remove osCommerce Session ID without Forcing Cookie Use


Vger

Experienced users will know that osCommerce, even without 'Force Cookie Use' will stop displaying the osCommerce session id within one or two clicks of landing on a website - but this period is enough time for a Search Engine to generate a session id, unless it is listed in includes/spiders.txt and 'Prevent Spider Sessions' is set to 'true' in osCommerce admin.

 

This tip is a workaround for that. Unfortunately, like Force Cookie Use it won't work with a shared ssl - which would have yielded the greatest benefits to people. However, it has been tested online and offline on the latest version of osCommerce using no SSL and full SSL.

 

Agh! But experienced users will say "If we use no SSL or full SSL then we can turn on Force Cookie Use and get rid of the session id that way - so what use is this?". The answer is that not everyone will want to turn on Force Cookie Use because it will cost them a few customers here and there.

 

Okay, that's the reasoning, so what's the fix?

 

If your site is hosted on an Apache server with Mod Rewrite enabled you should be able to install Chemo's "Ultimate SEO URL's" contribution. With one minor edit, to one file, this will allow you to remove the session id from the address bar.

 

In the modification for Ultimate SEO URL's to includes/functions/html_output.php you'll find this piece of code:

$add_session_id = true

and you change it to:

$add_session_id = false

 

The session id does appear in the sessions table in the database, but not in the page address.

 

Remember, if tempted to use this.

 

1. It doesn't work with shared SSL!

2. It doesn't work on Windows servers (because Ultimate SEO URL's doesn't work on Windows servers)

3. Apache servers must have Mod Rewrite enabled

4. You must, of course, install Ultimate SEO URL's, with the minor code alteration

 

Vger

Link to comment
Share on other sites

  • 2 weeks later...

Hi Vger,

I just installed Ultimate SEO urls v21da and get this message when I go to my store:

Fatal error: Call to a member function on a non-object in /var/www/html/includes/header.php on line 14

 

Any thoughts?

 

Thanks

Link to comment
Share on other sites

Hi Again,

Another problem: when in Admin, after clicking on "Categories" I get this message:

 

1054 - Unknown column 'cd.categories_seo_url' in 'field list'

 

select c.categories_id, cd.categories_name, cd.categories_seo_url, c.categories_image, c.parent_id, c.sort_order, c.date_added, c.last_modified from categories c, categories_description cd where c.parent_id = '0' and c.categories_id = cd.categories_id and cd.language_id = '1' order by c.sort_order, cd.categories_name

 

 

I forgot to mention that I have STSv4.3.3 on a new install of osc 2.2MS2

 

Thank You

Link to comment
Share on other sites

Sorry, I didn't see your last post before I posted again. I am on Apache + MOD with a full SSL. I suspect I need to make some additions to the SQL Database?

 

Hope you had a nice Holiday.

Link to comment
Share on other sites

I went in to Admin>Configurations and SEO URLs in there. There are a lot of settings set already. The only change I made was enabling the cPath from False to True. So that I'm not bothering you, do you know of a support thread where no doubt these questions have already been addressed?

 

Marion

Link to comment
Share on other sites

Ultimate SEO URL's installs itself as soon as the site is launched following the install. However, it rewrites 'on the fly' so makes no change to the database and for this reason you shouldn't be getting the error you are getting. Back to my earlier point - it looks as though you haven't installed it correctly.

 

Unfortunately the person who wrote this great contribution is banned from the forums. There may be an official support thread for it but as to who would be responsible now for answering questions on it I don't know.

 

Vger

Link to comment
Share on other sites

I'm considering un-installing it. But first I will post a topic to see if I can get some advice concerning the header.php error. Since I overwrote some files, I wonder if I have to un-install all of osc?

 

Please No

Link to comment
Share on other sites

Vger, search engines have definitely picked up my osCid and I'd like to get rid of it. However, I don't really understand what this mod does. I see from the code that the session id will no longer be appended to the $link (url) but what are the implications of this? How does the session id get properly carried forward for users if this is turned off?

 

Thanks!

Link to comment
Share on other sites

Sorry, just to add to this. I disabled cookies and set all instances of $add_session_id to false and then oscommerce stops working. You can't add products to the shopping cart anymore. Did I do something wrong, or is this just a mod to force the use of cookies?

Link to comment
Share on other sites

Sorry - I made a mistake. I thought this mod just removed the session id from the address bar - but what it is actually doing is removing it completely and so forcing cookie use via another method.

 

Back to the drawing board!

 

Vger

Link to comment
Share on other sites

How to remove session ID appended URLs from the search engine index

Link to comment
Share on other sites

  • 9 months later...
Rhea

 

Have you managed to come up with a solution? I have Ultimate SEO URL's installed, but need to get rid of the oscsid.

Link to comment
Share on other sites

  • 2 months later...
  • 5 months later...

Hi guys.

 

I found something that seemed to work perfectly for me, and now I don't see the oscID unless cookies are disabled in my browser.

Here is the post I found that helped me out:

Right guys,

 

Not 100% up to speed on this yet but after reaching 99% I did do a couple of celebratory laps of the sitting room!! Yes, the sitting room is where I get most of the proper work done - I spent all day at the shop just sorting out orders, replying to probably dead end e-mails and the rest of the standard shop work!! How I am ever going to compete with Amazon I will never know!

 

Still the major breakthrough has been made, only one potential problem left which I will mention at the end.

 

Ok, Sessions.....

 

It would appear to me that a very large number of users do not have OScommerce configured correctly (including myself). I assumed that every user was issued a (visible) session ID. All the OScommerce sites I had visited, and that is a lot of sites since I have been working on mine, have issued me with a session ID in the URL. Now, this does not need to happen so long as cookies are enabled on the user's browser. The 2.2 ms version of OScommerce (don't know about previous versions) is very clever.... Once a new customer visits your site, OSc will try to reply to the customer with cookies enabled, if it does not receive the response it wants, ie cookies are disabled, then and only then will it assign the user a session ID.

 

This make sense so far? It took me some bl**dy working out.

 

Now, knowing that generally speaking sessions are a bad idea security wise for your site/customers (they are open to abuse if another user can access the same open session), OSc will use cookies when it can. You know it is using cookies when the URL does not contain a reet big long OSCid number.

 

So, what are the correct settings for your config file, I hear you ask!

 

Well, mine is now,

 

define('HTTP_SERVER', 'http://www.mydomain.co.uk'); // eg, http://localhost - should not be empty for productive servers
define('HTTPS_SERVER', 'https://www.mydomain.co.uk'); // eg, https://localhost - should not be empty for productive servers
define('ENABLE_SSL', true); // secure webserver for checkout procedure?
define('HTTP_COOKIE_DOMAIN', 'mydomain.co.uk');
define('HTTPS_COOKIE_DOMAIN', 'mydomain.co.uk');
define('HTTP_COOKIE_PATH', '/');
define('HTTPS_COOKIE_PATH', '/');

 

And all appears well. I would say things get a little more confusing if you are on a shared SSL but if anyone's interested I could probably find and post the answers here later (when I get a spare five minutes!)

 

OK, so to summarise so far, if, in your admin you have FORCE COOKIE USE set to FALSE, any users with cookies enabled should see a nice short URL and if the customer has cookies disabled they will see a chuffing great long URL with a session id tagged on the end.

 

So going back to my original post about how to set up the SESSIONS in admin, I guess it's better to not set FORCE COOKIE USE to true, as this will certainly prevent AOL users, amongst others, from accessing your shop (Cheers Rhea for that pointer).

 

Everything I have read indicates that PREVENT SPIDER SESSIONS must be set to TRUE as a matter of security.

 

As far as the rest of the settings go, not sure yet!! Will try and do a bit more reading.

 

If I am going over old ground for you experienced hands, please put me out of my misery and save me a bit of time by letting me know the best set up!

 

 

Right, after creating the world's longest post tonight I think I am going to clear off to bed - The only thing left to explain is why I have not implemented these new settings on my site. Well, it all boils down to my old friend the HSBC secure e-payments!! I have hard coded (I think that's the correct techie term) a session id into the return post from the HSBC site, Doh!! It was the only way I could get it working at the time. Now, how this is going to be affected by using cookies I am not quite sure and am certainly not prepared to think about or try to change after a half a bottle of Johnny Walker - That's a job for another day (when I get another spare five minutes).

 

Cheers for now.

Richard.

 

Regards

 

Itai

Link to comment
Share on other sites
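
An added example, not part of the original thread or of osCommerce: a Python audit of web server access logs for the two risks discussed above, a crawler being handed an osCsid or PHPSESSID in the URL, and one URL-borne session id being presented by more than one client. The log lines are constructed, and the crawler markers are an assumed stand-in for the contents of includes/spiders.txt.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit, parse_qs

# Constructed sample lines in Apache combined log format (not real traffic).
SAMPLE_LOG = """\
203.0.113.5 - - [10/Jan/2006:10:00:01 +0000] "GET /index.php?osCsid=aaa111 HTTP/1.1" 200 512 "-" "Mozilla/5.0 (compatible; Googlebot/2.1)"
198.51.100.7 - - [10/Jan/2006:10:05:00 +0000] "GET /product_info.php?products_id=3&osCsid=bbb222 HTTP/1.1" 200 900 "-" "Mozilla/4.0 (compatible; MSIE 6.0)"
198.51.100.9 - - [10/Jan/2006:10:07:30 +0000] "GET /shopping_cart.php?osCsid=bbb222 HTTP/1.1" 200 700 "http://search.example/?q=widgets" "Mozilla/5.0 Firefox/1.5"
192.0.2.44 - - [10/Jan/2006:10:09:12 +0000] "GET /conditions.php HTTP/1.1" 200 300 "-" "Mozilla/5.0 Firefox/1.5"
192.0.2.50 - - [10/Jan/2006:10:11:00 +0000] "GET /index.php?PHPSESSID=ccc333 HTTP/1.1" 200 512 "-" "Slurp"
"""

LINE_RE = re.compile(
    r'^(\S+) \S+ \S+ \[[^\]]+\] "(?:GET|POST|HEAD) (\S+) [^"]*" '
    r'\d{3} \S+ "[^"]*" "([^"]*)"'
)
SESSION_PARAMS = ("osCsid", "PHPSESSID")
# Assumed stand-in for the user-agent fragments listed in includes/spiders.txt.
SPIDER_MARKERS = ("googlebot", "slurp", "msnbot")

def audit(log_text):
    """Return (spider_hits, shared_ids) for session ids carried in URLs."""
    spider_hits = []               # (ip, session id) requested by a crawler
    ips_by_sid = defaultdict(set)  # session id -> client IPs presenting it
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue               # skip lines that are not combined-format
        ip, target, agent = m.groups()
        query = parse_qs(urlsplit(target).query)
        for name in SESSION_PARAMS:
            for sid in query.get(name, []):
                ips_by_sid[sid].add(ip)
                if any(s in agent.lower() for s in SPIDER_MARKERS):
                    spider_hits.append((ip, sid))
    shared = {sid: sorted(ips) for sid, ips in ips_by_sid.items() if len(ips) > 1}
    return spider_hits, shared

if __name__ == "__main__":
    spiders, shared = audit(SAMPLE_LOG)
    for ip, sid in spiders:
        print(f"crawler {ip} was issued a URL session id: {sid}")
    for sid, ips in shared.items():
        print(f"session id {sid} presented by several clients: {', '.join(ips)}")
```

Several IPs on one session id can also be a single customer behind a rotating proxy, so treat a shared id as a lead to check against the sessions table, not as proof of reuse.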

  • 4 weeks later...
hello Vger,

I have changed osCsid but there is a problem: the PHPSESSID appears in the URL. So if you have any idea about it please send it to me early. Thanks.

Link to comment
Share on other sites

  • 2 weeks later...

Hi Vger, I noticed sometimes conditions.php is still showing a session id

 

conditions.php?osCsid=c8scnaatceka50og6qvvu0aic3

Link to comment
Share on other sites

This is from the author:

 

Sorry - I made a mistake. I thought this mod just removed the session id from the address bar - but what it is actually doing is removing it completely and so forcing cookie use via another method.

 

Back to the drawing board!

 

Vger

 

 

 

So it's a far better solution to just go into your shop admin and under configuration >> sessions simply set force cookies to true

Link to comment
Share on other sites

  • 8 months later...

 

Although clever, this does not work with SEO URLs, it just creates a standard link creating duplicates in Google's catalog...

Most Valuable OsCommerce Contributions:

Also Purchased (AP) Preselection (cuts this resource hogging query down to nothing) -- Contribution 3294

FedEx Automated Labels -- Contribution 2244

RMA Returns system -- Contribution 1136

Sort Products By Dropdown -- Contribution 4312

Ultimate SEO URLs -- Contribution 2823

Credit Class & Gift Voucher -- Contribution 282

Cross-Sell -- Contribution 5347

Link to comment
Share on other sites

  • 4 weeks later...
So what solution should be used with ULTIMATE SEO???

 

ImI

Link to comment
Share on other sites

Archived

This topic is now archived and is closed to further replies.
