[Contribution] Googlebot/Spider session id killer


Ian

However, I have discovered a problem with this code in html_output.php:

 

if ($HTTP_GET_VARS['language'] && $kill_sid) {
  if (tep_not_null($parameters)) {
    $parameters = ereg_replace("[&]language=[a-z][a-z]", "", $parameters);
  }
  if (tep_not_null($parameters)) {
    $parameters .= "&language=" . $HTTP_GET_VARS['language'];
  } else {
    $parameters = "language=" . $HTTP_GET_VARS['language'];
  }
}

 

Rather than just replacing the language/en, it is adding the new language string, e.g. it becomes language/ja/language/en in the second if.

 

I think the second if should test for $HTTP_GET_VARS['language'] not $parameters??

Ian-san

Flawlessnet

Link to comment
Share on other sites

ian-san,

 

No, the problem is the ereg_replace; this is supposed to remove the previous language from the URL. However, I forgot to take account of SEFUs, so the ereg_replace fails.

 

Will update.

Trust me, I'm an Accountant.

Link to comment
Share on other sites
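
The failure discussed in the two posts above (the old language staying in the string when links are in search-engine-friendly form), as an added example that is not code from this thread or from the contribution. The helper name set_language(), its arguments and the sample strings are assumptions made for illustration.

```php
<?php
// Added illustration: set_language() is a hypothetical helper, not a function
// from osCommerce or from the SID killer contribution.

/**
 * Drop every existing language selector from $parameters and append the
 * requested one, in query form (language=en) or SEFU form (language/en).
 * Assumes a SEFU string is made of complete key/value pairs.
 */
function set_language($parameters, $language, $sefu)
{
    $pair_sep = $sefu ? '/' : '&';
    $kv_sep   = $sefu ? '/' : '=';

    // Split the string into [key, value] pairs.
    $pairs = array();
    if ($sefu) {
        $parts = explode('/', trim($parameters, '/'));
        for ($i = 0; $i + 1 < count($parts); $i += 2) {
            $pairs[] = array($parts[$i], $parts[$i + 1]);
        }
    } else {
        foreach (explode('&', $parameters) as $item) {
            if ($item !== '') {
                $pairs[] = array_pad(explode('=', $item, 2), 2, '');
            }
        }
    }

    // Keep everything except earlier language selectors.
    $out = array();
    foreach ($pairs as $pair) {
        if ($pair[0] !== 'language') {
            $out[] = $pair[0] . $kv_sep . $pair[1];
        }
    }

    // Only a two-letter lowercase code is written back into the link, the
    // same shape the original pattern expects.
    if (preg_match('/\A[a-z]{2}\z/', $language)) {
        $out[] = 'language' . $kv_sep . $language;
    }
    return implode($pair_sep, $out);
}

// Constructed sample inputs: the old language is replaced, not stacked.
echo set_language('cPath=1_4&language=ja', 'en', false), "\n";
echo set_language('cPath/1_4/language/ja', 'en', true), "\n";
echo set_language('language=ja', 'en', false), "\n";
```
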

Can you guys who say everything is working fine with no problems confirm for me that you can go into your store on the index (default) page from a clean browser, immediately go to login with nothing in the shopping cart and successfully login rather than being sent back to the index page, still not logged in.

 

Thanks :)

... if you want to REALLY see something that doesn't set up right out of the box without some tweaking,

try being a Foster Parent!

Link to comment
Share on other sites

Can you guys who say everything is working fine with no problems confirm for me that you can go into your store on the index (default) page from a clean browser, immediately go to login with nothing in the shopping cart and successfully login rather than being sent back to the index page, still not logged in.

 

Thanks :)

 

Yes - it works for me. I am using SEFU plus storing sessions in MySQL.

Ian-san

Flawlessnet

Link to comment
Share on other sites

mugitty,

 

Yes, I am also able to do that with the SID killer installed.

 

I am not able, however, to login, go to a product, click reviews, and click write a review. It immediately logs me out, and dumps me back out at the default.php.

 

Similar symptoms, I think.

 

Sadly, I am disabling this SID and going back to the USER_AGENT solution until we can get this sorted out.

-------------------------------------------------------------------------------------------------------------------------

NOTE: As of Oct 2006, I'm not as active in this forum as I used to be, but I still work with osC quite a bit.

If you have a question about any of my posts here, your best bet is to contact me through either Email or PM in my profile, and I'll be happy to help.

Link to comment
Share on other sites

Can you guys who say everything is working fine with no problems confirm for me that you can go into your store on the index (default) page from a clean browser, immediately go to login with nothing in the shopping cart and successfully login rather than being sent back to the index page, still not logged in.

 

Thanks :)

 

You're not alone mugitty, I have the same issue with sid killer. This is the one problem I want resolved bad enough to actually post and put my 2 cents worth in. I only use the English language on my cart, all other languages have been removed through the admin tool, and I only use USD currency; all other currencies have also been removed through the admin tool. I've tried the latest mod plus whatever else I could find in the forums, either in the form of additional coding or replacing certain lines of code (I think I've tried it all). My last attempt was to install a totally clean install of the latest snapshot; the only modifications I made were: added my secure server address, configured the cart to my preference... language, currency and so on, created a test account to login with and at last installed the sid killer addon. Still kicks me back to the index.php/default.php page when I try to login right when the page is first accessed. Login is successful if I go to the cart first, add an item and start the checkout process. I've installed two new clean snapshots today, so if anyone has any suggestions on what maybe to try next let me know. Thanks everyone

Link to comment
Share on other sites

OK, I've gotten a little further with this not being able to log in thing. There seems to be something with the EXACT address to which I'm directing the browser. In all cases I am talking about a situation where SIDKiller is installed, there is nothing in the shopping cart and I am going directly to login on my first click from the index page:

 

1: If I go to http://farmex.now.tc/catalog/index.php , I cannot log in.

 

2: If I go to http://farmex.now.tc/catalog , the browser resolves to http://www.farmex.now.tc/catalog/ and I can log in just fine.

 

3: If I go to http://farmex.now.tc/catalog/ , the browser resolves to the same exact address and I cannot log in.

 

4: If I go to http://www.farmex.now.tc/catalog , the browser resolves to the same with a trailing slash added after 'catalog', and I can log in.

 

5: If I go to http://www.farmex.now.tc/catalog/index.php , the browser resolves to the same exact address and I can log in.

 

If I change my configure.php from

define('HTTP_SERVER', 'http://farmex.now.tc')

to

define('HTTP_SERVER', 'http://www.farmex.now.tc')

then I am unable to log in under any of the above conditions.

 

My https is on a different server from my http and presently looks like this:

define('HTTPS_SERVER', 'https://secure14.vosn.net/~farmex');

define('ENABLE_SSL', true); // secure webserver for checkout procedure?

Does any of this give anyone an idea of why I am encountering this?

 

Heartfelt thanks to anyone who can help!

... if you want to REALLY see something that doesn't set up right out of the box without some tweaking,

try being a Foster Parent!

Link to comment
Share on other sites

Just found another quirk.

 

Although I am able to login, if I go to my address book, and try to add a new address, it will log me out, and dump me out to the default.php.

-------------------------------------------------------------------------------------------------------------------------

NOTE: As of Oct 2006, I'm not as active in this forum as I used to be, but I still work with osC quite a bit.

If you have a question about any of my posts here, your best bet is to contact me through either Email or PM in my profile, and I'll be happy to help.

Link to comment
Share on other sites

I have a pre-November snapshot as well.

 

The only thing I can think of that I have changed, is that I have altered the "NONSSL" and changed them to "SSL" in several places. I've done this because after a customer logs in, I wish for them to stay on SSL until they leave the site, in order to avoid the "you are about to leave a secure page" warnings.

 

However, if I comment out the SID killer in app top, it doesn't automatically log me out in the instances I described above. So, I have to conclude that the SID killer in conjunction with the changed SSL settings has caused the problems.

-------------------------------------------------------------------------------------------------------------------------

NOTE: As of Oct 2006, I'm not as active in this forum as I used to be, but I still work with osC quite a bit.

If you have a question about any of my posts here, your best bet is to contact me through either Email or PM in my profile, and I'll be happy to help.

Link to comment
Share on other sites

I'm back to the one little section of SIDKiller code below. If I comment it out and use the original code in this section, I can log in under ALL of the conditions mentioned in my previous post, whether my http server is defined as 'http://farmex.now.tc' or as 'http://www.farmex.now.tc'. The problem of course being that this seems to be the only part of the SIDKiller code that prevents the search engines from displaying SIDs when they look at links.

// Add the session ID when moving from HTTP and HTTPS servers or when SID is defined
   if ( (ENABLE_SSL == true ) && ($connection == 'SSL') && ($add_session_id == true) ) {
     $sid = tep_session_name() . '=' . tep_session_id();
   } elseif ( ($add_session_id == true) && (tep_not_null(SID)) ) {
     $sid = SID;
   }

   if ( (SEARCH_ENGINE_FRIENDLY_URLS == 'true') && ($search_engine_safe == true) ) {
     while (strstr($link, '&&')) $link = str_replace('&&', '&', $link);

     $link = str_replace('?', '/', $link);
     $link = str_replace('&', '/', $link);
     $link = str_replace('=', '/', $link);

     $separator = '?';
   }

   if (isset($sid)) {
     $link .= $separator . $sid;
   }

// BEGIN SIDKiller code - uncomment above if not using SIDKiller code
//    if (isset($sid) && (!$kill_sid)) {
//      $link .= $separator . $sid;
//    }
// END SIDKiller code

   return $link;
 }

Am I missing something, or does this indicate that this effect is caused by just this one section of the SIDKiller code?

... if you want to REALLY see something that doesn't set up right out of the box without some tweaking,

try being a Foster Parent!

Link to comment
Share on other sites

Am I missing something, or does this indicate that this effect is caused by just this one section of the SIDKiller code?

 

That just puts the sids back in your url I think - ie it is like not having the sid killer there at all.

Ian-san

Flawlessnet

Link to comment
Share on other sites

Stuart,

 

The reason why commenting out that part of the code fixes things is that that line decides whether to append the sid to a link.

 

The problem is not with this line of code but with how $kill_sid is set in other parts of my code.

 

I'd like to poll people on various settings.

 

A) How they are storing sessions (mysql or file)

B) Whether your SSL is on a different domain name.

 

I also have a suggestion to try.

 

// Add the session ID when moving from HTTP and HTTPS servers or when SID is defined
   if ( (ENABLE_SSL == true ) && ($connection == 'SSL') && ($add_session_id == true) ) {
     $sid = tep_session_name() . '=' . tep_session_id();

Straight after that last line add

$kill_sid = false;

Trust me, I'm an Accountant.

Link to comment
Share on other sites

Ian,

 

A.) MySQL

B.) SSL Different Domain

 

It definitely kills SIDs, but it seems to log you out when switching from SSL to NONSSL.

-------------------------------------------------------------------------------------------------------------------------

NOTE: As of Oct 2006, I'm not as active in this forum as I used to be, but I still work with osC quite a bit.

If you have a question about any of my posts here, your best bet is to contact me through either Email or PM in my profile, and I'll be happy to help.

Link to comment
Share on other sites

Ian;

 

The change that you mentioned above just seems to do the same as if I had commented the code that I mentioned before. With that section of html_output looking like this:

// Add the session ID when moving from HTTP and HTTPS servers or when SID is defined
   if ( (ENABLE_SSL == true ) && ($connection == 'SSL') && ($add_session_id == true) ) {
     $sid = tep_session_name() . '=' . tep_session_id();
     $kill_sid = false;
   } elseif ( ($add_session_id == true) && (tep_not_null(SID)) ) {
     $sid = SID;
   }

   if ( (SEARCH_ENGINE_FRIENDLY_URLS == 'true') && ($search_engine_safe == true) ) {
     while (strstr($link, '&&')) $link = str_replace('&&', '&', $link);

     $link = str_replace('?', '/', $link);
     $link = str_replace('&', '/', $link);
     $link = str_replace('=', '/', $link);

     $separator = '?';
   }

//    if (isset($sid)) {
//      $link .= $separator . $sid;
//    }

// BEGIN SIDKiller code - uncomment above if not using SIDKiller code
   if (isset($sid) && (!$kill_sid)) {
     $link .= $separator . $sid;
   }
// END SIDKiller code

   return $link;
 }

I am able to login under any address that I enter, but the SIDs are showing up in the search engine simulator again :(

 

Storing sessions in mysql

SSL on different server

... if you want to REALLY see something that doesn't set up right out of the box without some tweaking,

try being a Foster Parent!

Link to comment
Share on other sites

Ok,

 

I think the adjustment I gave mugitty won't work.

 

The problem seems to be when moving from ssl to nonssl on systems where the ssl domain is different from the nonssl domain.

 

I must admit to not being 100% sure how internally the domain checking works. I would have thought that if you were having problems going from ssl->nonssl you would also have problems going from nonssl->ssl

 

I'll put together some code to retain sids on ssl->non ssl transfers and see if this helps.

 

When I first wrote this code I thought ok there's less than 10 lines of code, what could possibly go wrong. :oops:

Trust me, I'm an Accountant.

Link to comment
Share on other sites
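
The rule proposed in the post above (keep the session ID on links that cross to a different host, drop it elsewhere), as an added sketch that is not the contribution's code. link_with_sid(), its parameters, the host names and the session value are all assumptions; how a spider is recognised is left to the caller.

```php
<?php
// Added illustration: link_with_sid() is hypothetical, not the
// contribution's tep_href_link() logic.

/**
 * Append "name=id" to $link only when the browser cannot carry the session
 * by cookie: either no session cookie exists yet, or the link leaves the
 * current host, where a host-scoped cookie is not sent. A spider never gets
 * a session ID, so none ends up in an index.
 */
function link_with_sid($link, $current_host, $sid_pair, $has_cookie, $is_spider)
{
    if ($is_spider) {
        return $link;
    }

    // A relative link has no host component and stays on the current host.
    $target_host = parse_url($link, PHP_URL_HOST);
    $cross_host  = is_string($target_host)
                && strcasecmp($target_host, $current_host) !== 0;

    if (!$cross_host && $has_cookie) {
        return $link;               // same host: the cookie is enough
    }

    $separator = (strpos($link, '?') === false) ? '?' : '&';
    return $link . $separator . $sid_pair;
}

// Constructed sample: catalog on shop.example, SSL pages on secure.example.
$sid = 'sessid=0123456789abcdef';

// Catalog to SSL login and back again: both directions change host.
echo link_with_sid('https://secure.example/login.php', 'shop.example', $sid, true, false), "\n";
echo link_with_sid('http://shop.example/index.php', 'secure.example', $sid, true, false), "\n";

// Same host with a cookie, and a spider on a cross-host link: no SID.
echo link_with_sid('http://shop.example/index.php?cPath=1', 'shop.example', $sid, true, false), "\n";
echo link_with_sid('https://secure.example/login.php', 'shop.example', $sid, false, true), "\n";
```
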

Ian;

 

I already owe you a half dozen pints for all the time and effort you've put into this - I sincerely appreciate it!

When I first wrote this code I thought ok there's less than 10 lines of code, what could possibly go wrong.

My old Grandpa used to say "If something can go wrong, it will" (well, OK, maybe it wasn't my Grandpa and maybe that's not exactly what was said, but it was something like that).

 

Let's just call it Murphy's Law :wink:

... if you want to REALLY see something that doesn't set up right out of the box without some tweaking,

try being a Foster Parent!

Link to comment
Share on other sites

Hi Ian,

 

A) Mysql

B) SSL Different Domain

C) latest cvs

D) Just for info: the above code change doesn't work, already tried it myself ;) When the change is in, the sid killer doesn't work...

 

Ian tnx again for your great work and help.

Hope you find a good solution soon. :)

 

Alex

Link to comment
Share on other sites

Hi

 

I've installed the code and it works fine, however it does not work with the auto login contribution. Is there any way around this?

 

What happens is that once you are logged in and then you log out you end up in an infinite loop: whichever link you click on, it forwards to logoff.php where the loop takes place.

 

I hope this can be resolved as I love the auto login contrib :)

 

Well done to Ian for all his hard work!

 

Andy

Link to comment
Share on other sites

  • 4 weeks later...
  • 3 weeks later...
  • 7 months later...

funny thing happened, i was searching through the threads looking for a way to implement a sid killer and be successful until i ran across Ian's idea, sounded good anyway

so i stopped right there and did it, only problem is when i went to my site i got caught up in an infinite loop of logging off, so i came back to the forum to let everyone know that there is something wrong with that code and realized i only read page one and there were 17 other pages i should have read through lol

anyway yes i have auto login installed, so any way around this

Link to comment
Share on other sites
