
spooks

What is the osCsid & why you must not lose it.


 

This issue keeps raising its ugly head & many seem confused, so I will endeavor to give some light to the problems.

 

The session id (sid or osCsid) is used by e-commerce applications to keep track of users as they browse the site, so the store knows who the user is and hence which basket & account are theirs.

 

The sid is stored within the url and/or cookie (if available). So a url with sid would look like: http://www.domain-one.com/index.php?osCsid...52r43tWEFw34352

 

Clearly, to ensure the above works properly you must ensure no links to your site contain a sid, whether within search engines' indexes (Prevent Spider Sessions), on other sites linking to you, or in any links within your own site. If this does occur you can get users finding they are accessing another's account, orders getting mixed up and even billing going awry. There is a new tag (canonical) which could help you avoid this problem with search engines, though you must avoid the problem occurring in the first place.

Example of use for product_info.php is:

<link rel="canonical" href="<?php echo tep_href_link(FILENAME_PRODUCT_INFO, 'products_id=' . (int)$_GET['products_id'],NONSSL,false); ?>" />

Equally, when a user is on the site osC needs to ensure the user's sid is kept throughout the visit, as if it is lost at any time the application will consider them a new visitor, so they would lose the cart contents, suddenly find they're logged out or even get lost halfway through checkout!!

 

osC keeps the user's sid between pages through use of the tep_href_link function, so all links must use tep_href_link to ensure the sid remains. You can circumvent this issue with 'Force Cookie Use': since the sid is then stored within the cookie, if it is lost through any 'bad' code it can be picked up from there again.

 

So should you create your own links and simply use something like

<a href="index.php">Back Home</a>

you are creating some major problems for yourself. Instead you should put

<a href="<?php echo tep_href_link(FILENAME_DEFAULT); ?>">Back Home</a>

 

The sid is also used by some contributions (like Anti Robot Registration Validation) where the sid is used as the root for creation of the code presented to the user, so if it's missing code generation will not work.

 

Contributions that may help if you have issues:

 

SID Killer http://addons.oscommerce.com/info/952

Duplicate Content Manager http://addons.oscommerce.com/info/6214

 

 

For further reading see: http://www.oscommerce.info/kb/osCommerce/D...plementations/4

 

and http://www.oscommerce.info/kb/168

 

I hope that makes things clearer. ;)


Sam

 

Remember, what you think I meant may not be what I thought I meant when I said it.

 

Contributions:

 

Auto Backup your Database, Easy way

 

Multi Images with Fancy Pop-ups, Easy way

 

Products in columns with multi buy etc etc

 

Disable any Category or Product, Easy way

 

Secure & Improve your account pages et al.


Another way you can lose the sid is through the use of links to anchors on a page, like

 

<a href="<?php echo tep_href_link(FILENAME_DEFAULT,'action=default#information'); ?>">More Info</a>

 

the trouble with this is should the url contain a sid, the resulting link will be:

 

http://www.domain-one.com/index.php?action...52r43tWEFw34352

 

Since the sid occurs after the anchor link it's ignored, so the sid is lost and disaster.

 

The answer is either not to use anchors, or to test for the sid and not use anchors if it exists.

 

I.e. at the top of the page you have

 

$sess_id = (tep_not_null(SID));

 

then the above link would become

 

<a href="<?php echo tep_href_link(FILENAME_DEFAULT,'action=default' . ($sess_id ? '' : '#information')); ?>">More Info</a>

 

I hope that's useful to some. :)


Sam

 


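To make the anchor problem above concrete, here is an added example in plain PHP; it is not osCommerce code and not part of the thread. build_link() stands in only for the part of tep_href_link that appends the osCsid to the query string (a simplification, and build_link / sid_in_query are hypothetical names), and sid_in_query() checks, the way the server sees it, whether the sid actually arrives in the query string. It also shows the alternative to dropping anchors altogether: put the fragment after the whole query string, sid included, and the sid survives.

```php
<?php
// Added example, not osCommerce code. build_link() mimics only the part of
// tep_href_link that appends the session id to the query string (an
// assumption for illustration); sid_in_query() is the server-side view.

function build_link(string $page, string $params = '', ?string $sid = null, string $fragment = ''): string
{
    $query = [];
    if ($params !== '') {
        $query[] = $params;
    }
    if ($sid !== null && $sid !== '') {
        $query[] = 'osCsid=' . rawurlencode($sid);   // appended last, as in the thread's URLs
    }
    $url = $page;
    if ($query !== []) {
        $url .= '?' . implode('&', $query);
    }
    if ($fragment !== '') {
        $url .= '#' . ltrim($fragment, '#');       // fragment goes after the sid
    }
    return $url;
}

// A browser never sends the '#...' part, so only what parse_url reports as
// the query component reaches the server.
function sid_in_query(string $url): bool
{
    $query = parse_url($url, PHP_URL_QUERY);
    if (!is_string($query)) {
        return false;
    }
    parse_str($query, $params);
    return isset($params['osCsid']) && $params['osCsid'] !== '';
}

// Constructed sample session id (not a real one).
$sid = '52r43tWEFw34352';

// The thread's first link: the '#' sits inside the parameters, so the sid
// is appended behind it and becomes part of the fragment.
$broken = build_link('index.php', 'action=default#information', $sid);

// Fragment appended after the complete query string instead.
$fixed = build_link('index.php', 'action=default', $sid, 'information');

printf("%s\n  sid reaches server: %s\n", $broken, sid_in_query($broken) ? 'yes' : 'no');
printf("%s\n  sid reaches server: %s\n", $fixed, sid_in_query($fixed) ? 'yes' : 'no');
```

Run it with the PHP CLI: the first URL reports that the sid does not reach the server, the second that it does. The same parse_url check can be dropped into a page to verify that a generated link still carries the sid before it is emitted.
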
Another place you can lose the sid is through forms. If you create a form with pure HTML like:

 

<form name="contact_us" action="<?php echo FILENAME_CONTACT_US ?>" method="get">
Name: <input type="text" name="name">
More Text <input type="submit" value="Submit">
</form>

 

As the form action does not contain the sid, it's lost!!

 

the correct method is:

 

<?php echo tep_draw_form('contact_us', tep_href_link(FILENAME_CONTACT_US, 'action=send'), 'get'); ?>

Name:  <?php echo tep_draw_input_field('name'); ?>

More Text <?php echo tep_image_submit('button_continue.gif', IMAGE_BUTTON_CONTINUE); ?>

</form>

 

Note the use of tep_href_link within the form.

 

 

 

If you're writing your own code, the details for the tep_href_link function are:

 

tep_href_link($page, $parameters, $connection, $add_session_id, $search_engine_safe)

 

$page is the page you are linking to.

$parameters is the parameters for the URL (action=send etc.).

$connection is SSL or NONSSL.

$add_session_id is normally 'true' so the sid is added.

$search_engine_safe: if set to true and SEARCH_ENGINE_FRIENDLY_URLS is set to 'true' (in admin), SEF URLs are created.


Sam

 


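Both this post and the first one come down to the same check: any <a href> or <form action> pointing at a page of the store that is not built with tep_href_link will drop the sid. The following is an added example, not osCommerce code and not one of the contributions listed above, that scans template source for exactly that and reports the line. find_sid_dropping_links is a hypothetical name, and the sample template is constructed from the good and bad snippets in this thread.

```php
<?php
// Added example, not osCommerce code: scan template source for <a href="...">
// and <form action="..."> values that point at a local store page but are not
// built with tep_href_link(), i.e. links that would drop the osCsid.

function find_sid_dropping_links(string $source): array
{
    $findings = [];
    // href="..." on <a> and action="..." on <form>, with match offsets so the
    // line number can be reported.
    $pattern = '/<(a|form)\b[^>]*\b(href|action)\s*=\s*"([^"]*)"/i';
    if (!preg_match_all($pattern, $source, $matches, PREG_SET_ORDER | PREG_OFFSET_CAPTURE)) {
        return $findings;
    }
    foreach ($matches as $m) {
        $tag   = strtolower($m[1][0]);
        $attr  = strtolower($m[2][0]);
        $value = $m[3][0];
        $line  = substr_count(substr($source, 0, $m[0][1]), "\n") + 1;

        if (stripos($value, 'tep_href_link(') !== false) {
            continue;   // built by osC, the sid is carried along
        }
        if (preg_match('#^(https?:)?//#i', $value)) {
            continue;   // external / absolute link: must not carry the sid anyway
        }
        // A bare .php page or a FILENAME_* constant echoed without tep_href_link.
        if (preg_match('/\.php\b/i', $value) || stripos($value, 'FILENAME_') !== false) {
            $findings[] = sprintf('line %d: <%s> %s="%s" bypasses tep_href_link',
                                  $line, $tag, $attr, $value);
        }
    }
    return $findings;
}

// Constructed sample template mixing the thread's good and bad patterns.
$sample = <<<'HTML'
<a href="index.php">Back Home</a>
<a href="<?php echo tep_href_link(FILENAME_DEFAULT); ?>">Back Home</a>
<form name="contact_us" action="<?php echo FILENAME_CONTACT_US ?>" method="get">
<a href="http://www.other-site.example/">Other Site</a>
HTML;

foreach (find_sid_dropping_links($sample) as $finding) {
    echo $finding, "\n";
}
```

On the sample it flags line 1 (the raw index.php link) and line 3 (the form whose action echoes FILENAME_CONTACT_US directly) and stays quiet about the tep_href_link link and the external one. To check a real store, read each file under the catalog with file_get_contents() and pass it in; a regex scan like this will not catch links assembled in PHP variables, so treat it as a first pass rather than proof.
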
First of all, thanks for your helpful arguments.

I need help on two issues.

 

1) :blush: I'm not able to write the right code for a "background-image" inside a table and in a td

 

<table border="0" cellspacing="0" cellpadding="0" background-image="<?php tep_image(... etc

 

2) I put the McAfee Secure image and its link in my header.php

I was able to quite let it work just creating a new function like tep_href_link and deleting the home references.

I have the problem that as it adds the SID at the end of the link, it doesn't open the McAfee certificate page.

But the question is, is it good to have it in the header ?

I mean, thinking to this SID issue...

 

Just to understand how it works, WHERE and HOW is it better to put the SSL GoDaddy link? Same for McAfee.

If for example they are in the footer.php, does the code need to be changed the same way?

Or is the loss of SID just at the top of pages?

 

Thanks in advance for patience,

I'm not a php programmer and I'm learning.


Hello,

 

Will this break the SID?

 

<table border="0" width="800" cellspacing="0" cellpadding="0" align="center" style="border:1px solid #000000; background-image:url(../img/backlogo.jpg);">

 

Thanks


You don't want the sid on links to external pages; you can tell tep_href_link not to add the sid with:

 

tep_href_link('my_link.php', '', NONSSL, false);

 

Note the 'false' in the 4th argument. However, as tep_href_link is for internal links on your site it will add http://www.your_domain.com to the link, which is not what you want.

 

As this is an external link you can just use the likes of <a href="http://www.other site.html">Other Site</a>

 

or you could use redirect.php


Sam

 


No, it's not a link!!!


Sam

 

No, it's not a link!!!

 

Thank you.

:blush: Another thing.

 

The script for GoDaddy SSL certificate has a script:

 

<script type="text/javascript" src="https://seal.godaddy.com/getSeal?sealID=XXX" target="_blank"></script>

 

Will this break the SID? How can this one be changed?

Thanks a lot !


As before, it's linking off site, so no problem.

 

:D


Sam

 

As before, it's linking off site, so no problem.

 

:D

 

 

Sorry to bother you...

 

PLEASE !

 

I think I changed all the tep_href_link...

I tried Force Cookie Use... both as False and then as True...

I tried Image Required as False and True...

 

NOTHING !

 

I still have the lost SID red alert !

 

If I check in Admin the page Who's On Line I can see myself, but ID is 0.

Is this right ?

 

I begin to think I probably have some problems with Database... I mean,

how to check if it records the SID and then it gives it back ?

 

What can I also check ???

I think to have installed the contribution in the right way...

HELP!!!

 

-----------------------

I put an .htaccess file inside include folder with this code:

 

<Files *.php>
Order Deny,Allow
Deny from all
</Files>

 

Is it right ? Or is it wrong ?

----------------------


Please don't make duplicate posts, it's against forum rules & annoys many. I personally tend to ignore such posters & will also generally slow any response.

 

I've uploaded a new version of the package if you look in the other thread you put this in!!!!


Sam

 


Sorry for that.

I don't know where to put my head to see the contribution working...

Sorry for that.

I don't know where to put my head to see the contribution working...

 

 

Sorry, I don't understand: have you tried the new version, or do you need to see a demo?


Sam

 

Sorry, I don't understand: have you tried the new version, or do you need to see a demo?

 

 

Your Italian is not bad!

It looks like you used some web-translator, anyway ! :rolleyes:

 

I'm checking files...

But, the thing I don't understand is... WHY all those sql versions ?

And why is there no info in the help/install notes?

 

In the folder I upload, there was only one...

Probably something was missing?

 

About these release...

Which SQL file do I have to use?

 

Then, there's no reference to LINKS_SUBMIT-PAGe: what is it?

Does this have to be installed?

 

If I run the last SQL file, the 3.0 one, is it enough?

 

If you re-wrote all previous code, as I have many add-ons and not a new/clear installation,

do I have to delete all codes of previous version?

 

THANKS FOR THE HELP!

 

I don't think I have to see a demo, I understood how the contribution should work...

I would like my e-store to be ready to publish, I've been working on it for almost a year...

And it's not something particularly incredible (talking about graphic or visual impact...).

I hope to solve this issue.


Yes, my mate Google writes my Italian for me!!!

 

I will reply in the contrib thread, as this doesn't belong here.


Sam

 


Hi Sam,

 

Apologies for bothering you but I tried this

 

<a href="<?php echo tep_href_link(FILENAME_CONTACT_US); ?>">Contact Us</a>

which brought up an error page which states something similar to

 

URL /catalog/ not found on this server.

 

Not sure what I am doing wrong.


You have errors in your configuration

 

typical config files:

 

CATALOG/ADMIN/INCLUDES/CONFIGURE.PHP

define('HTTP_SERVER', 'http://www.my-site.co.uk');
define('HTTP_CATALOG_SERVER', 'http://www.my-site.co.uk');
define('HTTPS_CATALOG_SERVER', 'http://www.my-site.co.uk');
define('DIR_WS_HTTP_CATALOG', '/servername/catalog/');
define('DIR_WS_HTTPS_CATALOG', '/servername/catalog/');
define('ENABLE_SSL_CATALOG', 'false');
define('DIR_FS_DOCUMENT_ROOT', '/home/servername/public_html/catalog/');
define('DIR_WS_ADMIN', '/catalog/admin/');
define('DIR_FS_ADMIN', '/home/servername/public_html/catalog/admin/');
define('DIR_WS_CATALOG', '/catalog/');
define('DIR_FS_CATALOG', '/home/servername/public_html/catalog/');
define('DIR_WS_IMAGES', 'images/');
define('DIR_WS_ICONS', DIR_WS_IMAGES . 'icons/');
define('DIR_WS_CATALOG_IMAGES', DIR_WS_CATALOG . 'images/');
define('DIR_WS_INCLUDES', 'includes/');
define('DIR_WS_BOXES', DIR_WS_INCLUDES . 'boxes/');
define('DIR_WS_FUNCTIONS', DIR_WS_INCLUDES . 'functions/');
define('DIR_WS_CLASSES', DIR_WS_INCLUDES . 'classes/');
define('DIR_WS_MODULES', DIR_WS_INCLUDES . 'modules/');
define('DIR_WS_LANGUAGES', DIR_WS_INCLUDES . 'languages/');
define('DIR_WS_CATALOG_LANGUAGES', DIR_WS_CATALOG . 'includes/languages/');
define('DIR_FS_CATALOG_LANGUAGES', DIR_FS_CATALOG . 'includes/languages/');
define('DIR_FS_CATALOG_IMAGES', DIR_FS_CATALOG . 'images/');
define('DIR_FS_CATALOG_MODULES', DIR_FS_CATALOG . 'includes/modules/');
define('DIR_FS_BACKUP', DIR_FS_ADMIN . 'backups/');

CATALOG/INCLUDES/CONFIGURE.PHP

define('HTTP_SERVER', 'http://www.my_site.co.uk');
define('HTTPS_SERVER', 'http://www.my_site.co.uk');
define('ENABLE_SSL', false);
define('HTTP_COOKIE_DOMAIN', 'www.my_site.co.uk');
define('HTTPS_COOKIE_DOMAIN', 'www.my_site.co.uk');
define('HTTP_COOKIE_PATH', '/catalog/');
define('HTTPS_COOKIE_PATH', '/catalog/');
define('DIR_WS_HTTP_CATALOG', '/catalog/');
define('DIR_WS_HTTPS_CATALOG', '/catalog/');
define('DIR_WS_IMAGES', 'images/');
define('DIR_WS_ICONS', DIR_WS_IMAGES . 'icons/');
define('DIR_WS_INCLUDES', 'includes/');
define('DIR_WS_BOXES', DIR_WS_INCLUDES . 'boxes/');
define('DIR_WS_FUNCTIONS', DIR_WS_INCLUDES . 'functions/');
define('DIR_WS_CLASSES', DIR_WS_INCLUDES . 'classes/');
define('DIR_WS_MODULES', DIR_WS_INCLUDES . 'modules/');
define('DIR_WS_LANGUAGES', DIR_WS_INCLUDES . 'languages/');

define('DIR_WS_DOWNLOAD_PUBLIC', 'pub/');
define('DIR_FS_CATALOG', '/home/servername/public_html/catalog/');
define('DIR_FS_DOWNLOAD', DIR_FS_CATALOG . 'download/');
define('DIR_FS_DOWNLOAD_PUBLIC', DIR_FS_CATALOG . 'pub/');

define('DB_SERVER', 'localhost');
define('USE_PCONNECT', 'false');
define('STORE_SESSIONS', 'mysql');

 

if your store is in the root remove catalog/ above

I suspect you have catalog/ in there, but have a root based site


Sam

 


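The catalog configure.php values above also decide whether the cookie copy of the sid survives between pages, which is the fallback 'Force Cookie Use' relies on. Here is an added example, not osCommerce code and not part of this thread, that checks the few values involved. It takes the defines as an array so it can run offline; the checks and the name check_session_config are mine, and the sample values are constructed (www.example.com rather than a real host), one for a catalog/ install as in the post above and one with the paths emptied out.

```php
<?php
// Added example, not osCommerce code: sanity-check the configure.php values
// that decide whether the session cookie (and so the osCsid) is sent back by
// the browser. Defines are passed in as an array so this runs offline.

function check_session_config(array $cfg): array
{
    $problems     = [];
    $server       = $cfg['HTTP_SERVER'] ?? '';
    $cookieDomain = $cfg['HTTP_COOKIE_DOMAIN'] ?? '';
    $cookiePath   = $cfg['HTTP_COOKIE_PATH'] ?? '';
    $catalog      = $cfg['DIR_WS_HTTP_CATALOG'] ?? '';

    // The cookie domain must be the host the store is actually served from,
    // otherwise the browser stores the cookie but never sends it back.
    $host = parse_url($server, PHP_URL_HOST);
    if (!is_string($host) || $host === '') {
        $problems[] = "HTTP_SERVER '$server' is not a full URL (expected e.g. http://www.example.com)";
    } elseif (strcasecmp($cookieDomain, $host) !== 0) {
        $problems[] = "HTTP_COOKIE_DOMAIN '$cookieDomain' does not match HTTP_SERVER host '$host'";
    }

    // '/' for a root install, '/catalog/' for a catalog/ install; never empty.
    if ($catalog === '' || $catalog[0] !== '/' || substr($catalog, -1) !== '/') {
        $problems[] = "DIR_WS_HTTP_CATALOG '$catalog' must start and end with '/'";
    }

    // The cookie path must cover the store path, or the cookie is not sent.
    if ($cookiePath === '' || $cookiePath[0] !== '/' || strpos($catalog, $cookiePath) !== 0) {
        $problems[] = "HTTP_COOKIE_PATH '$cookiePath' must be '/' or a prefix of DIR_WS_HTTP_CATALOG '$catalog'";
    }

    return $problems;
}

// Constructed samples: a catalog/ install as in the post above, and the same
// file with the paths emptied out.
$samples = [
    'catalog install' => [
        'HTTP_SERVER'         => 'http://www.example.com',
        'HTTP_COOKIE_DOMAIN'  => 'www.example.com',
        'HTTP_COOKIE_PATH'    => '/catalog/',
        'DIR_WS_HTTP_CATALOG' => '/catalog/',
    ],
    'paths emptied' => [
        'HTTP_SERVER'         => 'http://www.example.com',
        'HTTP_COOKIE_DOMAIN'  => 'www.example.com',
        'HTTP_COOKIE_PATH'    => '',
        'DIR_WS_HTTP_CATALOG' => '',
    ],
];

foreach ($samples as $label => $cfg) {
    $problems = check_session_config($cfg);
    echo $label, ': ', $problems === [] ? 'ok' : count($problems) . ' problem(s)', "\n";
    foreach ($problems as $p) {
        echo '  - ', $p, "\n";
    }
}
```

The first sample passes; the second fails both path checks. To run it against a live store, include the catalog configure.php and build the array from the constants, e.g. ['HTTP_SERVER' => HTTP_SERVER, ...]. The domain comparison is deliberately strict (exact host, no leading-dot forms), which is the safe default for a single-host store.
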
Thanks for the response Sam.

 

I compared those files and the only difference is that I have the following two lines missing from my admin includes

 

define('DIR_WS_HTTP_CATALOG', '/servername/catalog/');

define('DIR_WS_HTTPS_CATALOG', '/servername/catalog/');

 

All the other entries match. Not sure what to do?


Oops, and one more thing.

 

When you say remove "catalog" I am not sure which lines you are referring to. And yes the store is root based.


as in where-ever catalog/ appears, remove it, so:

 

define('DIR_WS_HTTP_CATALOG', '/servername/catalog/');
define('DIR_WS_HTTPS_CATALOG', '/servername/catalog/');

becomes

 

define('DIR_WS_HTTP_CATALOG', '/servername/');
define('DIR_WS_HTTPS_CATALOG', '/servername/');


Sam

 


Whoa no good. Did as you suggested and the page loads with a whole bunch of errors and with a whole bunch of /.../...catalog not found messages.


you seem to have a strange site then??

 

To clarify, tep_href_link uses HTTP_SERVER and DIR_WS_HTTP_CATALOG or the SSL versions.

 

 

 

Can you give the precise error shown & perhaps a url?

 

Is it a template?


Sam

 


No template. The website can be viewed here and no SSL yet. Note that I don't have to type "www" in the url for the website.

 

Okay what I did was to remove all references to catalog in both files. So as an example this is what it looked like for the catalog/includes/configure.php

 

<?php
 define('HTTP_SERVER', 'http://website url');
 define('HTTPS_SERVER', 'http://website url');
 define('ENABLE_SSL', false);
 define('HTTP_COOKIE_DOMAIN', 'website url');
 define('HTTPS_COOKIE_DOMAIN', 'website url');
 define('HTTP_COOKIE_PATH', '');
 define('HTTPS_COOKIE_PATH', '');
 define('DIR_WS_HTTP_CATALOG', '');
 define('DIR_WS_HTTPS_CATALOG', '');
 define('DIR_WS_IMAGES', 'images/');
 define('DIR_WS_ICONS', DIR_WS_IMAGES . 'icons/');
 define('DIR_WS_INCLUDES', 'includes/');
 define('DIR_WS_BOXES', DIR_WS_INCLUDES . 'boxes/');
 define('DIR_WS_FUNCTIONS', DIR_WS_INCLUDES . 'functions/');
 define('DIR_WS_CLASSES', DIR_WS_INCLUDES . 'classes/');
 define('DIR_WS_MODULES', DIR_WS_INCLUDES . 'modules/');
 define('DIR_WS_LANGUAGES', DIR_WS_INCLUDES . 'languages/');

 define('DIR_WS_DOWNLOAD_PUBLIC', 'pub/');
 define('DIR_FS_CATALOG', '/home/servername/public_html/');
 define('DIR_FS_DOWNLOAD', DIR_FS_CATALOG . 'download/');
 define('DIR_FS_DOWNLOAD_PUBLIC', DIR_FS_CATALOG . 'pub/');
?>

 

and for the admin/includes/configure

 

<?php
 define('HTTP_SERVER', 'http://website url');
 define('HTTPS_SERVER', 'http://website url');
 define('ENABLE_SSL', false);
 define('HTTP_COOKIE_DOMAIN', 'website url');
 define('HTTPS_COOKIE_DOMAIN', 'website url');
 define('HTTP_COOKIE_PATH', '');
 define('HTTPS_COOKIE_PATH', '');
 define('DIR_WS_HTTP_CATALOG', '');
 define('DIR_WS_HTTPS_CATALOG', '');
 define('DIR_WS_IMAGES', 'images/');
 define('DIR_WS_ICONS', DIR_WS_IMAGES . 'icons/');
 define('DIR_WS_INCLUDES', 'includes/');
 define('DIR_WS_BOXES', DIR_WS_INCLUDES . 'boxes/');
 define('DIR_WS_FUNCTIONS', DIR_WS_INCLUDES . 'functions/');
 define('DIR_WS_CLASSES', DIR_WS_INCLUDES . 'classes/');
 define('DIR_WS_MODULES', DIR_WS_INCLUDES . 'modules/');
 define('DIR_WS_LANGUAGES', DIR_WS_INCLUDES . 'languages/');

 define('DIR_WS_DOWNLOAD_PUBLIC', 'pub/');
 define('DIR_FS_CATALOG', '/home/servername/public_html/');
 define('DIR_FS_DOWNLOAD', DIR_FS_CATALOG . 'download/');
 define('DIR_FS_DOWNLOAD_PUBLIC', DIR_FS_CATALOG . 'pub/');
?>

 

Are the amendments correct? If yes, I'll try uploading again and see what errors and post them here.


No, why do you think you have a root site? You have a catalog based site, so you must not remove catalog/

 

I hope you realise you must replace servername with that for your server

 

so

'DIR_WS_HTTP_CATALOG'

 

is either

define('DIR_WS_HTTP_CATALOG', '/servername/');

or in your case

 

define('DIR_WS_HTTP_CATALOG', '/servername/catalog/');

Sam

 


Okay I see. I'll try again this time bearing in mind that it's not at root. I'll report back here if there are any errors.

 

Thanks Sam.
