osCommerce


Auto Login BUG



I downloaded this last night and got it installed.

 

It appeared to be working nicely. However, when I went to this site,

 

http://www.searchengineworld.com/cgi-bin/s.../sim_spider.cgi

 

I discovered that with the autologin enabled, the spiders can't see your site, at all.

 

If anyone out there is using this contribution, make sure you go there and see if spiders can see YOUR website.

-------------------------------------------------------------------------------------------------------------------------

NOTE: As of Oct 2006, I'm not as active in this forum as I used to be, but I still work with osC quite a bit.

If you have a question about any of my posts here, your best bet is to contact me through either Email or PM in my profile, and I'll be happy to help.


hey Wizards,

 

I noticed the same thing too when I installed it... it is because most spiders (maybe all) do not spider secure pages (HTTPS/SSL) and the autologin routine redirects through HTTPS.

 

a quick fix is to check if the user has cookies enabled. if they do, then do the autologin routine. if not, then do not do it b/c they are either a bot or have cookies disabled (neither of which can use the autologin anyways).

 

I just came up with this, installed it, and then tested on the search engine spider sim and my pages can now be spidered... also cookie users can still auto login.

 

HERE IT IS:

 

in includes/modules/autologin.php, place this code before the start of the autologin code (at the very top after the comments):

setcookie("TEMPCOOKIE", "CookieOn", time() + 60 * 60);
$cookieinfo = $HTTP_COOKIE_VARS["TEMPCOOKIE"];
if ($cookieinfo == "CookieOn") {

 

basically sets a temp cookie to determine if cookies are enabled, and if so, then continues with the auto login routine. if not, then it is skipped over (no HTTPS redirect, so we get spidered!)

 

also, at the end of the autologin.php files, you will need to close the if statement, so put a } right before the closing ?>:

}

?>

 

Also, what I am thinking of doing, is that since only cookied users can use the autologin, only present the option to them on login.php using the same if statement (or perhaps placing it in application_top.php and setting a variable like $COOKIES_ENABLED = true and then the check for cookies would just become if ($COOKIES_ENABLED == true) to use across different pages to check if the user has enabled cookies).

 

Also, after the check, it might be a good idea to delete the temp cookie since we create it on every page to check for cookies enabled, but I haven't thought that far ahead.

The only thing necessary for evil to flourish is for good men to do nothing

- Edmund Burke


Nice work!

 

OK, I'll put this in tonight, and I'll look at some of your other suggestions, as well.

 

I hadn't realized that spiders couldn't spider a site on SSL. In fact, I put almost the entire shop on SSL. In other words, once the customer hits a secure page, he stays in secured pages until he leaves. That way there are no warnings that they are "about to leave a secure page" and what not.

-------------------------------------------------------------------------------------------------------------------------

NOTE: As of Oct 2006, I'm not as active in this forum as I used to be, but I still work with osC quite a bit.

If you have a question about any of my posts here, your best bet is to contact me through either Email or PM in my profile, and I'll be happy to help.


Wizards,

 

I changed it some... I moved the cookie test to application_top, so that on a few other pages, I can check if cookies are on a lot easier...

 

so in application_top.php I added:

// Determine if cookies are enabled
setcookie("TEMPCOOKIE", "CookieOn", time() + 60 * 60);
$cookieinfo = $HTTP_COOKIE_VARS["TEMPCOOKIE"];
if ($cookieinfo == "CookieOn") {
  global $cookies_on;
  $cookies_on = true;
}

 

I dunno if it matters where it goes, but I put it right after the require configure line (about line 35).

 

so then in modules/autologon.php, I took out the cookie check since I moved it to app_top, and use this now:

if ($cookies_on == true) {

 

then in /login.php, the part that was added in from the contrib for users to select if they want to be remembered, I changed from:

if (ALLOW_AUTOLOGON != 'false') {

to

if ((ALLOW_AUTOLOGON != 'false') && ($cookies_on == true)) {

this way, if a user has cookies disabled, they don't even see a hint of the autologin feature, since it doesn't work for them...

 

I think we have something now :D

The only thing necessary for evil to flourish is for good men to do nothing

- Edmund Burke


  • 2 weeks later...

Hi,

 

Sorry, I am a dummy and can't figure out what you mean by

 

so then in modules/autologon.php, I took out the cookie check since I moved it to app_top, and use this now:  

 if ($cookies_on == true) {

 

could you possibly explain what changes you made in

/catalog/includes/modules/autologon.php

and

/cataloge/login.php

 

thank you

 

Hats


Hi Hatimad,

 

You are not a dummy ... it just sounds more complicated than it is. Add the text in red (I think it is around line 185ish in /catalog/includes/application_top.php):

 

// define how the session functions will be used
require(DIR_WS_FUNCTIONS . 'sessions.php');
tep_session_name('osCsid');

// --- added lines (shown in red in the original post) ---
// Determine if cookies are enabled
setcookie("TEMPCOOKIE", "CookieOn", time() + 60 * 60);
$cookieinfo = $HTTP_COOKIE_VARS["TEMPCOOKIE"];
if ($cookieinfo == "CookieOn") {
  global $cookies_on;
  $cookies_on = true;
}
// --- end of added lines ---

// include the database functions
require(DIR_WS_FUNCTIONS . 'database.php');

 

Edit the very bottom of the same file where it says HMCS:Begin Autologon (Remember the green text is already there ... just add the code in red):

 

// HMCS: Begin Autologon ******************************************************************
if ($cookies_on == true) { // added line (red in the original post)
  if (ALLOW_AUTOLOGON == 'true') { // Is Autologon enabled?
    if (basename($PHP_SELF) != FILENAME_LOGIN) { // yes
      if (!tep_session_is_registered('customer_id')) {
        include('includes/modules/autologon.php');
      }
    }
  } else {
    setcookie("email_address", "", time() - 3600, $cookie_path); // no, delete email_address cookie
    setcookie("password", "", time() - 3600, $cookie_path); // no, delete password cookie
  }
} // added line (red in the original post)
// HMCS: End Autologon ******************************************************************

 

I hope this is useful to you.


Hi Mike,

 

thanks a lot, i did exactly what you said but it still shows the SID along with my default.php

 

am i supposed to make any changes in

 

/catalog/includes/modules/autologon.php

and

/cataloge/login.php

 

thanks for your help

 

hats


i tried to install SID killer few days ago, but since autologon was installed it didn't let it work. it will get stuck at the logoff and won't go ahead, and show me the blank page

i will try to install it again since i have applied your fix to the autologon contribution and let you know

 

thanks for your help

 

Hats


ohh... sorry for not replying earlier... quite some time ago I dumped the autologin... I had it installed for about 30 minutes and decided, ya know it's just not worth it... it's a neat idea, but the way it works, re-routing every page through login/logoff.php just makes for a lot of headaches...

 

it is a great idea I think, just needs to be worked on some I think.

The only thing necessary for evil to flourish is for good men to do nothing

- Edmund Burke


Hatimad,

 

as far as I know, the Sid Killer will not work properly if you have SSL on a different server than your regular domain.

-------------------------------------------------------------------------------------------------------------------------

NOTE: As of Oct 2006, I'm not as active in this forum as I used to be, but I still work with osC quite a bit.

If you have a question about any of my posts here, your best bet is to contact me through either Email or PM in my profile, and I'll be happy to help.


ok, i just now removed the autologon contribution and installed SID Killer v1.2

 

i checked my site at http://www.searchengineworld.com/cgi-bin/s.../sim_spider.cgi and there is no session ID attached to the links

 

as far as I know, the Sid Killer will not work properly if you have SSL on a different server than your regular domain

 

is there any known problem i am missing?

 

thanks


Well, many people have problems with it logging me out when I go from a SSL page to a non SSL page.

-------------------------------------------------------------------------------------------------------------------------

NOTE: As of Oct 2006, I'm not as active in this forum as I used to be, but I still work with osC quite a bit.

If you have a question about any of my posts here, your best bet is to contact me through either Email or PM in my profile, and I'll be happy to help.


  • 8 months later...

Guys.....for some reason this mod isn't physically installing a cookie on my machine. I've done everything I can......but no luck.

 

I do have cookies enabled, and am getting them from other sites. I tested it using the code above, and cookies are on...

 

I actually get a cookie on my machine (the temp test cookie) but I don't get the actual logon cookie.

 

Guys?

 

Thanks,

-Chris

Edited by blueline

Chris Sullivan


Hey Chris,

 

I had the same problem...I've been working on getting this implemented on my site but have been very frustrated. What I found was the problem for me was that I was using the "Use Search-Engine Safe URLs" option but the contribution works off of a PHP get path which pulled up "action" for my path. Try sorting your cookies by when they were last modified and play around with it. My cookies were coming up with the domain "action." You need to go into the code if you are having this problem...

 

Hope that helps...

 

Although I'm having a problem of my own. The Autologon feature works great on my computer, but whenever I use my brother's computer, login, close the browser, and open up the site again, I get automatically sent to a secured logoff page. So maybe someone can help me with that one?

 

Maybe the wizards might return and give some help...

 

Thanks

 

-Aaron

Edited by aedmonds

Actually, I am not getting a cookie installed at all. I tried the "test" cookie process in application_top and that works, but the auto login cookies just don't install....

Is your "test" cookie being called with the PHP setcookie function or the OSC tep_setcookie function? I changed all of mine to use the tep_setcookie function...not sure if that makes any difference... <_<

 

Another thing I did was I changed all of the:

$cookie_url_array = parse_url((ENABLE_SSL == true ? HTTPS_SERVER : HTTP_SERVER) . substr(DIR_WS_CATALOG, 0, -1));
$cookie_path = $cookie_url_array['path'];

to the following:

if (function_exists('session_set_cookie_params')) {
session_set_cookie_params(0, $cookie_path, $cookie_domain);
} elseif (function_exists('ini_set')) {
 ini_set('session.cookie_lifetime', '0');
 ini_set('session.cookie_path', $cookie_path);
 ini_set('session.cookie_domain', $cookie_domain);
}

 

Not sure if that has any effect either...guess we'll find out now, won't we....

 

Can somebody tell me if that will affect OSC in any negative way?

 

Thanks

 

-Aaron


Actually, the "test" cookie is being called with the setcookie function that comes with PHP. That works.

 

The other cookie which is being called by the tep_setcookie function is not working.

 

I have included the code below so that you can see.

 

The "test" cookie

// Determine if cookies are enabled  
setcookie("TEMPCOOKIE", "CookieOn", time() + 60 * 60); 
$cookieinfo = $HTTP_COOKIE_VARS["TEMPCOOKIE"]; 
if ($cookieinfo == "CookieOn") {
global $cookies_on;
$cookies_on = true;
}

 

The "autologin" cookie

// HMCS: Begin Autologon	******************************************************************
if ($cookies_on == true) { 
if (ALLOW_AUTOLOGON == 'true') {                                // Is Autologon enabled?
 if (basename($PHP_SELF) != FILENAME_LOGIN) {                  // yes
   if (!tep_session_is_registered('customer_id')) {
     include('includes/modules/autologon.php');
   }
 }
} else {
 setcookie("email_address", "", time() - 3600, $cookie_path);  //no, delete email_address cookie
 setcookie("password", "", time() - 3600, $cookie_path);       //no, delete password cookie
}
}
// HMCS: End Autologon  ******************************************************************

 

Thanks a bunch guys.

-Chris

Chris Sullivan


Actually Chris, the autologon cookie code that you posted is only deleting the cookie. Notice how it is giving a value of "" and the time is set for the past.

Let's see what is in your autologon.php code...


Here ya go. Thanks for the help.

 

<?php
/*
 $Id: autologon.php,v 1.11 2003/01/18 20:00:00  Exp $

 osCommerce, Open Source E-Commerce Solutions
 http://www.oscommerce.com

 Copyright (c) 2003 osCommerce
 Copyright (c) 2003 HMCservices
 Released under the GNU General Public License
*/
if ($cookies_on == true) {

$cookie_url_array = parse_url((ENABLE_SSL == true ? HTTPS_SERVER : HTTP_SERVER) . substr(DIR_WS_CATALOG, 0, -1));
$cookie_path = $cookie_url_array['path'];	
if (($email_address != "") && ($password != "")) {
 $check_customer_query = tep_db_query("select customers_id, customers_firstname, customers_lastname, customers_password, customers_email_address, customers_default_address_id from " . TABLE_CUSTOMERS . " where customers_email_address = '" . tep_db_input($email_address) . "'");
 if (tep_db_num_rows($check_customer_query)) {
   $check_customer = tep_db_fetch_array($check_customer_query);
   if (tep_validate_password($password, $check_customer['customers_password'])) {
      if (SESSION_RECREATE == 'True') {
         tep_session_recreate();
       }
     $check_country_query = tep_db_query("select entry_country_id, entry_zone_id from " . TABLE_ADDRESS_BOOK . " where customers_id = '" . $check_customer['customers_id'] . "' and address_book_id = '" . (int)$check_customer['customers_default_address_id'] . "'");
     $check_country = tep_db_fetch_array($check_country_query);

     $customer_id = $check_customer['customers_id'];
     $customer_default_address_id = $check_customer['customers_default_address_id'];
     $customer_first_name = $check_customer['customers_firstname'];
     $customer_country_id = $check_country['entry_country_id'];
     $customer_zone_id = $check_country['entry_zone_id'];
     if(!tep_session_is_registered('customer_id'))
         tep_session_register('customer_id');
     if(!tep_session_is_registered('customer_default_address_id'))
         tep_session_register('customer_default_address_id');
     if(!tep_session_is_registered('customer_first_name'))
         tep_session_register('customer_first_name');
     if(!tep_session_is_registered('customer_country_id'))
         tep_session_register('customer_country_id');
     if(!tep_session_is_registered('customer_zone_id'))
         tep_session_register('customer_zone_id');

     setcookie('email_address', $email_address, time()+ (365 * 24 * 3600), $cookie_path, '', ((getenv('HTTPS') == 'on') ? 1 : 0));
     setcookie('password', $check_customer['customers_password'], time()+ (365 * 24 * 3600), $cookie_path, '', ((getenv('HTTPS') == 'on') ? 1 : 0));
     $date_now = date('Y-m-d');
     $qr = "update " . TABLE_CUSTOMERS_INFO . " set customers_info_date_of_last_logon = now(), customers_info_number_of_logons = customers_info_number_of_logons+1 where customers_info_id = '" . $customer_id . "'";
     tep_db_query($qr);
     $cart->restore_contents();    // restore cart contents
   }
 }
} else {
 if($autologon_executed != 'true'){
   $autologon_page = '<html><head><meta http-equiv="Refresh" content="0;URL=' . tep_href_link(FILENAME_LOGOFF, '', 'SSL') . '"></head><body></body></html>';
   $autologon_link = ((getenv('HTTPS') == 'on') ? 'https://' : 'http://') . $SERVER_NAME . $REQUEST_URI . (strpos($REQUEST_URI, "?") ? '&' : '?') . SID;
   $autologon_executed = 'true';
   if(!tep_session_is_registered('autologon_link'))
       tep_session_register('autologon_link');
   if(!tep_session_is_registered('autologon_executed'))
       tep_session_register('autologon_executed');
   tep_session_close();
   exit($autologon_page);
 }
}
if (tep_session_is_registered('autologon_link')) {
 $x = $autologon_link;
 tep_session_unregister('autologon_link');
 tep_redirect($x);
}
}
?>

 

Thanks again.

Chris Sullivan
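
The autologon.php listing above writes the customer's e-mail address and the stored `customers_password` value into cookies that last 365 days. An alternative design, as an added example that is not part of the contribution or of osCommerce: the cookie carries a random single-use token and the server keeps only its hash. The `remember_tokens` table, the `remember` cookie and the `remember_*` functions are hypothetical names, and the 30-day lifetime is an assumption.

```php
<?php
// Added example. Table, cookie and function names are hypothetical.
const REMEMBER_TTL = 30 * 24 * 3600;               // assumed 30-day lifetime

// Create a token for a customer; returns the cookie value "selector:validator".
function remember_issue(PDO $db, int $customerId): string
{
    $selector  = bin2hex(random_bytes(9));          // lookup key, not a secret
    $validator = bin2hex(random_bytes(32));         // secret, stored only as a hash
    $db->prepare('INSERT INTO remember_tokens VALUES (?, ?, ?, ?)')
       ->execute([$selector, hash('sha256', $validator), $customerId, time() + REMEMBER_TTL]);
    return $selector . ':' . $validator;
}

// Validate a cookie value. Returns [customer id, replacement cookie value] or null.
function remember_check(PDO $db, string $cookie): ?array
{
    if (!preg_match('/^([0-9a-f]{18}):([0-9a-f]{64})$/', $cookie, $m)) {
        return null;                                // malformed value
    }
    $stmt = $db->prepare('SELECT validator_hash, customers_id, expires FROM remember_tokens WHERE selector = ?');
    $stmt->execute([$m[1]]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    // Single use: the row is deleted whether or not the validator matches.
    $db->prepare('DELETE FROM remember_tokens WHERE selector = ?')->execute([$m[1]]);
    if (!$row || (int)$row['expires'] < time()
        || !hash_equals($row['validator_hash'], hash('sha256', $m[2]))) {
        return null;
    }
    // Rotate: every successful autologin hands out a fresh token.
    return [(int)$row['customers_id'], remember_issue($db, (int)$row['customers_id'])];
}

// Send the cookie from a web request: HTTPS only and not readable by scripts.
function remember_send(string $value): bool
{
    return setcookie('remember', $value, [
        'expires' => time() + REMEMBER_TTL, 'path' => '/',
        'secure' => true, 'httponly' => true, 'samesite' => 'Lax',
    ]);
}

// Constructed demo on an in-memory SQLite database (needs the pdo_sqlite extension).
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE remember_tokens (selector TEXT PRIMARY KEY, validator_hash TEXT, customers_id INTEGER, expires INTEGER)');

$first = remember_issue($db, 42);                   // at login, when "remember me" is chosen
[$customerId, $second] = remember_check($db, $first);
var_dump($customerId);                              // customer restored from the token
var_dump(remember_check($db, $first));              // replay of the already-used token
var_dump(remember_check($db, 'tampered'));          // malformed cookie value
```

Deleting the customer's rows from `remember_tokens` on logout or password change revokes every remembered browser without touching the password itself.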
