osCsid & why you SHOULD lose it

♥FWR Media · January 31, 2011

Many of you would have seen this post: -

What is the osCsid & why you must not loose it.

The title of this topic is very similar on purpose, partly humorous but also because the subject matter is related.

The reason I am starting this topic is that I recently saw an experienced and respected forum member give the following advice to a "low experience" user: -

Force cookies should not be used so you are correct in having it off.

I see this as dangerous or at least bad advice. There is no place in this day and age for the session to be carried via the querystring, it is a significant security hazard allowing such hack vectors as session riding etc.

Some dangers are: -

Hackers hijacking sessions.
Customers logging in as each other and seeing each others private details.
Customers copying links which have the session attached then posting the link on the web. ( leading to all sorts of problems including the above ).

By forcing cookie usage you are ensuring that your shop is far more secure for your customers. Forcing cookie usage should be the standard with querystring based sessions only used by those who CAN'T force cookie usage.

There are no drawbacks to setting up a shop in this way only positives.

What about customers who have cookies off?

Quite simply you cannot shop these days with cookies off. Virtually none of the big shops work if you have this setting, try adding to cart in Amazon.com and you'll get "Please Enable Cookies in your Web Browser to Continue.". Why? because it is insecure to have the session carried via the querystring.

If one of your customers attempts to purchase with cookies set to off in their browser then they will no doubt be used to not being able to buy anything on the web.

Who can't force cookie usage?

Those who are on cheap hosting with cheap ( not full ) shared SSL certificates cannot force cookie usage. In these cases the session has to be carried in the querystring but this should be changed to force cookies just as soon as the shop can afford it.

A small note on setting this up correctly: -

If you have to have the session id in the querystring it is imperative that it is set up correctly.

In admin>Configuration>Sessions Force Cookie Use must be false and Recreate Session must be true.

Persistent osCsid: Installations with incorrectly set up configuration files may have a persistent osCsid ( the osCsid is ALWAYS attached to the querystring ) this is very dangerous and can be solved simply by setting up the configure files correctly. Don't use the "hide the osCsid" contributions as they do more harm than good.

How do I tell if it is set up correctly? Close all browsers then open a new one visiting the front of your shop. If you hover over the links you will see the osCsid attached to all URLs. Now refresh the page and hover the links, the osCsid should be gone, if it isn't then your settings are incorrect and you have the very dangerous situation of persistent session id in the querystring.

What are the required settings to force cookie usage?

A full ( not shared ) SSL certificate that has been issued using the same domain as the site is accessed.

Example: -

If the shop is accessed as www.mysite.com then the certificate has to issued to www.mysite.com

If the shop is accessed without the www ( just mysite.com ) then the certificate has to be issued as just mysite.com

If the site access and the certificate issue is mismatched then the user will see a security warning.

Once the certificate is in place the osCommerce force cookie usage session settings in admin can be changed to on.

Never again will you see a link that has the osCsid attached. ( presuming the site code is good ).

Xpajun · January 31, 2011

Example: -

If the shop is accessed as www.mysite.com then the certificate has to issued to www.mysite.com

If the shop is accessed without the www ( just mysite.com ) then the certificate has to be issued as just mysite.com

If the site access and the certificate issue is mismatched then the user will see a security warning.

Robert,

When I initially had my SSL certificate set up, my hosting company informed me that it didn't matter whether the www. was there or not, it would work correctly.

I have to say that it seems to have...

♥FWR Media · January 31, 2011

Robert,

When I initially had my SSL certificate set up, my hosting company informed me that it didn't matter whether the www. was there or not, it would work correctly.

I have to say that it seems to have...

Maybe it was a wildcard certificate? My experiance was that many years ago I had trouble with this where the client bought an SSL cert as www.mysite.com and then set up shop access as just mysite.com.

spoofy · January 31, 2011

I have had a similar argument not too long ago. In addition to Amazon, you can try a lot of other stores I used in my examples: Target.com, BestBuy.com, BlueFly.com, Zappos.com, Walmart.com

Julian: You were probably setup on a wildcard SSL. Regular SSL will only work on the domain name it was issued for.

♥toyicebear · January 31, 2011

Actually some of the ssl certificate providers now gives you both with and without www included at no extra cost, so check around before purchasing a new SSL certificate.

♥FWR Media · January 31, 2011

Actually some of the ssl certificate providers now gives you both with and without www included at no extra cost, so check around before purchasing a new SSL certificate.

Yes, good point Nick. I have just looked into this and some do offer both.

Ah well my original point still stands but users with this type of cert simply don't need to worry about it.

ErikMM · January 31, 2011

Thank you Robert! +

I did as instructed, but RE: "How do I tell if it is set up correctly?," it appears I am set up incorrectly.

What do I do to "set up the configure files correctly"?

♥FWR Media · January 31, 2011

Thank you Robert! +

I did as instructed, but RE: "How do I tell if it is set up correctly?," it appears I am set up incorrectly.

What do I do to "set up the configure files correctly"?

Where are your files located on the server?

In the root ( site is accessed like www.mysite.com/

Or in a directory ( site is accessed like www.mysite.com/shop/ )

Also is your shop accessed using the www or without?

ErikMM · January 31, 2011

Where are your files located on the server?

In the root ( site is accessed like www.mysite.com/

Or in a directory ( site is accessed like www.mysite.com/shop/ )

Also is your shop accessed using the www or without?

For now it is in a directory.

I am going to change it to the root as soon as I go live/start selling.

No "www."

♥FWR Media · January 31, 2011

For now it is in a directory.

I am going to change it to the root as soon as I go live/start selling.

No "www."

Ok well firstly I'd recommend that you have your domain prefixed with www. but anyway: -

catalog/includes/configure.php

The below assumes: -

Your domain is mysite.com
You do not have SSL enabled
The directory that you have installed the site into is named shop

  define('HTTP_SERVER', 'http://mysite.com');
 define('HTTPS_SERVER', 'http://mysite.com');
 define('ENABLE_SSL', false);
 define('HTTP_COOKIE_DOMAIN', '.mysite.com');
 define('HTTPS_COOKIE_DOMAIN', '.mysite.com');
 define('HTTP_COOKIE_PATH', '/shop/');
 define('HTTPS_COOKIE_PATH', '/shop/');
 define('DIR_WS_HTTP_CATALOG', '/shop/');
 define('DIR_WS_HTTPS_CATALOG', '/shop/');

rwest · January 31, 2011

Hi FWR Media,

I turned Force Cookie Usage to on, and I started getting the message You must have cookies enabled in your browser. I am using Firefox, and I do have cookies enabled. I have been searching for others with this problem, and I have found several, but no fixes. Can you help?

Thanks,

Ron

♥FWR Media · January 31, 2011

Hi FWR Media,

I turned Force Cookie Usage to on, and I started getting the message You must have cookies enabled in your browser. I am using Firefox, and I do have cookies enabled. I have been searching for others with this problem, and I have found several, but no fixes. Can you help?

Thanks,

Ron

The SSL certificate has to be correct and the configure files have to be correct.

I can't really help without seeing the site.

rwest · January 31, 2011

As I couldn't get either my test site nor my production site to let me login, I'd like to get my test site working first.

My site is in a directory, and is accessed via www.mysite.com/test

My SSL cert is built on www.mysite.com

My catalog/includes/configure.php:

define('HTTP_SERVER', 'http://www.mysite.com/test');

define('HTTPS_SERVER', 'https://www.mysite/test');

define('ENABLE_SSL', true); // secure webserver for checkout procedure?

define('HTTP_COOKIE_DOMAIN', 'www.mysite.com/test');

define('HTTPS_COOKIE_DOMAIN', 'www.mysite.com/test');

define('HTTP_COOKIE_PATH', '/');

define('HTTPS_COOKIE_PATH', '/');

Ron

rwest · February 1, 2011

Ok, I used your post above as a model to make the following changes, which now seems to be working.

-thanks

  define('HTTP_SERVER', 'http://www.mysite.com');
 define('HTTPS_SERVER', 'https://www.mysite.com');
 define('ENABLE_SSL', true);
 define('HTTP_COOKIE_DOMAIN', 'www.mysite.com');
 define('HTTPS_COOKIE_DOMAIN', 'www.mysite.com');
 define('HTTP_COOKIE_PATH', '/test/');
 define('HTTPS_COOKIE_PATH', '/test/');
 define('DIR_WS_HTTP_CATALOG', '/test/');
 define('DIR_WS_HTTPS_CATALOG', '/test/');

As I couldn't get either my test site nor my production site to let me login, I'd like to get my test site working first.

My site is in a directory, and is accessed via www.mysite.com/test

My SSL cert is built on www.mysite.com

My catalog/includes/configure.php:
  define('HTTP_SERVER', 'http://www.mysite.com/test');		
 define('HTTPS_SERVER', 'https://www.mysite/test');
 define('ENABLE_SSL', true);			// secure webserver for checkout procedure?
 define('HTTP_COOKIE_DOMAIN', 'www.mysite.com/test');
 define('HTTPS_COOKIE_DOMAIN', 'www.mysite.com/test');
 define('HTTP_COOKIE_PATH', '/');
 define('HTTPS_COOKIE_PATH', '/');
Ron

ErikMM · February 1, 2011

Ok well firstly I'd recommend that you have your domain prefixed with www. but anyway: -

catalog/includes/configure.php

The below assumes: -

Your domain is mysite.com

You do not have SSL enabled

The directory that you have installed the site into is named shop
  define('HTTP_SERVER', 'http://mysite.com');
 define('HTTPS_SERVER', 'http://mysite.com');
 define('ENABLE_SSL', false);
 define('HTTP_COOKIE_DOMAIN', '.mysite.com');
 define('HTTPS_COOKIE_DOMAIN', '.mysite.com');
 define('HTTP_COOKIE_PATH', '/shop/');
 define('HTTPS_COOKIE_PATH', '/shop/');
 define('DIR_WS_HTTP_CATALOG', '/shop/');
 define('DIR_WS_HTTPS_CATALOG', '/shop/');

I do have SSL so I did the above, but changed ENABLE_SSL to true.

I also added www @

define('HTTP_SERVER', 'http://mysite.com');
 define('HTTPS_SERVER', 'http://mysite.com');

but nothing changed at the site....still have no www, and persistent osCsid.

pdcelec · February 1, 2011

I do have SSL so I did the above, but changed ENABLE_SSL to true.

I also added www @
define('HTTP_SERVER', 'http://mysite.com');
 define('HTTPS_SERVER', 'http://mysite.com');
but nothing changed at the site....still have no www, and persistent osCsid.

define('HTTP_SERVER', 'http://mysite.com');

define('HTTPS_SERVER', 'https://mysite.com');

ErikMM · February 1, 2011

define('HTTP_SERVER', 'http://mysite.com');

define('HTTPS_SERVER', 'https://mysite.com');

I did have the "S."

SSL seems to be fine, and www is now working/there, but the oCsid is still persistent.

♥FWR Media · February 1, 2011

I did have the "S."

SSL seems to be fine, and www is now working/there, but the oCsid is still persistent.

Post the first 9 lines of the configure file as given in my posts above, also what is the directory where the shop is installed?

ErikMM · February 1, 2011

Post the first 9 lines of the configure file as given in my posts above, also what is the directory where the shop is installed?

1.define('HTTP_SERVER', 'http://www.mysite.com');

define('HTTPS_SERVER', 'https://www.mysite.com');

define('ENABLE_SSL', true);

define('HTTP_COOKIE_DOMAIN', '.mysite.com');

define('HTTPS_COOKIE_DOMAIN', '.mysite.com');

define('HTTP_COOKIE_PATH', '/catalog/');

define('HTTPS_COOKIE_PATH', '/catalog/');

define('DIR_WS_HTTP_CATALOG', '/catalog/');

define('DIR_WS_HTTPS_CATALOG', '/catalog/');

2. mysite.com/catalog

♥FWR Media · February 1, 2011

1.define('HTTP_SERVER', 'http://www.mysite.com');

define('HTTPS_SERVER', 'https://www.mysite.com');

define('ENABLE_SSL', true);

define('HTTP_COOKIE_DOMAIN', '.mysite.com');

define('HTTPS_COOKIE_DOMAIN', '.mysite.com');

define('HTTP_COOKIE_PATH', '/catalog/');

define('HTTPS_COOKIE_PATH', '/catalog/');

define('DIR_WS_HTTP_CATALOG', '/catalog/');

define('DIR_WS_HTTPS_CATALOG', '/catalog/');

2. mysite.com/catalog

Strange .. that is perfect .. could you PM me a link to the site please?

♥FWR Media · February 2, 2011

@erikMM

I checked your site there is nothing wrong with it.

On first load the osCsid is present, refresh and it is gone, this is standard operation. The only way to get rid of the osCsid totally is forcing cookie use.

♥Biancoblu · February 2, 2011

Thank you for this interesting topic. I recognize myself in the "low experienced user advised to keep force cookie usage set to off".

I have a question about my site...you say:

How do I tell if it is set up correctly? Close all browsers then open a new one visiting the front of your shop. If you hover over the links you will see the osCsid attached to all URLs. Now refresh the page and hover the links, the osCsid should be gone, if it isn't then your settings are incorrect and you have the very dangerous situation of persistent session id in the querystring.

My shop behaves like this, ie when I hover on the links I have the osCid in all urls, when I refresh and hover again, they're gone.

However these are my settings:

force cookie use: false

recreate session: false

If I set force cookie use to true, I lose the osCid completely.

I have a private SSL set up for www.mysite.com, which is the address my shop is accessed from, and my config file is like this:

define('HTTP_SERVER', 'http://www.mysite.com'); 
 define('HTTPS_SERVER', 'https://www.mysite.com');
 define('ENABLE_SSL', true); 
 define('HTTP_COOKIE_DOMAIN', '.mysite.com');
 define('HTTPS_COOKIE_DOMAIN', '.mysite.com');
 define('HTTP_COOKIE_PATH', '/');
 define('HTTPS_COOKIE_PATH', '/');
 define('DIR_WS_HTTP_CATALOG', '/');
 define('DIR_WS_HTTPS_CATALOG', '/');

Are there errors anywhere? and what about the fact that I have force cookie use set to off and the shop still behaves they way you say it should?

♥FWR Media · February 2, 2011

Thank you for this interesting topic. I recognize myself in the "low experienced user advised to keep force cookie usage set to off".

I have a question about my site...you say:

My shop behaves like this, ie when I hover on the links I have the osCid in all urls, when I refresh and hover again, they're gone.

However these are my settings:

force cookie use: false

recreate session: false

If I set force cookie use to true, I lose the osCid completely.

Sounds like your shop is working perfectly and when you set force cookie use to true you should never see the osCsid in the url.

Are there errors anywhere? and what about the fact that I have force cookie use set to off and the shop still behaves they way you say it should?

All looks fine to me, if the shop all works perfectly with force cookie use set to true then I'd leave it like that. A good test is when changing from NON SSL to SSL .. like ..

1) Make sure you are logged out then add a product to cart.

2) Log in as a customer ( you should now be on SSL )

3) Check that the cart still contains its contents.

If the cart is correct then all seems to be working.

♥Biancoblu · February 2, 2011

Thank you for replying.

All looks fine to me, if the shop all works perfectly with force cookie use set to true then I'd leave it like that.

you meant to say force cookie set to false, right? which is how mine is set, just making sure I understand.

1) Make sure you are logged out then add a product to cart.

2) Log in as a customer ( you should now be on SSL )

3) Check that the cart still contains its contents.

I tried and yes it works exactly like that.

So what is the reason behind the fact that sometimes it works fine with force cookie use set to false, and sometimes not?

♥FWR Media · February 2, 2011

So what is the reason behind the fact that sometimes it works fine with force cookie use set to false, and sometimes not?

I haven't seen you describe this.

Could you explain to me exactly what happens when sometimes it doesn't work fine.

Archived

osCsid & why you SHOULD lose it

Recommended Posts

Share this post

Link to post

Share on other sites

Share this post

Link to post

Share on other sites

Share this post

Link to post

Share on other sites

Share this post

Link to post

Share on other sites

Share this post

Link to post

Share on other sites

Share this post

Link to post

Share on other sites

Share this post

Link to post

Share on other sites

Share this post

Link to post

Share on other sites

Share this post

Link to post

Share on other sites

Share this post

Link to post

Share on other sites

Share this post

Link to post

Share on other sites

Share this post

Link to post

Share on other sites

Share this post

Link to post

Share on other sites

Share this post

Link to post

Share on other sites

Share this post

Link to post

Share on other sites

Share this post

Link to post

Share on other sites

Share this post

Link to post

Share on other sites

Share this post

Link to post

Share on other sites

Share this post

Link to post

Share on other sites

Share this post

Link to post

Share on other sites

Share this post

Link to post

Share on other sites

Share this post

Link to post

Share on other sites

Share this post

Link to post

Share on other sites

Share this post

Link to post

Share on other sites

Share this post

Link to post

Share on other sites