
v2.3.2 upgrade experience from v2.3.1


tgely


Hi,

Thanks for the new release first! It works.

I upgraded my shop and will give some advice, if you don't mind.

If you use Security Pro by FWR Media, the return links don't work.

Add exclusions if needed:

  $security_pro->addExclusion('password_reset.php');
  $security_pro->addExclusion('password_forgotten.php');

HTML email updates are needed for the password_forgotten.php templates.

I have tested a lot.

If a customer is already logged in, he/she can still reach password_forgotten.php via a direct link (http://myshop/password_forgotten.php). This is weird, and the login page can be displayed again when the customer is logged in.

 

 

Regards,

Gergely

:blink:
osCommerce based shop owner with minimal design and focused on background works. When the less is more.
Email managment with tracking pixel, package managment for shipping, stock management, warehouse managment with bar code reader, parcel shops management on 3000 pickup points without local store.


@ianhaney

I don't think that you are able to judge the changes of version 2.3.2.

Version 2.3.2 is a major security improvement; there is quite a lot of work in it and the subject is quite complicated.

It's completely indifferent and of no interest to anyone what you will do with your own store.

Everyone should do the upgrade.

EDIT: And please don't hijack the topic; let's discuss here possible issues etc. with the upgrade, connected to addons etc.


If you use Security Pro by FWR Media, the return links don't work.

Add exclusions if needed:

  $security_pro->addExclusion('password_reset.php');
  $security_pro->addExclusion('password_forgotten.php');

Nice catch, thank you Gergely.

If a customer is already logged in, he/she can still reach password_forgotten.php via a direct link (http://myshop/password_forgotten.php). This is weird, and the login page can be displayed again when the customer is logged in.

I added

if (tep_session_is_registered('customer_id')) {
  tep_redirect(tep_href_link(FILENAME_ACCOUNT, '', 'SSL'));
}

in the password_forgotten.php and password_reset.php files, underneath require('includes/application_top.php');

When a person is already logged in, it is undesirable to allow them to use the new reset functionality.

 

 

Cheers, Gary


Hi Gary..

I added

if (tep_session_is_registered('customer_id')) {
  tep_redirect(tep_href_link(FILENAME_ACCOUNT, '', 'SSL'));
}

in the password_forgotten.php and password_reset.php files, underneath require('includes/application_top.php');

When a person is already logged in, it is undesirable to allow them to use the new reset functionality.

That's not really necessary for password_reset.php, as it redirects the customer to password_forgotten.php when no valid e-mail address or password reset key exists in the URL.

 

Kind regards,

:heart:, osCommerce


 

If you use Security Pro by FWR Media, the return links don't work.

Add exclusions if needed:

  $security_pro->addExclusion('password_reset.php');
  $security_pro->addExclusion('password_forgotten.php');

Nice catch, thank you Gergely

Could anyone please tell me where to add that exclusion code exactly? In what file?

Thanks

~ Don't mistake my kindness for weakness ~


if (tep_session_is_registered('customer_id')) {
  tep_redirect(tep_href_link(FILENAME_ACCOUNT, '', 'SSL'));
}

in the password_forgotten.php and password_reset.php files, underneath require('includes/application_top.php');

That's not really necessary for password_reset.php, as it redirects the customer to password_forgotten.php when no valid e-mail address or password reset key exists in the URL.

I just checked the following 2 cases, and in both the system reacts correctly, displaying the message "The password reset link was not found in our records, please try again by generating a new link." and redirecting to password_forgotten.php

Case 1

- click on password forgotten
- enter email
- click on emailed link and log in
- click again on emailed link

Case 2

- click on password forgotten
- enter email
- log in with original (old) password
- click on emailed link

What is not correct, as @Gergely pointed out, is that after password_forgotten.php, clicking "back" I arrive at login.php even when logged in, so @burt's addition makes sense.


What is not correct, as @Gergely pointed out, is that after password_forgotten.php, clicking "back" I arrive at login.php even when logged in, so @burt's addition makes sense.

So the redirect to FILENAME_ACCOUNT can/should be added to password_forgotten.php and login.php...? These links are not visible anywhere after the customer has logged in; the only hole is if a logged-in customer wants to change their password but has forgotten their existing password and somehow gets to password_forgotten.php/login.php (instead of the technically correct logout -> password forgotten method).


@Biancoblu

Hi,

in application_top.php

After this code:

  // Security Pro by FWR Media
  include_once DIR_WS_MODULES . 'fwr_media_security_pro.php';
  $security_pro = new Fwr_Media_Security_Pro;


@Gergely

Thanks, I appreciate it.

Gary and Harald were also telling me in chat that you can also add the excludes to /includes/modules/fwr_media_security_pro.php, line 50.

Thought I'd share in case anybody else wonders.


So the redirect to FILENAME_ACCOUNT can/should be added to password_forgotten.php and login.php...? These links are not visible anywhere after the customer has logged in; the only hole is if a logged-in customer wants to change their password but has forgotten their existing password and somehow gets to password_forgotten.php/login.php (instead of the technically correct logout -> password forgotten method).

There are cases where somebody can arrive at password_forgotten.php/login.php, e.g. the 2 cases above, or in case a store has direct links to those pages placed somewhere without taking care that the links appear only if the user is not logged in.

While we could say that direct links are a store owner's problem (to be more careful about how he creates links), the chance to get to those pages via expected user behavior is there.

People often click multiple times on links.

Another option would be that password_reset.php logs the visitor out by default?


Hi @Harald Ponce de Leon,

the "hole" is not simple. I can be logged in as a customer while my wife has forgotten her password for the same shop. So, to help her, I can generate a new password-forgotten link using her email address. Why not?

We have to decide this: is it useful for logged-in customers, or should they not be allowed to get a new password-forgotten link?

The upgrade is perfect, but I was the silly user :-)


My thought is that logged-in customers should not be able to access the new reset functionality.

They already know their password, and they can change it via the account screen.

It seems to me a little strange, even for a husband/wife, to share such details.


@Biancoblu

@Gergely

Thanks, I appreciate it.

Gary and Harald were also telling me in chat that you can also add the excludes to /includes/modules/fwr_media_security_pro.php, line 50.

Thought I'd share in case anybody else wonders.

Yes, the class functions work everywhere :-) Robert is a good programmer.

I said this because FWR gives these instructions in his code:

  // Security Pro by FWR Media
  include_once DIR_WS_MODULES . 'fwr_media_security_pro.php';
  $security_pro = new Fwr_Media_Security_Pro;
  // If you need to exclude a file from cleansing then you can add it like below
  //$security_pro->addExclusion( 'some_file.php' );

but the module array would be a nicer place. Use it however you like.

There are a lot of possible fixes.

// Array of files to be excluded from cleansing, these can also be added in application_top.php if preferred using Fwr_Media_Security_Pro::addExclusion()


@burt

It seems to me a little strange, even for a husband/wife, to share such details.

:D

I protected my computer boot/BIOS with passwords and bought my wife a new laptop. It's a perfect fix when you are married! :thumbsup:


My thought is that logged-in customers should not be able to access the new reset functionality.

They already know their password, and they can change it via the account screen.

I agree with this; things should be separated: a logged-in customer should not be able to access login, create account, password forgotten and the new password reset.


Consider this scenario:

A customer has their browser remembering passwords. They share the store login credentials and computer with their significant other. Well, things didn't go well in the relationship! They go their separate ways. The main account holder decides to change the password, but they don't remember it (the browser is remembering it for them). The change password functionality on the account_password.php page requires the user to enter their current password. If they don't know the current password and they are logged in, how would they go about changing/resetting their password?

Remember, our customers may not think about internet security as we may.

Keep in mind that the password link will expire after 24 hours or after the action has been completed, whichever comes first. Allowing "logged in" users access to the reset password functionality may be OK??? What do you think about this?


@PassionSeed

This is not as complicated as you say. Logged-in customers can change everything in their account (account.php) but should not be able to reach the password_forgotten.php link directly, for example by going back in the browser, typing password_forgotten.php in the URL bar, or clicking an outdated link in an email. (Email links redirect customers to the password_forgotten.php page if the password has been changed and the link is outdated.)

The redirect in password_reset.php is not good and needs to be changed for outdated mail links. It is easy to fix, but this issue needs the direct-link problems cleared up later as navigation errors.

Possible fix in password_reset.php for outdated links:

if (tep_session_is_registered('customer_id')) {
  // go to the account password page and say hello to silly users :-)
  // 'SSL' added so the redirect matches the other account-page links in this thread
  tep_redirect(tep_href_link(FILENAME_ACCOUNT_PASSWORD, '', 'SSL'));
}


@burt's first fix is the better way. I would complete the account_password.php functionality with silly-user notifications and use the history class to build session notes.

There is a need to separate outdated and live links.

2 Cases:

The live link:

"You are already logged in. Use your account to change your password. If you clicked a link that was not intended for you, log out of the store first and click it again to change the other user's password."

Outdated link:

"You are already logged in. Use your account to change your password."

Regards,

Gergely


I said this because FWR gives these instructions in his code:

  // Security Pro by FWR Media
  include_once DIR_WS_MODULES . 'fwr_media_security_pro.php';
  $security_pro = new Fwr_Media_Security_Pro;
  // If you need to exclude a file from cleansing then you can add it like below
  //$security_pro->addExclusion( 'some_file.php' );

but the module array would be a nicer place. Use it however you like.

There are a lot of possible fixes.

Robert (@FWR Media) is going to release an update to the Add-On soon with an official fix :thumbsup:

Kind regards,


Hello,

I updated all the files as per the instructions. However, when I click on the password forgotten button and enter my email address, it gives an error: "Error: A password reset link has already been sent. Please try again in 5 minutes." No matter what I do, I can't get past that error. What am I missing here?

Please help...


Hi Irina..

I updated all the files as per the instructions. However, when I click on the password forgotten button and enter my email address, it gives an error: "Error: A password reset link has already been sent. Please try again in 5 minutes." No matter what I do, I can't get past that error. What am I missing here?

You have to install and enable the Customer Password Reset Action Recorder module, which is described near the end of the upgrade guide.

The Customer Password Reset Action Recorder module must be enabled at the following page:

Administration Tool -> Modules -> Action Recorder -> Install Module -> Customer Password Reset -> Install Module

Kind regards,

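The thread settles on three rules for the reset flow: a logged-in session is sent to its account page instead of being allowed to use password_forgotten.php / password_reset.php (burt's guard, with Gergely's two messages for live versus outdated links), a reset key is single-use and expires after 24 hours, and a second link for the same address is refused for 5 minutes (the "please try again in 5 minutes" rule that the Customer Password Reset Action Recorder enforces). The following is an added, stand-alone PHP model of those rules written for this page; it is not osCommerce, Security Pro or Action Recorder code, and the class and function names (PasswordResetModel, requestReset, consumeReset, check) and the constructed e-mail address are this example's own.

```php
<?php
// Added example (not osCommerce / Security Pro code): in-memory model of the
// password-reset rules discussed in the thread. Names are this example's own.
declare(strict_types=1);

final class PasswordResetModel
{
    const KEY_LIFETIME     = 24 * 3600; // seconds a reset key stays valid (24 hours)
    const REQUEST_THROTTLE = 5 * 60;    // seconds between reset e-mails per address

    /** @var array<string, array{key:string, created:int, used:bool}> keyed by e-mail */
    private $keys = [];

    /** Step 1: the customer submits the password_forgotten form. */
    public function requestReset(string $email, bool $loggedIn, int $now): array
    {
        if ($loggedIn) {
            // A logged-in customer already knows the password and changes it on
            // the account page, so the reset flow is not offered at all.
            return ['status' => 'redirect', 'to' => 'account.php'];
        }
        if (isset($this->keys[$email])
            && $now - $this->keys[$email]['created'] < self::REQUEST_THROTTLE) {
            return ['status'  => 'error',
                    'message' => 'A password reset link has already been sent. Please try again in 5 minutes.'];
        }
        // The key is the only proof of ownership of the link, so it comes from a CSPRNG.
        $key = bin2hex(random_bytes(16));
        $this->keys[$email] = ['key' => $key, 'created' => $now, 'used' => false];
        return ['status' => 'sent', 'key' => $key];
    }

    /** Step 2: the customer opens the e-mailed password_reset link. */
    public function consumeReset(string $email, string $key, bool $loggedIn, int $now): array
    {
        $record = $this->keys[$email] ?? null;
        $valid  = $record !== null
               && !$record['used']
               && $now - $record['created'] <= self::KEY_LIFETIME
               && hash_equals($record['key'], $key);   // constant-time comparison

        if ($loggedIn) {
            // Gergely's two cases: a live link may belong to another account
            // (log out first); an outdated one just points at the account page.
            return ['status'  => 'redirect', 'to' => 'account_password.php',
                    'message' => $valid
                        ? 'You are already logged in. Use your account to change your password. If you clicked a link that was not intended for you, log out of the store first and click it again.'
                        : 'You are already logged in. Use your account to change your password.'];
        }
        if (!$valid) {
            return ['status'  => 'redirect', 'to' => 'password_forgotten.php',
                    'message' => 'The password reset link was not found in our records, please try again by generating a new link.'];
        }
        $this->keys[$email]['used'] = true;   // single use: a second click is refused
        return ['status' => 'ok'];
    }
}

function check(bool $cond, string $what): void
{
    if (!$cond) {
        throw new RuntimeException('check failed: ' . $what);
    }
}

// Constructed walk-through of "case 1" from the thread plus the throttle and expiry rules.
$model = new PasswordResetModel();
$email = 'customer@example.invalid';   // constructed sample address
$t0    = 1700000000;

$first = $model->requestReset($email, false, $t0);
check($first['status'] === 'sent', 'first request sends a link');
check($model->requestReset($email, false, $t0 + 60)['status'] === 'error', 'second request within 5 minutes is throttled');
check($model->consumeReset($email, $first['key'], false, $t0 + 120)['status'] === 'ok', 'fresh link is accepted once');
check($model->consumeReset($email, $first['key'], false, $t0 + 180)['to'] === 'password_forgotten.php', 'used link is refused');
check($model->consumeReset($email, 'not-the-key', false, $t0 + 180)['to'] === 'password_forgotten.php', 'wrong key is refused');

$second = $model->requestReset($email, false, $t0 + 600);
check($second['status'] === 'sent', 'request after the 5-minute window is allowed');
check($model->consumeReset($email, $second['key'], true, $t0 + 700)['to'] === 'account_password.php', 'logged-in session is sent to the account page');
check($model->requestReset($email, true, $t0 + 700)['to'] === 'account.php', 'logged-in session cannot request a link');
check($model->consumeReset($email, $second['key'], false, $t0 + 600 + 2 * 86400)['to'] === 'password_forgotten.php', 'link older than 24 hours is refused');

echo "all checks passed\n";
```

Run it with `php password_reset_model.php`; it prints "all checks passed" when every rule holds. The store-side equivalent of `requestReset` is the `tep_session_is_registered('customer_id')` guard from this thread placed under `require('includes/application_top.php')`, with the throttle supplied by the Action Recorder module rather than an in-memory array.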

Archived

This topic is now archived and is closed to further replies.
