Force Cookie usage


Vger


I have been trying to enable the 'force cookie usage' option via the control panel, so that users whose browsers accept cookies won't have to use a session id (which can create a security problem). However, when I set this to true, and go to the site to login I end up on the cookie_usage.php page which tells me that my browser won't accept cookies (which is nonsense). Anyone else had this problem and know of possible solutions to it?

 

Many Thanks - Vger


I'm also having troubles with this. I've just started to experiment with osC. Right now I'm developing locally in Windows running Apache 2/mySQL/PHP 4. Cookies are enabled in my browser, and I'm asking it to force cookie usage, but when I try to check out or do anything requiring cookies, I go to the cookie_usage.php.

 

Thanks, -Mike

osC will try to place a cookie before using session id's as default. Enabling force cookie use stops the session id's and will not let someone who does not accept cookies use your site.

The Knowledge Base is a wonderful thing.

Do you have a problem? Have you checked out Common Problems?

There are many very useful osC Contributions

Are you having trouble with a installed contribution? Have you checked out the support thread found Here

BACKUP BACKUP BACKUP!!! You did backup, right??


What I'm saying is that my browser has cookies enabled; I can get anywhere else online that requires cookies except my own site. The problem is with my website, not my browser. My question is, "How do I fix my osCommerce site so that browsers with cookies enabled can actually use the website when force cookie usage is set?"

 

-Mike


Mike,

 

This "cookie not enabled" thing seems to be a problem for many people...

 

Have you tried removing all leading blanks before "setcookie" in the "tep_setcookie" function in "general.php" such as:

 

setcookie($name, $value, $expire, $path, ...etc.

instead of :

_ _ _ setcookie($name, $value, $expire, $path, ...etc.

 

- Gil

I do not know what causes that problem but if you enable force cookie usage anyone that has cookies disable in their browser will not be able to shop at your site! To me this does not seem like a good thing to do as you are chasing away potential customers.


Mike,

 

Does the $cookie_domain variable in "application_top.php" resolve to something without a '.' (dot) in it? Or with a "_" (underscore)?

Add the line (and remove it afterwards) echo "domain:[$cookie_domain] === test:[".isset($HTTP_COOKIE_VARS['cookie_test'])."]";

after the line tep_setcookie('cookie_test', 'please_accept_for_session', time()+60*60*24*30, $cookie_path, $cookie_domain); to check that (and don't worry about eventual error messages)

 

It seems a common problem with IE 6.x and/or XP, associated with setting a cookie on "localhost". It will take a knowledgeable person to help you (i.e. not me !). If and when you get a solution, let us know (I have the problem too when running on my local PC).

 

- Gil


Mike,

 

I may have found the solution. At least it works for me.

 

in file "...../includes/configure.php" (make it writeable first), modify the line

define('HTTP_COOKIE_DOMAIN', '....whatever you have here...');

with

define('HTTP_COOKIE_DOMAIN', $_SERVER['HTTP_HOST']);

 

Let us know if that fixes your problem too.

 

Warning : I don't know enough about security so I just hope this is not creating a hole in the system.

 

- Gil (3 posts on this topic: time to go to bed...)


None of the above solutions have worked for me. If anybody has anything else that has worked for their website, that would be great. Thank you!

 

-Mike


This is a major problem, and possible bug with osCommerce. As far as I understand it, when you enable 'force cookie usage' what it should do is to set a cookie if enabled, and to use a session id if cookies are not enabled. At no time should you end up on the cookie_usage page. The reason it is essential that it works in this way is that if you have more than one person on your site at the same time it is possible for their orders to get mixed up (because of session id overlap), and it is also possible for them to end up in someone else's 'account' area. A major problem. It would be good if one of the 'team members' could give some guidance on how this is supposed to work.

 

Vger


Vger and Mike,

 

You're not giving much info on your setup so, on top of my extremely limited knowledge of osCommerce and PHP, I can only make guesses but I assume you checked that your config.php files don't have "localhost" or other non-dotted name for the servers and cookie domains. May I suggest you give your config.php files here (without the DB_xxxxx parts).

 

Also, how do you invoke your shop in your browser ?

Which browser/version do you use ? Which OS/version ?

What is in your hosts file (somewhere in your OS path) ?

 

As for an osCommerce bug, as far as I could find out, it uses pretty straight PHP cookie functions so I doubt it but osCommerce gurus may step in and say what they think.


My configure.php files had localhost for three servers. I changed two with no noticeable effect; changing the third resulted in error 1046 database not found.

HTTP_SERVER from http://localhost to http://[ip address]

HTTP_COOKIE_DOMAIN from http://localhost to http://[ip address]

DB_SERVER was and still is 'localhost'

 

This did not solve the problem. By the way, my installation is still pretty much 'out of the box.'

 

I'm using IE6-SP1 on WinXP-SP1.

 

My hosts file contains (besides comments) only 127.0.0.1, the localhost. I could put in my specific IP address as the localhost, but that didn't seem to change anything so I changed it back.

 

If by "invoke my shop" you mean how do I get to it, I go to "http://localhost/osc/catalog/" and then try something requiring cookies, such as "My Account" or "Buy Now!".

 

My configure.php file from catalog/includes:

 

define('HTTP_SERVER', 'http://ip.add.ress'); // eg, http://localhost - should not be empty for productive servers
define('HTTPS_SERVER', ''); // eg, https://localhost - should not be empty for productive servers
define('ENABLE_SSL', false); // secure webserver for checkout procedure?
define('HTTP_COOKIE_DOMAIN', 'http://ip.add.ress');
define('HTTPS_COOKIE_DOMAIN', '');
define('HTTP_COOKIE_PATH', '/osc/catalog/');
define('HTTPS_COOKIE_PATH', '');
define('DIR_WS_HTTP_CATALOG', '/osc/catalog/');
define('DIR_WS_HTTPS_CATALOG', '');
define('DIR_WS_IMAGES', 'images/');
define('DIR_WS_ICONS', DIR_WS_IMAGES . 'icons/');
define('DIR_WS_INCLUDES', 'includes/');
define('DIR_WS_BOXES', DIR_WS_INCLUDES . 'boxes/');
define('DIR_WS_FUNCTIONS', DIR_WS_INCLUDES . 'functions/');
define('DIR_WS_CLASSES', DIR_WS_INCLUDES . 'classes/');
define('DIR_WS_MODULES', DIR_WS_INCLUDES . 'modules/');
define('DIR_WS_LANGUAGES', DIR_WS_INCLUDES . 'languages/');
define('DIR_WS_DOWNLOAD_PUBLIC', 'pub/');
define('DIR_FS_CATALOG', 'storedlocally/osc/catalog/');
define('DIR_FS_DOWNLOAD', DIR_FS_CATALOG . 'download/');
define('DIR_FS_DOWNLOAD_PUBLIC', DIR_FS_CATALOG . 'pub/');

 

My configure.php file from admin/includes:

 

define('HTTP_SERVER', 'http://ip.add.ress'); // eg, http://localhost - should not be empty for productive servers
define('HTTP_CATALOG_SERVER', 'http://ip.add.ress');
define('HTTPS_CATALOG_SERVER', '');
define('ENABLE_SSL_CATALOG', 'false'); // secure webserver for catalog module
define('DIR_FS_DOCUMENT_ROOT', 'storedlocally/osc/catalog/'); // where the pages are located on the server
define('DIR_WS_ADMIN', '/osc/catalog/admin/'); // absolute path required
define('DIR_FS_ADMIN', 'storedlocally/osc/catalog/admin/'); // absolute path required
define('DIR_WS_CATALOG', '/osc/catalog/'); // absolute path required
define('DIR_FS_CATALOG', 'storedlocally/osc/catalog/'); // absolute path required
define('DIR_WS_IMAGES', 'images/');
define('DIR_WS_ICONS', DIR_WS_IMAGES . 'icons/');
define('DIR_WS_CATALOG_IMAGES', DIR_WS_CATALOG . 'images/');
define('DIR_WS_INCLUDES', 'includes/');
define('DIR_WS_BOXES', DIR_WS_INCLUDES . 'boxes/');
define('DIR_WS_FUNCTIONS', DIR_WS_INCLUDES . 'functions/');
define('DIR_WS_CLASSES', DIR_WS_INCLUDES . 'classes/');
define('DIR_WS_MODULES', DIR_WS_INCLUDES . 'modules/');
define('DIR_WS_LANGUAGES', DIR_WS_INCLUDES . 'languages/');
define('DIR_WS_CATALOG_LANGUAGES', DIR_WS_CATALOG . 'includes/languages/');
define('DIR_FS_CATALOG_LANGUAGES', DIR_FS_CATALOG . 'includes/languages/');
define('DIR_FS_CATALOG_IMAGES', DIR_FS_CATALOG . 'images/');
define('DIR_FS_CATALOG_MODULES', DIR_FS_CATALOG . 'includes/modules/');
define('DIR_FS_BACKUP', DIR_FS_ADMIN . 'backups/');

 

I hope this helps so that you can help! Thanks! -Mike


As far as I know the cookie domain shouldn't have the leading "http://" bit so try changing that to define('HTTP_COOKIE_DOMAIN', 'ip.add.ress');

 

Try calling your shop with http://ip.add.ress/osc/catalog/ or http://127.0.0.1/osc/catalog/ rather than http://localhost/osc/catalog/

 

if it still doesn't work, try these :

define('HTTP_SERVER', "http://".$_SERVER['HTTP_HOST']);
define('HTTPS_SERVER', '');
define('HTTP_HOME', HTTP_SERVER. "/osc/catalog/");
define('HTTP_COOKIE_DOMAIN', $_SERVER['HTTP_HOST']);
define('HTTPS_COOKIE_DOMAIN', '');
define('HTTP_COOKIE_PATH', '/osc/catalog/');
define('HTTPS_COOKIE_PATH', '/osc/catalog/');

 

and if this still fails I think I give up ! :-)

let us know how it goes.


yes the cookie domain should not have the http:// so therefore you should have

define('HTTP_COOKIE_DOMAIN', 'ip.add.ress');

No longer giving free advice. Please place deposit in meter slot provided.  Individual: [=] SME: [==] Corporation: [===]
If deposit does not fit one of the slots provided then you are asking too much! :P

Is your Osc dated try Phoenix  raising oscommerce from the ashes.


That was the fix; for anyone else who looks at this in the future, replace localhost with the IP address, no http://. Thanks to all who helped me!

 

Sincerely, Mike Clemson

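The cookie-domain fix this thread arrives at, together with the earlier worry about filling HTTP_COOKIE_DOMAIN from $_SERVER['HTTP_HOST'], as an added PHP 7+ example (not osCommerce code and not written by any poster here). The helper names bare_host() and cookie_domain_for() and the sample hosts are hypothetical; the helper strips a scheme, path and port, accepts a request host only if it is on an allowlist, and returns an empty string (no Domain attribute, so a host-only cookie) for dotless names such as localhost and for IPv4 literals.

```php
<?php
// Added example; function names and sample hosts are hypothetical, not osCommerce code.
// Assumes hostnames and IPv4 literals only (no bracketed IPv6 hosts).

/** Reduce a value such as 'http://shop.example.test:8080/osc/' to its bare host. */
function bare_host(string $value): string
{
    $value = strtolower(trim($value));
    $value = preg_replace('~^[a-z][a-z0-9+.-]*://~', '', $value); // drop "http://"
    $value = preg_replace('~[/?#].*$~', '', $value);              // drop path and query
    $value = preg_replace('~:\d+$~', '', $value);                 // drop port
    return rtrim($value, '.');
}

/**
 * Value to pass as setcookie()'s $domain argument. An empty string makes PHP
 * omit the Domain attribute, so the browser stores a host-only cookie.
 */
function cookie_domain_for(string $requestHost, array $allowedHosts): string
{
    $host = bare_host($requestHost);
    // The Host header is supplied by the client: check it before it reaches Set-Cookie.
    if (!in_array($host, array_map('bare_host', $allowedHosts), true)) {
        throw new InvalidArgumentException("unexpected host: $host");
    }
    // Dotless names (localhost) and IP literals get a host-only cookie.
    if (strpos($host, '.') === false || filter_var($host, FILTER_VALIDATE_IP)) {
        return '';
    }
    return $host;
}

// Constructed allowlist and request hosts.
$allowed = ['http://localhost', 'http://192.0.2.10', 'shop.example.test'];
foreach (['localhost', '192.0.2.10:80', 'shop.example.test', 'other.example.net'] as $h) {
    try {
        printf("%-20s => domain %s\n", $h, var_export(cookie_domain_for($h, $allowed), true));
    } catch (InvalidArgumentException $e) {
        printf("%-20s => rejected (%s)\n", $h, $e->getMessage());
    }
}
```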

  • 2 weeks later...

Here is my 2 cents...

 

I think there IS a bug in OS Commerce, unless my logic is all wrong.

 

Around line 169, we have some code like the following:

 

// start the session
$session_started = false;
if (SESSION_FORCE_COOKIE_USE == 'True') {
  tep_setcookie('cookie_test', 'please_accept_for_session', time()+60*60*24*30, $cookie_path, $cookie_domain);

  if (isset($HTTP_COOKIE_VARS['cookie_test'])) {
    tep_session_start();
    $session_started = true;
  }
} elseif (SESSION_BLOCK_SPIDERS == 'True') {

 

The problem is... you can't set a cookie and expect it to be visible until the next page "load". In short, the tep_setcookie call will not have ANY bearing on isset unless the cookie was already set.

 

With my setup, I am sending the session id as a get parameter (as part of the url) in the href to any SSL page (I am using SSL). The problem is, if you click to go to a secure page on the first visit to the site, the cookie is not set and therefore the session id is unknown. The call to the SSL page will not have the session id, and when the SSL page tries to get the cookie, it will fail and display the cookie usage page. Keep in mind I need to pass the session id over manually to "bridge" the SSL and non-SSL servers as I am not using the same domain for the SSL server.

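The timing described in the post above (a cookie sent in a response can only appear in the cookie array of a later request) can be handled with a two-request probe. This is an added PHP 7.1+ example, not osCommerce code and not from the poster; cookie_probe_step() and the cookie_probe query flag are hypothetical names, and the request sequence is constructed.

```php
<?php
// Added example; function, constant and flag names are hypothetical, not osCommerce code.

const PROBE_COOKIE = 'cookie_test';   // same cookie name the quoted snippet uses
const PROBE_FLAG   = 'cookie_probe';  // marks the redirected (second) request

/**
 * Decide what to do with one request. $cookies and $query stand in for
 * $_COOKIE and $_GET so the logic can be run from the command line.
 * Returns 'start_session', 'probe' or 'no_cookies'.
 */
function cookie_probe_step(array $cookies, array $query): string
{
    if (isset($cookies[PROBE_COOKIE])) {
        // The browser sent the probe cookie back, so cookies work:
        // the page can start the session without a session id in the URL.
        return 'start_session';
    }
    if (isset($query[PROBE_FLAG])) {
        // This is already the redirected request and the cookie is still
        // missing: the browser refused it, so show the cookie usage page.
        return 'no_cookies';
    }
    // First contact: the page sends Set-Cookie and redirects once to the same
    // URL with PROBE_FLAG added, so the next request can prove the cookie stuck.
    return 'probe';
}

// Constructed request sequence: (cookies, query) per request.
$requests = [
    'first visit'              => [[], []],
    'redirect, cookie kept'    => [[PROBE_COOKIE => 'please_accept_for_session'], [PROBE_FLAG => '1']],
    'redirect, cookie refused' => [[], [PROBE_FLAG => '1']],
    'later page, cookie kept'  => [[PROBE_COOKIE => 'please_accept_for_session'], []],
];
foreach ($requests as $label => [$cookies, $query]) {
    printf("%-26s => %s\n", $label, cookie_probe_step($cookies, $query));
}
```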

  • 6 years later...

I'm having a similar issue with my website.

 

I enabled cookie use from admin page, but now when I go back to admin page, I can't seem to log back in to do anything. It just redirects me to the admin login page again.

 

Could someone help please ?

 

Is there a way to turn off force cookie use manually? (through database, etc...)


Archived

This topic is now archived and is closed to further replies.
