Vger

This has been really bugging me. Those of you who use osCommerce will know that with each link there's a horrendously huge session id appended, which can be a problem when search engines trawl the site. Some (Google for one) won't properly index your site wit this feature. It's also true that if you haven't set 'Prevent spider sessions' to true in your admin section - spiders will create session ids, and it can appear that you've made hundreds of sales.

But the most worrying thing is that these session ids can get mixed up if you have a number of people on your site at the same time - and people have ended up logging into their account to find themselves looking at the details of someone else's account - not good!

The answer to both these problems is to turn on 'Force cookie use' in the admin panel. This replaces those session ids with cookies. But myself, and a lot of other people have not been able to get this feature to work. With this feature turned on whenever you tried to Login or Create An Account you ended up on the cookie_usage.php page which told you that you did not have cookies enabled in your browser (even when you did).

That is , until now! I have finally cracked it! It turned out to be a simple (agh agh) configuration problem. So, if anyone else is stuck with this then pm me and I'll tell you what the settings should be.

Hope this helps - Vger

__________________
Working with computers is a bit like getting old - the longer you're around the more wrinkles you find!

Robin

Hi,
I am using the config files you kindly fixed up for me. I have finally found some time to work on the site and all seems ok other than when I go to log on. Then the cookie usage screen comes up, but if I hit continue and try to logon again it works and the logon screen appears. This works fine until I clear the browser cache and cookies. Then back to square 1 again.and the cookie usage screen. Any advice would be welcome please.
Robin

Vger

I should have posted the solution here anyway. Basically, this is the problem -

Provided that the config files are otherwise set up correctly, it is a cookie setting problem in the includes/configure.php file

This is the code I was using (this is for a shared ssl)

It should just have been left empty, as in

And this is the same for a full ssl.

But, in your case, it does sound as though there is something else going on. If the above does not work for you then send me your config files and I'll take a look at them for you admin[at]terranetwork.net

Hope this helps - Rhea

__________________
Working with computers is a bit like getting old - the longer you're around the more wrinkles you find!

Robin

Thanks Rhea,
I am using the config files you sent me before and I can't see any problems there.
This is where it gets weird: I have narrowed down the problem some more. It works perfectly If I hit the "my accoount " link and goes straight to the login screen. It is only if I hit the"log yourself in" link in the default home page text that I get the cookie usage screen.
It works fine with sessions and with SSL set to false. Maybe it is a bug. Has anyone tried hitting the "log yourself in " link with a clean cache using a shared SSL and cookies forced? I have tried using IE6 and firefox. That cookie usage screen is getting way to familiair a sight I am having dreams about it.
Rob

Vger

Okay. When I first set this up (successfully) it was for a site running a full ssl. But then I also set it up on three other sites using the united hosting shared ssl. None of them have any problems - all of them work fine. This applies to Login, Create an account, and to My Account. This is the includes/configure.php file I use for a shared ssl - can't remember now if it is different from what I originally posted (but don't think so). However, I will check those posts out and amend if necessary. It is for an install in the root directory.
Hope this helps - Rhea

__________________
Working with computers is a bit like getting old - the longer you're around the more wrinkles you find!

Robin

many thanks again I am going to sort this if it kills me .It's kinda simple in a complicated way.
It is good to know that a result is achieveable.
Rob

Robin

Hi,
this explains exactly why I am having the problem as far as I can work out: http://wiki.oscommerce.com/proposalSecurityAndPrivacy
I am intrigued as to how you got it to work where I cannot and the statement says it should not work as cookies are specific to domains.
my config files are:

<?php
/*
osCommerce, Open Source E-Commerce Solutions
http://www.oscommerce.com

Copyright (c) 2003 osCommerce

Released under the GNU General Public License
*/

// Define the webserver and path parameters
// * DIR_FS_* = Filesystem directories (local/physical)
// * DIR_WS_* = Webserver directories (virtual/URL)
define('HTTP_SERVER', 'http://www.mydomain.com'); // eg, http://localhost - should not be empty for productive servers
define('HTTPS_SERVER', 'https://talon.xssl.net/mydomain.com'); // eg, https://localhost - should not be empty for productive servers
define('ENABLE_SSL',true); // secure webserver for checkout procedure?
define('HTTP_COOKIE_DOMAIN', 'www.mydomain.com');
define('HTTPS_COOKIE_DOMAIN', '');
define('HTTP_COOKIE_PATH', '/');
define('HTTPS_COOKIE_PATH', '/');
define('DIR_WS_HTTP_CATALOG', '/');
define('DIR_WS_HTTPS_CATALOG', '/');
define('DIR_WS_IMAGES', 'images/');
define('DIR_WS_ICONS', DIR_WS_IMAGES . 'icons/');
define('DIR_WS_INCLUDES', 'includes/');
define('DIR_WS_BOXES', DIR_WS_INCLUDES . 'boxes/');
define('DIR_WS_FUNCTIONS', DIR_WS_INCLUDES . 'functions/');
define('DIR_WS_CLASSES', DIR_WS_INCLUDES . 'classes/');
define('DIR_WS_MODULES', DIR_WS_INCLUDES . 'modules/');
define('DIR_WS_LANGUAGES', DIR_WS_INCLUDES . 'languages/');

define('DIR_WS_DOWNLOAD_PUBLIC', 'pub/');
define('DIR_FS_CATALOG', '/var/www/html/');
define('DIR_FS_DOWNLOAD', DIR_FS_CATALOG . 'download/');
define('DIR_FS_DOWNLOAD_PUBLIC', DIR_FS_CATALOG . 'pub/');

// define our database connection
define('DB_SERVER', '127.0.0.1'); // eg, localhost - should not be empty for productive servers
define('DB_SERVER_USERNAME', '****');
define('DB_SERVER_PASSWORD', '******');
define('DB_DATABASE', 'mydomain_com_-_oscommerce');
define('USE_PCONNECT', 'false'); // use persistent connections?
define('STORE_SESSIONS', 'mysql'); // leave empty '' for default handler or set to 'mysql' ?>

<?php
/*
osCommerce, Open Source E-Commerce Solutions
http://www.oscommerce.com

Copyright (c) 2003 osCommerce

Released under the GNU General Public License
*/

// Define the webserver and path parameters
// * DIR_FS_* = Filesystem directories (local/physical)
// * DIR_WS_* = Webserver directories (virtual/URL)
define('HTTP_SERVER', 'http://www.mydomain.com'); // eg, http://localhost - should not be empty for productive servers
define('HTTP_CATALOG_SERVER', 'http://www.mydomain.com');
define('HTTPS_CATALOG_SERVER', 'https://talon.xssl.net/mydomain.com');
define('ENABLE_SSL_CATALOG', 'true'); // secure webserver for catalog module
define('DIR_FS_DOCUMENT_ROOT', '/var/www/html/'); // where the pages are located on the server
define('DIR_WS_ADMIN', '/control/'); // absolute path required
define('DIR_FS_ADMIN', '/var/www/html/control/'); // absolute pate required
define('DIR_WS_CATALOG', '/'); // absolute path required
define('DIR_FS_CATALOG', '/var/www/html/'); // absolute path required
define('DIR_WS_IMAGES', 'images/');
define('DIR_WS_ICONS', DIR_WS_IMAGES . 'icons/');
define('DIR_WS_CATALOG_IMAGES', DIR_WS_CATALOG . 'images/');
define('DIR_WS_INCLUDES', 'includes/');
define('DIR_WS_BOXES', DIR_WS_INCLUDES . 'boxes/');
define('DIR_WS_FUNCTIONS', DIR_WS_INCLUDES . 'functions/');
define('DIR_WS_CLASSES', DIR_WS_INCLUDES . 'classes/');
define('DIR_WS_MODULES', DIR_WS_INCLUDES . 'modules/');
define('DIR_WS_LANGUAGES', DIR_WS_INCLUDES . 'languages/');
define('DIR_WS_CATALOG_LANGUAGES', DIR_WS_CATALOG . 'includes/languages/');
define('DIR_FS_CATALOG_LANGUAGES', DIR_FS_CATALOG . 'includes/languages/');
define('DIR_FS_CATALOG_IMAGES', DIR_FS_CATALOG . 'images/');
define('DIR_FS_CATALOG_MODULES', DIR_FS_CATALOG . 'includes/modules/');
define('DIR_FS_BACKUP', DIR_FS_ADMIN . 'backups/');

// define our database connection
define('DB_SERVER', '127.0.0.1'); // eg, localhost - should not be empty for productive servers
define('DB_SERVER_USERNAME', '*****');
define('DB_SERVER_PASSWORD', '*****');
define('DB_DATABASE', 'mydomain_com_-_oscommerce');
define('USE_PCONNECT', 'false'); // use persisstent connections?
define('STORE_SESSIONS', 'mysql'); // leave empty '' for default handler or set to 'mysql' ?>

Maybe that statement is old and something has changed
Robin

Vger

I can see what you mean by that link - according to which the 'force cookie use' should not work on a shared ssl. However I do have it working on three shared ssl's and one full ssl. The only differences I can see in your config files and mine are quite minor, but they may make a difference.

Where it says (in your file) ENABLE_SSL',true there is no space between the comma and true. In my file that space is includd, and reads ENABLE_SSL', true

In your two config files on each final line the '?>' is at the end of the line. On my config files, and all original config files, the close php command comes one line below, on its own seperate line. This should not make a difference, but perhaps it does. Also, check on both of your config files that there are no 'white spaces' after that closing php statement. If there is even one extra space it will screw things up.

Hope this helps - Vger

__________________
Working with computers is a bit like getting old - the longer you're around the more wrinkles you find!

Robin

Many thanks Rhea.
I will implement those changes. I think they are only in the pasted version I posted here as I word wrapped it before I copied it. I have reinstalled oscommerce a few times and reinstalled the site twice trying to fix this.
You know it will be the simplest smallest thing that was wrong. It's one of those situations where you learn loads more things than you would have if it worked right first time.
That must be a good thing he said trying to convince himself.
Robin

Vger

Robin - write to me at admin[at]terranetwork.net. If you are willing to trust me with the info, username and password for ftp, osCommerce 'admin' etc, I'll take a look at your files for you. We are both on the same system, so it should work for you the way that it does for me.

Rhea

__________________
Working with computers is a bit like getting old - the longer you're around the more wrinkles you find!

tpersky

Hello. I used your fix Vger on my own site, and with forced cookies set as "on" in OScommerce, it seems to work correctly now. Instead of hitting the forced cookie "page" it now takes me to my https://... secure area.

However I have noticed one thing... Let's say I log in as a customer, and I'm in the https:// secure area, but for some reason I click on one of the main category areas of my site, it kicks me right back out to an unsecure site. Is there a way to make sure that once someone logs into their account, and then they click on the area outside, they stay in the secure area?

Just curious... If there is not a way, then thats fine.

I also read here about how shared SSL certificates sometimes don't work well with forced cookie sessions. I am also on a Shared SSL.

http://www.oscommerce.info/kb/osComm...lementations/4

Any help or advice would be appreciated.

tpersky

Quick Addendum here. In reference to my post about staying on the secure SSL area once logged into the store as a member, it seems it's ok I suppose. I just realized that even though when I surf other products it was back at an unsecure site, when i hit checkout... it brought me back to the https area.

Vger

Moving between the secure and non-secure areas of the site is normal behaviour - only certain areas of the site needing to be on https.

My knowledge has moved on since this thread first began, and basically the Force Cookie Use feature checks the http domain against the https domain and they must match. You can get around this by using (in your includes/configure.php file) the shared address for both http and https connections e.g. http://servername.xssl.net/yourdomain.com and https://servername.xssl.net/yourdomain.com (that's for a reseller account). For a non-reseller account substiture xssl.net with unitedhosting.co.uk

Vger

__________________
Working with computers is a bit like getting old - the longer you're around the more wrinkles you find!

tpersky

Ok. So out of the code below...

Are these 2 lines the ones your referring to?

define('HTTP_SERVER', 'http://mydomain.com'); // eg, http://localhost - should not be empty for productive servers
define('HTTPS_SERVER', 'https://mydomain.authsecure.com'); // eg, https://localhost - should not be empty for productive servers


/ Define the webserver and path parameters
// * DIR_FS_* = Filesystem directories (local/physical)
// * DIR_WS_* = Webserver directories (virtual/URL)
define('HTTP_SERVER', 'http://mydomain.com'); // eg, http://localhost - should not be empty for productive servers
define('HTTPS_SERVER', 'https://mydomain.authsecure.com'); // eg, https://localhost - should not be empty for productive servers
define('ENABLE_SSL', true); // secure webserver for checkout procedure?
define('HTTP_COOKIE_DOMAIN', 'gamesoftco.com');
define('HTTPS_COOKIE_DOMAIN', '');
define('HTTP_COOKIE_PATH', '/');
define('HTTPS_COOKIE_PATH', '/');
define('DIR_WS_HTTP_CATALOG', '/');
define('DIR_WS_HTTPS_CATALOG', '/');
define('DIR_WS_IMAGES', 'images/');
define('DIR_WS_ICONS', DIR_WS_IMAGES . 'icons/');
define('DIR_WS_INCLUDES', 'includes/');
define('DIR_WS_BOXES', DIR_WS_INCLUDES . 'boxes/');
define('DIR_WS_FUNCTIONS', DIR_WS_INCLUDES . 'functions/');
define('DIR_WS_CLASSES', DIR_WS_INCLUDES . 'classes/');
define('DIR_WS_MODULES', DIR_WS_INCLUDES . 'modules/');
define('DIR_WS_LANGUAGES', DIR_WS_INCLUDES . 'languages/');

Vger

Those are the lines I refer to, but what's that got to do with hosting on UH's shared ssl cert? It appears from those lines that the site is hosted elsewhere.

Vger

__________________
Working with computers is a bit like getting old - the longer you're around the more wrinkles you find!

tpersky

I had no Idea this was strictly a site for UH customers. I have over 200 servers located with different providers at different datacenters. I was simply trying to find a fix with one of my OS commerce sites. Thanks for the info.

Vger

The forum is not just for UH customers, but as we know how UH servers and their ssl facilities work it's easier to advise.

Vger

__________________
Working with computers is a bit like getting old - the longer you're around the more wrinkles you find!

Andy

Would be handy if UH customers were identified as being customers really. It does say in the logo "United Hosting Customer Community" in the logo in smaller print. It's interesting though how non-UH-customers end up here. I guess Google must be the biggest source of non-customers getting here. I've even accidentally come across my own posts on this forum high up in Google before.

Andy

Bocuma

*Laughs at Andy* Quite surprising to find something you think is relevant just ends up being yourself in Google.
(sorry off-topic)

Would not having a domain set on the cookies cause a security problem? Any web site visited would have access to the info stored in the cookie.

It's an interesting thread this one - I'll investigate osCommerce a bit more and see if I can come up with anything.

__________________
Kind regards,

Bocuma

BroadcastMagic
Free newsletter & e-zine publishing
www.broadcastmagic.co.uk

------
"Some mornings it just isn't worth chewing through the straps"

jackit

Having been surfing on this issue quite a while and still couldn't come up any solution. Any news for this thread?