Loaded Commerce Community

Board index » CRE Loaded Support » CRE Loaded 6.2

All times are UTC - 5 hours

 Post subject: Need to remove osCsid from explorer bar for security...
PostPosted: Wed Sep 07, 2005 1:11 pm 
CRE Freak

Joined: Fri Jul 08, 2005 12:00 am
Posts: 51
I do not like having all the SID numbers show up for the phpsessionID...

/*https://host154.ipowerweb.com/~wholesal/login.php?wiz_id=b7fcc788bf*************87

how do I get it to only display...

/*https://host154.ipowerweb.com/~wholesal/login.php

Thank You.


 Post subject: Re: Need to remove osCsid from explorer bar for security...
PostPosted: Fri Sep 09, 2005 1:17 pm 
Forum Troll

Joined: Thu Jul 22, 2004 12:00 am
Posts: 2110
Location: Anytown, USA
Not sure you can disable sessions... What "security" reasons would you be referring to??

_________________

Michael Desmarais
CEO/Founder
SupremeCenterHosting.com

A better Host than Sal could dream of being!


 Post subject: Re: Need to remove osCsid from explorer bar for security...
PostPosted: Fri Sep 09, 2005 1:47 pm 
CRE Talented

Joined: Mon Sep 13, 2004 12:00 am
Posts: 327
Location: USA
You cannot disable them in secure pages, and if you are on a shared server with shared SSL DO NOT TRY TO.

Things that can and have happened.
someone else running the same script on the same server.
customer ends up with their products instead of yours.
customer shops adds products and at checkout all products disappear from cart.
or customer shops adds products and no products added.
Customer keeps getting logged off

have I missed anything...

I THINK the only way the shop will work without the OSCID is if you store the session in the database, but I haven't tried it so don't take my word for it. Sometimes I don't know what I'm talking about :lol:

_________________
$10/hr for OSC/CRE Dev


 Post subject: Re: Need to remove osCsid from explorer bar for security...
PostPosted: Tue Jan 31, 2006 10:33 am 
CRE Newbie

Joined: Tue Nov 22, 2005 1:00 am
Posts: 12
msdesmarais wrote:
Not sure you can disable sessions... What "security" reasons would you be referring to??

Security Issues Here:
http://www.oscommerce.com/community/bugs,2197/

I'm trying to get rid of this also. I tried SID killer, but it didn't work.

I'm using
- CRE Whitelabel 6.15
- SEO URL's 3.1

Session Settings:
Force Cookie Use - True
Check SSL Session ID - True
Check User Agent - True
Check IP Address - True
Prevent Spider Sessions - True
Recreate Session - False

Has anyone fixed this yet?


 Post subject: Re: Need to remove osCsid from explorer bar for security...
PostPosted: Tue Jan 31, 2006 10:46 am 
CRE Newbie

Joined: Tue Nov 22, 2005 1:00 am
Posts: 12
Here's a prime example of the security concerns in action:

http://www.google.com/search?hl=en&q=SE ... gle+Search

This search yields a link to a store.creloaded.com user's account. Clicking the link will log you into this customer's account with CRELoaded, where all previous orders (including downloads) and account information are available to anyone that wants to see.

Huge Problem.


 Post subject: Re: Need to remove osCsid from explorer bar for security...
PostPosted: Tue Jan 31, 2006 12:37 pm 
CRE Talented

Joined: Wed Dec 28, 2005 1:00 am
Posts: 461
So the SEO mod of chemos will allow this? Or is this the sid killer mod?

_________________
http://www.alcohol-injection.com


 Post subject: Re: Need to remove osCsid from explorer bar for security...
PostPosted: Tue Jan 31, 2006 12:55 pm 
CRE Newbie

Joined: Tue Nov 22, 2005 1:00 am
Posts: 12
CRE SEO URL's 3.1 is a modification offered by CRE Loaded
http://store.creloaded.com/product_info ... ucts_id=45

I tried the SID Killer to get rid of the osCsid, but it did nothing, so I removed it.

This page in the OSC knowledgebase outlines the security issues.
http://www.oscommerce.info/kb/osCommerc ... ntations/4
Quote:
If the client copies the complete url to share with a friend, that friend will share the session due to the session ID existing in the url. If the original client is authenticated with the web application, their friend will have access to the account information of the original client.

So, I'm still trying to figure out a way to get rid of it.


 Post subject: Re: Need to remove osCsid from explorer bar for security...
PostPosted: Tue Jan 31, 2006 3:05 pm 
CRE Talented

Joined: Wed Feb 09, 2005 1:00 am
Posts: 279
Location: France
If osCommerce, and CRE Loaded, can't set a cookie, it will resolve to SIDs, no matter what. So the first question is: Can CRE set a cookie? Show us your [php]define('HTTP_COOKIE_DOMAIN', '');[/php] from includes/configure.php. The definition says that a cookie domain *must* contain at least 2 dots. So neither 'localhost' nor 'mydomain.com' is ok, '.mydomain.com' is.

Regarding the SID killer, it will check if the supplied SID is an active session, and if not remove the SID and open a new session. Whether this new session will be cookie based or SID based is determined as above. The SID killer is effective only when you have for example accidentally been spidered with SIDs.

Regarding the mentioned security issues: Don't believe everything you read. Sessions time out, after that no more security issue. Afaik, no one has reliably been able to reproduce exploits due to SIDs in the URL.

So, show us your HTTP_COOKIE_DOMAIN then we look at the rest.

Best,
Ted

_________________
Freelance support, emergency fixes and projects - contact me for quotes.


 Post subject: Re: Need to remove osCsid from explorer bar for security...
PostPosted: Tue Jan 31, 2006 3:40 pm 
CRE Newbie

Joined: Tue Nov 22, 2005 1:00 am
Posts: 12
TedC wrote:
Regarding the mentioned security issues: Don't believe everything you read. Sessions time out, after that no more security issue. Afaik, no one has reliably been able to reproduce exploits due to SIDs in the URL.

So, show us your HTTP_COOKIE_DOMAIN then we look at the rest.

Best,
Ted


Thank you for your response Ted. It is much appreciated. Here's what I have in my configure file.
[php]define('HTTP_COOKIE_DOMAIN', 'www.mydomain.com');[/php]

I only show the osCsid's on the first page load. Further, I only see them on the static code that I've included in the header and footer (which consists of forms and links within my site that are not part of OSC).

As far as the sessions timing out and the security risks, I've personally noticed these links a LOT while searching for OSC related issues. Not only have I noticed them, but I've clicked them and accidentally gained access to someone's personal details and I'd really like to prevent this from ever happening.

Thanks again for responding. :)


 Post subject: Re: Need to remove osCsid from explorer bar for security...
PostPosted: Wed May 30, 2007 6:52 pm 
CRE Talented

Joined: Fri Mar 31, 2006 1:00 am
Posts: 496
Does anyone know where to find the best sid killer? I'm on 6.2 b2b patch 10.1

thank you


 Post subject: Re: Need to remove osCsid from explorer bar for security...
PostPosted: Mon Jul 11, 2011 9:15 am 
CRE Newbie

Joined: Wed Nov 18, 2009 11:59 am
Posts: 32
Location: UK
Same problem experienced here too.

Google Adwords set up 25 ads for my client, 17 of them had the session id as part of the URL.

For 6 weeks my client ended up with orders going to the wrong people or customers phoning up to say they could see someone else's details when trying to order online.

My client made it to 29,000 orders without a problem, then we had 6 weeks of chaos whilst trying to find the cause of the problem.

We changed all the Adword ads and instantly the issue stopped.

We're now trying to set up add this / share this buttons, but can already see the session id is part of the shared URL.

Is there a way to detect if someone's visiting from outside of the site and force a new session on them to prevent this?

Or am I simply handling sessions wrongly to cause this issue in the first place?

This instance is 6.2 patch 14 but also tested and seen on 6.4.1a
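An added illustration (not CRE Loaded or osCommerce code) of the two points raised in this thread: Ted's cookie-domain rule and the "new session for a visitor who arrives from outside" idea asked about in the post above. It assumes native PHP sessions, a session parameter named osCsid, and a hypothetical `.mydomain.com` cookie domain.

```php
<?php
// Added illustration, not CRE Loaded or osCommerce code. Assumes native PHP
// sessions and a session parameter named osCsid; run before any output.

const SESSION_NAME = 'osCsid';

// Ted's rule: a usable cookie domain has at least two dots, so 'localhost'
// and 'mydomain.com' fail while '.mydomain.com' passes.
function cookie_domain_is_valid(string $domain): bool
{
    return substr_count($domain, '.') >= 2;
}

// Did this request carry the session id in the query string instead of a cookie?
function arrived_with_url_sid(array $get): bool
{
    return isset($get[SESSION_NAME]);
}

// Did the visitor come from another site? A pasted link sends no Referer, so
// arrived_with_url_sid() is the check that matters for the shared-link case.
function came_from_outside(array $server): bool
{
    $ref = $server['HTTP_REFERER'] ?? '';
    $refHost = $ref === '' ? null : parse_url($ref, PHP_URL_HOST);
    return is_string($refHost)
        && strcasecmp($refHost, $server['HTTP_HOST'] ?? '') !== 0;
}

function start_hardened_session(string $cookieDomain): void
{
    if (!cookie_domain_is_valid($cookieDomain)) $cookieDomain = ''; // host-only cookie
    // Never read the id from the URL and never append it to links.
    ini_set('session.use_only_cookies', '1');
    ini_set('session.use_trans_sid', '0');
    ini_set('session.cookie_httponly', '1');
    session_name(SESSION_NAME);
    session_set_cookie_params(['domain' => $cookieDomain, 'path' => '/', 'httponly' => true]);
    session_start();
    if (arrived_with_url_sid($_GET) || came_from_outside($_SERVER)) {
        // Drop any state the request tried to bring in and mint a fresh id,
        // so a visitor never lands in another customer's cart or account.
        session_unset();
        session_regenerate_id(true);
    }
}

start_hardened_session('.mydomain.com');
```

With `session.use_only_cookies` on, an osCsid in a shared or advertised URL is simply ignored, so the visitor gets their own session rather than the original customer's.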

