snubbr.com

Is Verisign SSL 5000 too much for fi btl 15?

First of all, is Verisign SSL 5000 too much for fi btl 15? Thanks in advance for any answer or two. Another question I got... We've had our Oscommerce store (ver. 2.2 ms2) for two years and have never known about this problem until a customer contacted us saying she was able to view a friend's account after she sent a link to a friend and the friend proceeded to log in from that link (using the same session id from the link, of course). Upon further research at this forum, it seems it's a known problem with sharing session ids. Now, our links aren't cached on Google with sessions (thankfully), as I've seen others post about, and the session id does expire after some minutes or when the user logs out, but it raises some security problems, such as: what if a logged in user posts a link on an active forum? Everyone that clicks on it gets logged into her account for at least ten minutes after she loaded that page.

So, I'm trying to find out how to fix this.

My previous settings were:

Force Cookie Use False.

Check SSL Session ID False.

Check User Agent False.

Check IP Address False.

Prevent Spider Sessions True.

Recreate Session False.

I changed them to this:

Force Cookie Use False.

Check SSL Session ID False.

Check User Agent False.

Check IP Address True.

Prevent Spider Sessions True.

Recreate Session True.

... to validate the IP address for every session, which worked fine for a few days, until a customer contacted us to say she was getting redirected to login on every page. Apparently Singnet (Singapore ISP) works as a proxy similar to AOL and users get a new IP address with every page they load (I can't find out if AOL still works like this or not). So now that 'check IP address' is turned on, I'm excluding all users using this ISP every time their IP address changes.

I can't turn on forced cookies, apparently because I'm using shared SSL.

So is there any way to get rid of the Oscid in the browser? I've found this, which I don't think would solve the problem if the user is logged in when she copies & pastes a link.

What does "recreate session" do exactly?

Is a private SSL required to be able to turn off the Oscid from the browser?

Thanks in advance for any suggestions. I'm looking for the best solution to fix this security issue and thought I'd ask for some advice or any helpful contributions I might have missed.

Comments (88)

The answer is yes, but you might want to make sure and wait for someone else here to confirm it, as I am on the fence. Better yet, why don't you give a call to the Verisign guys, because they can assist you better.

Comment #1

Hi! Thanks a lot for commenting.

I've used those settings, and the config file has persistent connections set to false, and I still get the Oscid (the same one, it never changes even when logging in) on every link I click, so I'm not sure how to get rid of that thing.

Wondering if I get a private SSL and use force cookies, whether that would take care of everything.

Comment #2

Persistent connections have nothing to do with this (and should be off).

A persistent osCsid means that your includes/configure.php file is wrong (probably the admin one too).

Force cookie use is the ideal, but you have to have a full certificate, with the http and https domains exactly the same. You also have to bear in mind that customers browsing your Verisign site with cookies set to off will not be able to buy from you.

This post has been edited by FWR Media: 07 December 2008, 11:30.

Comment #3

Dear Robert,

I too have tried setting recreate sessions to True and found that the osCid stays the same when logging on. So what about the configure.php file could be wrong to cause this? Please specify what you mean. Thank you very much.

Regards,

Alex

Comment #4

The following uses the very first 9 lines of includes/configure.php; this does not relate to the admin configure file (although there are significant similarities).

Option one - the shop is in root e.g. www.mysite.com.

define('HTTP_SERVER', 'http://www.mysite.com');
define('HTTPS_SERVER', 'https://www.mysite.com'); // This depends on the set up of the certificate
define('ENABLE_SSL', true); // false if you have no certificate
define('HTTP_COOKIE_DOMAIN', 'www.mysite.com');
define('HTTPS_COOKIE_DOMAIN', 'www.mysite.com'); // depends on the cert settings
define('HTTP_COOKIE_PATH', '/');
define('HTTPS_COOKIE_PATH', '/');
define('DIR_WS_HTTP_CATALOG', '/');
define('DIR_WS_HTTPS_CATALOG', '/');
define('DIR_WS_IMAGES', 'images/');

Option Two - the shop is not in root but in a directory e.g. www.mysite.com/catalog/.

define('HTTP_SERVER', 'http://www.mysite.com');
define('HTTPS_SERVER', 'https://www.mysite.com'); // This depends on the set up of the certificate
define('ENABLE_SSL', true); // false if you have no certificate
define('HTTP_COOKIE_DOMAIN', 'www.mysite.com');
define('HTTPS_COOKIE_DOMAIN', 'www.mysite.com'); // depends on the cert settings
define('HTTP_COOKIE_PATH', '/catalog/');
define('HTTPS_COOKIE_PATH', '/catalog/');
define('DIR_WS_HTTP_CATALOG', '/catalog/');
define('DIR_WS_HTTPS_CATALOG', '/catalog/');
define('DIR_WS_IMAGES', 'images/');

Hope that helps.

This post has been edited by FWR Media: 17 December 2008, 10:46.

Comment #5

Thanks for the prompt reply. My configure.php looks pretty much like the first option you listed, except I have ENABLE_SSL false and HTTP_SERVER set to https:// because my whole Verisign site is SSL. This change is recent though, and I had the problem with carts crashing before. The only other difference is that I have https://mysite.com in the COOKIE_DOMAINs instead of www, and I don't have www in the HTTP_SERVER. See below.

define('HTTP_SERVER', 'https://mysite.com');
define('HTTPS_SERVER', 'https://mysite.com');
define('ENABLE_SSL', false);
define('HTTP_COOKIE_DOMAIN', 'https://mysite.com');
define('HTTPS_COOKIE_DOMAIN', 'https://mysite.com');
define('HTTP_COOKIE_PATH', '/');
define('HTTPS_COOKIE_PATH', '/');
define('DIR_WS_HTTP_CATALOG', '/');
define('DIR_WS_HTTPS_CATALOG', '/');
define('DIR_WS_IMAGES', 'images/');

I can see where the osCommerce code recreates the session and copies over the backed up one, but I can only see the actual session id set once in application_top. If I could find the actual bit of code that changes the osCid I'd be able to figure out why the recreate sessions flag isn't working for me.

Do you have any more ideas, clues, suggestions please?

Thanks,

Alex

Comment #6

No, it is not the same as my first one; in fact it is totally wrong.

Before looking into the oscommerce code (which works perfectly well) you need to look at your own settings.

Firstly, it is utter madness to have SSL throughout the whole shop: it's slow, it creates load, it doesn't get indexed (very well), it is thoroughly unnecessary.

define('HTTP_SERVER', 'http://mysite.com');
define('HTTPS_SERVER', 'https://mysite.com');
define('ENABLE_SSL', true);
define('HTTP_COOKIE_DOMAIN', 'mysite.com');
define('HTTPS_COOKIE_DOMAIN', 'mysite.com');
define('HTTP_COOKIE_PATH', '/');
define('HTTPS_COOKIE_PATH', '/');
define('DIR_WS_HTTP_CATALOG', '/');
define('DIR_WS_HTTPS_CATALOG', '/');
define('DIR_WS_IMAGES', 'images/');

The above supposes that your Verisign certificate is issued to mysite.com and not www.mysite.com.

Comment #7

Dear Robert,

Thanks for your reply. Since I posted this I changed the cookie domain to '.mysite.com', with a dot in front of it, on the advice given in another thread on this same subject. Do you think this dot makes any difference?

I didn't mean that I thought there was anything wrong with the osCommerce code. I just thought if I could read and understand the bit of code that resets the osCid, I'd be able to work out what I have set up wrong.

Can you tell me why it doesn't get indexed very well through SSL?

Thank you.

Regards,

Alex

Comment #8

Force Cookie Use False.

Check SSL Session ID False.

Check User Agent False.

Check IP Address False.

Prevent Spider Sessions True.

Recreate Session True.

The above should work perfectly as long as your config files are correctly set and you therefore do not have a persistent osCsid (i.e. the osCsid disappears after one or two clicks).

Recreate session should be set to true, as it rebuilds the session id whenever there is a change of state for the customer session (i.e. logging in).

Comment #10
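To make concrete what the "Recreate Session" setting described above buys you against the shared-link scenario from the original post, here is an added PHP model (not osCommerce's own code; the SessionStore class and its method names are invented for the illustration) that runs the same link-sharing sequence with and without regeneration of the id at login:

```php
<?php
// Added example, not osCommerce code: an in-memory model of a URL-carried
// session id (like osCsid). The same sequence is run twice, with and without
// regenerating the id at login, to show what "Recreate Session = True" does.

final class SessionStore {
    private array $sessions = [];   // id => ['customer' => string|null]

    public function create(): string {
        $id = bin2hex(random_bytes(16));
        $this->sessions[$id] = ['customer' => null];
        return $id;
    }

    // Resolve an id taken from a link; an unknown or retired id gets a fresh session.
    public function resume(string $id): string {
        return isset($this->sessions[$id]) ? $id : $this->create();
    }

    public function customer(string $id): ?string {
        return $this->sessions[$id]['customer'] ?? null;
    }

    // Authenticate the session; with $recreate the old id is retired and the
    // session data moves to a brand-new id, so the old id no longer resolves.
    public function login(string $id, string $customer, bool $recreate): string {
        if ($recreate) {
            $data = $this->sessions[$id];
            unset($this->sessions[$id]);
            $id = bin2hex(random_bytes(16));
            $this->sessions[$id] = $data;
        }
        $this->sessions[$id]['customer'] = $customer;
        return $id;
    }
}

foreach ([false, true] as $recreate) {
    $store  = new SessionStore();
    $shared = $store->create();                       // id embedded in a link Alice copies before logging in
    $alice  = $store->login($shared, 'alice', $recreate);
    $bob    = $store->resume($shared);                // Bob later clicks the link Alice shared
    printf("Recreate Session = %-5s -> the shared link opens the account of: %s\n",
        $recreate ? 'True' : 'False',
        $store->customer($bob) ?? '(nobody, Bob gets a new anonymous session)');
}
```

Regenerating at login retires an id that was handed out before authentication, but it cannot help when the link is copied after login and so carries the live id, which is why the thread also turns to keeping the id out of the URL altogether (Force Cookie Use).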


This question was taken from a support group/message board and re-posted here so others can learn from it.


(C) Copyright 2010 All rights reserved.