Full Version: Remove osCommerce Session ID without Forcing Cookie Use
Vger
Experienced users will know that osCommerce, even without 'Force Cookie Use' will stop displaying the osCommerce session id within one or two clicks of landing on a website - but this period is enough time for a Search Engine to generate a session id, unless it is listed in includes/spiders.txt and 'Prevent Spider Sessions' is set to 'true' in osCommerce admin.

This tip is a workaround for that. Unfortunately, like Force Cookie Use it won't work with a shared ssl - which would have yielded the greatest benefits to people. However, it has been tested online and offline on the latest version of osCommerce using no SSL and full SSL.

Agh! But experienced users will say "If we use no SSL or full SSL then we can turn on Force Cookie Use and get rid of the session id that way - so what use is this?". The answer is that not everyone will want to turn on Force Cookie Use because it will cost them a few customers here and there.

Okay, that's the reasoning, so what's the fix?

If your site is hosted on an Apache server with Mod Rewrite enabled you should be able to install Chemo's "Ultimate SEO URL's" contribution. With one minor edit, to one file, this will allow you to remove the session id from the address bar.

In the modification for Ultimate SEO URL's to includes/functions/html_output.php you'll find this piece of code:
CODE
$add_session_id = true

and you change it to:
CODE
$add_session_id = false


The session id does appear in the sessions table in the database, but not in the page address.

Remember, if tempted to use this:

1. It doesn't work with shared SSL!
2. It doesn't work on Windows servers (because Ultimate SEO URL's doesn't work on Windows servers)
3. Apache servers must have Mod Rewrite enabled
4. You must, of course, install Ultimate SEO URL's, with the minor code alteration


Vger
rumi
Hi Vger,
I just installed Ultimate SEO urls v21da and get this message when I go to my store:
Fatal error: Call to a member function on a non-object in /var/www/html/includes/header.php on line 14

Any thoughts?

Thanks
Vger
You haven't installed Ultimate SEO URL's correctly, or else you are on a Windows server.

Vger
rumi
Hi Again,
Another problem: when in Admin, after clicking on "Categories" I get this message--

1054 - Unknown column 'cd.categories_seo_url' in 'field list'

select c.categories_id, cd.categories_name, cd.categories_seo_url, c.categories_image, c.parent_id, c.sort_order, c.date_added, c.last_modified from categories c, categories_description cd where c.parent_id = '0' and c.categories_id = cd.categories_id and cd.language_id = '1' order by c.sort_order, cd.categories_name


I forgot to mention that I have STSv4.3.3 on a new install of osc 2.2MS2

Thank You
rumi
Sorry, I didn't see your last post before I posted again. I am on Apache + MOD with a full SSL. I suspect I need to make some additions to the SQL Database?

Hope you had a nice Holiday.
rumi
I went in to Admin>Configurations and SEO URLs in there. There are a lot of settings set already. The only change I made was enabling the cPath from False to True. So that I'm not bothering you, do you know of a support thread where no doubt these questions have already been addressed?

Marion
Vger
Ultimate SEO URL's installs itself as soon as the site is launched following the install. However, it rewrites 'on the fly' so makes no change to the database and for this reason you shouldn't be getting the error you are getting. Back to my earlier point - it looks as though you haven't installed it correctly.

Unfortunately the person who wrote this great contribution is banned from the forums. There may be an official support thread for it but as to who would be responsible now for answering questions on it I don't know.

Vger
rumi
I'm considering un-installing it. But first I will post a topic to see if I can get some advice concerning the header.php error. Since I overwrote some files, I wonder if I have to un-install all of osc?

Please No
reflous
Vger, search engines have definitely picked up my osCid and I'd like to get rid of it. However, I don't really understand what this mod does. I see from the code that the session id will no longer be appended to the $link (url) but what are the implications of this? How does the session id get properly carried forward for users if this is turned off?

Thanks!
reflous
QUOTE (reflous @ Jan 5 2007, 12:59 PM) *
Vger, search engines have definitely picked up my osCid and I'd like to get rid of it. However, I don't really understand what this mod does. I see from the code that the session id will no longer be appended to the $link (url) but what are the implications of this? How does the session id get properly carried forward for users if this is turned off?


Sorry, just to add to this. I disabled cookies and set all instances of $add_session_id to false and then oscommerce stops working. You can't add products to the shopping cart anymore. Did I do something wrong, or is this just a mod to force the use of cookies?
Vger
Sorry - I made a mistake. I thought this mod just removed the session id from the address bar - but what it is actually doing is removing it completely and so forcing cookie use via another method.

Back to the drawing board!

Vger
BugReport
QUOTE (reflous @ Jan 5 2007, 07:59 AM) *
Vger, search engines have definitely picked up my osCid and I'd like to get rid of it. However, I don't really understand what this mod does. I see from the code that the session id will no longer be appended to the $link (url) but what are the implications of this? How does the session id get properly carried forward for users if this is turned off?

Thanks!

How to remove session ID appended URLs from the search engine index
Vger
Nice one!

Rhea
tabathasiren
worked like a charm:) Just the nugget I was looking for..
blagger
QUOTE (Vger @ Jan 5 2007, 01:40 PM) *
Sorry - I made a mistake. I thought this mod just removed the session id from the address bar - but what it is actually doing is removing it completely and so forcing cookie use via another method.

Back to the drawing board!

Vger


Rhea

Have you managed to come up with a solution, I have ultimate seo url's installed, but need to get rid of the oscsid.
baddog
QUOTE (blagger @ Oct 30 2007, 09:25 AM) *
Rhea

Have you managed to come up with a solution, I have ultimate seo url's installed, but need to get rid of the oscsid.

Has anyone tried this: Session Start Mod
eitai2001
Hi guys.

I found something that seemed to work perfectly for me, and now I don't see the oscID unless cookies are disabled in my browser.
Here is the post I found that helped me out:
QUOTE
Right guys,

Not 100% up to speed on this yet but after reaching 99% I did do a couple of celebratory laps of the sitting room!! Yes, the sitting room is where I get most of the proper work done - I spent all day at the shop just sorting out orders, replying to probably dead end e-mails and the rest of the standard shop work!! How I am ever going to compete with Amazon I will never know!

Still the major breakthrough has been made, only one potential problem left which I will mention at the end.

Ok, Sessions.....

It would appear to me that a very large number of users do not have OScommerce configured correctly (Including myself). I assumed that every user was issued a (visible) session ID. All the OScommerce sites I had visited, and that is a lot of sites since I have been working on mine, have issued me with a session ID in the URL. Now, this does not need to happen so long as cookies are enabled on the user's browser. The 2.2 ms version of OScommerce (don't know about previous versions) is very clever.... Once a new customer visits your site, OSc will try to reply to the customer with cookies enabled, if it does not receive the response it wants, ie cookies are disabled, then and only then will it assign the user a session ID.

This make sense so far? It took me some bl**dy working out.

Now, knowing that generally speaking sessions are a bad idea security wise for your site/customers (they are open to abuse if another user can access the same open session), OSc will use cookies when it can. You know it is using cookies when the URL does not contain a reet big long OSCid number.

So, what are the correct settings for your config file, I hear you ask!

Well, mine is now,

define('HTTP_SERVER', 'http://www.mydomain.co.uk'); // eg, http://localhost - should not be empty for productive servers
define('HTTPS_SERVER', 'https://www.mydomain.co.uk'); // eg, https://localhost - should not be empty for productive servers
define('ENABLE_SSL', true); // secure webserver for checkout procedure?
define('HTTP_COOKIE_DOMAIN', 'mydomain.co.uk');
define('HTTPS_COOKIE_DOMAIN', 'mydomain.co.uk');
define('HTTP_COOKIE_PATH', '/');
define('HTTPS_COOKIE_PATH', '/');

And all appears well. I would say things get a little more confusing if you are on a shared SSL but if anyone's interested I could probably find and post the answers here later (when I get a spare five minutes!)

OK, so to summarise so far, if, in your admin you have FORCE COOKIE USE set to FALSE, any users with cookies enabled should see a nice short URL and if the customer has cookies disabled they will see a chuffing great long URL with a session id tagged on the end.

So going back to my original post about how to set up the SESSIONS in admin, I guess it's better to not set FORCE COOKIE USE to true, as this will certainly prevent AOL users, amongst others from accessing your shop (Cheers Rhea for that pointer).

Everything I have read indicates that PREVENT SPIDER SESSIONS must be set to TRUE as a matter of security.

As far as the rest of the settings go, not sure yet!! Will try and do a bit more reading.

If I am going over old ground for you experienced hands, please put me out of my misery and save me a bit of time by letting me know the best set up!


Right, after creating the world's longest post tonight I think I am going to clear off to bed - The only thing left to explain is why I have not implemented these new settings on my site. Well, it all boils down to my old friend the HSBC secure e-payments!! I have hard coded (I think that's the correct techie term) a session id into the return post from the HSBC site, Doh!! It was the only way I could get it working at the time. Now, how this is going to be affected by using cookies I am not quite sure and am certainly not prepared to think about or try to change after a half a bottle of Johnny Walker - That's a job for another day (when I get another spare five minutes).

Cheers for now.
Richard.


Regards

Itai
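
The fallback behaviour discussed in this thread, as an added PHP sketch (not osCommerce or Ultimate SEO URL's code): the session id goes into the URL only for a non-spider client that has not returned the session cookie. `build_link`, `is_spider` and the spider list are hypothetical, and the cookie name is assumed to match the osCsid URL parameter.

```php
<?php
// Added illustration, not osCommerce source. All function names are hypothetical.

// Constructed sample of user-agent substrings, in the spirit of includes/spiders.txt.
const SPIDER_MARKERS = ['googlebot', 'bingbot', 'slurp'];

function is_spider(string $userAgent): bool
{
    $ua = strtolower($userAgent);
    foreach (SPIDER_MARKERS as $marker) {
        if (strpos($ua, $marker) !== false) {
            return true;
        }
    }
    return false;
}

/**
 * Decide whether a generated link carries the session id.
 *  - spiders get no session at all, so no id can end up in a search index
 *  - a client that sent the session cookie back needs no id in the URL
 *  - only a cookieless, non-spider visitor falls back to the osCsid parameter
 * $addSessionId mirrors the $add_session_id flag changed in the first post.
 */
function build_link(string $page, string $sid, array $cookies, string $userAgent, bool $addSessionId = true): string
{
    $sessionStarted = !is_spider($userAgent);
    // Assumption: the cookie uses the same name as the URL parameter.
    $cookieReturned = isset($cookies['osCsid']) && hash_equals($sid, (string) $cookies['osCsid']);

    if ($addSessionId && $sessionStarted && !$cookieReturned) {
        $separator = strpos($page, '?') === false ? '?' : '&';
        return $page . $separator . 'osCsid=' . rawurlencode($sid);
    }
    return $page;
}

$sid     = 'constructedsessionid0123456789ab'; // constructed value, not a real session id
$browser = 'Mozilla/5.0 (X11; Linux x86_64)';  // constructed user agent

// Scenario 1: first request from a browser, cookie not yet returned.
echo build_link('index.php', $sid, [], $browser), "\n";
// Scenario 2: same browser after it sent the cookie back.
echo build_link('index.php', $sid, ['osCsid' => $sid], $browser), "\n";
// Scenario 3: a crawler matched by the spider list.
echo build_link('index.php', $sid, [], 'Googlebot/2.1'), "\n";
// Scenario 4: flag forced to false for a cookieless browser, the case that broke the cart above.
echo build_link('index.php', $sid, [], $browser, false), "\n";
```

In scenario 4 the link carries no id and the client holds no cookie, so nothing ties the next request to the session.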