2009/08/31

Check Referrer Sessions Option

Filed under: osCommerce Coding, osCommerce Community — eCartz @ 20:16

A situation that was mentioned on the osCommerce forums recently started me thinking.  Currently, if someone has cookies disabled, then the osCsid (the osCommerce session ID) appears in the URL.  If such a person logs in and then emails a link to someone else, the osCsid will be included in that URL (unless they remove it manually).  If the recipient clicks on the link, they will get the sender’s session and be able to do things like view past orders, add new addresses, or check out using the sender’s account.

One suggestion to resolve this was to set Recreate Sessions to true.  While that is a good setting, it only helps if the user was not logged in at the time the link was sent or if the link is used after the login session has expired.  Another suggestion is to check the IP address, but that breaks people on proxies.  Another suggestion is to check the user agent string, but that won’t prevent the situation where both people use browsers that happen to send the same user agent string.

I went back to the initial problem.  If someone is logged in and browsing with a session ID in the URL, they will always have a referrer on the osCommerce site.  If they leave the osCommerce site, then they will lose the session (which is one reason why cookies are preferable).  Therefore, if their browser sends a referrer, the referrer will be on the osCommerce site.  By contrast, the recipient of our hypothetical email will always have a blank referrer. 

Can we simply check for blank referrers?  Not really: it is possible to configure browsers not to send a referrer.  If we block sessions for people without referrers, we will prevent login by anyone who has a blank referrer.  Also, although we have been talking about email, there are other ways to share links, e.g. posting on a website or tweeting.  In those cases, the link will have a referrer; it just won’t be osCommerce.  So we need to check whether the referrer is osCommerce, and we need to allow for legitimate blank referrers.

My proposal is that if someone comes to the site with the referrer set, osCommerce will check to see if they have a session open.  If so, osCommerce will see if they have a referrer set for the session.  If not, then osCommerce will set the referrer.  Now, if someone sends a request to osCommerce with a blank referrer, we can check to see if there is a referrer set in the session.  If there is, then we can surmise that this is a new person, so we regenerate and clear the session.  Further, if someone comes to osCommerce with a set referrer, the referrer is not osCommerce, and they have a session ID in the URL, we can regenerate and clear the session as well. 

This covers: 

  1. The case where a link is emailed with the session ID.
  2. The case where a link is posted externally with the session ID.
  3. The case where someone sends a blank referrer on every request.
  4. The case where someone is browsing through the site normally and sending a referrer.

We are left with an odd edge case, where someone who browses without a referrer emails a link to someone else with the session ID in it.  In that case, the code would still fail, and they will share a session.  You can slightly reduce this risk by checking the user agent. 
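As an added illustration (not code from this post or from osCommerce), here is the decision logic above as a small Python model, run over the four listed cases and the edge case.  The cookie domains and request sequences are constructed, and the host comparison is anchored on a dot so that a host which merely ends in the same characters as the cookie domain is not treated as local.

```python
from urllib.parse import urlsplit

# Constructed stand-ins for osCommerce's HTTP_COOKIE_DOMAIN / HTTPS_COOKIE_DOMAIN
COOKIE_DOMAINS = ("www.example.com", "secure.example.com")


def referrer_is_local(referer, cookie_domains=COOKIE_DOMAINS):
    """True when the Referer host is a cookie domain or a subdomain of one;
    the match is anchored on a label boundary, not a bare suffix."""
    if not referer:
        return False
    host = (urlsplit(referer).hostname or "").lower()
    for domain in cookie_domains:
        domain = domain.lower().lstrip(".")
        if host == domain or host.endswith("." + domain):
            return True
    return False


def should_reset_session(referer, session_has_referrer, sid_in_url):
    """Decide whether this request must get a fresh, empty session.
    referer: Referer header or None when the browser sent none;
    session_has_referrer: whether first_referred_by is already registered;
    sid_in_url: whether the osCsid arrived in the query string."""
    if not sid_in_url:
        return False                       # cookie-based session: trusted as before
    if referer is None:
        return session_has_referrer        # blank referrer on a session that had one
    return not referrer_is_local(referer)  # external referrer plus osCsid in URL


def simulate(requests):
    """Walk (referer, sid_in_url) requests through one shared session and
    return, per request, whether the session was regenerated and cleared."""
    session_has_referrer = False
    decisions = []
    for referer, sid_in_url in requests:
        reset = should_reset_session(referer, session_has_referrer, sid_in_url)
        if reset:
            session_has_referrer = False  # session_regenerate_id() + $_SESSION = array()
        if referer is not None and not session_has_referrer:
            session_has_referrer = True   # first_referred_by gets registered
        decisions.append(reset)
    return decisions


# Constructed request sequences for the cases listed above
EMAILED_LINK = [("https://www.example.com/index.php", True),
                ("https://www.example.com/product_info.php?products_id=1", True),
                (None, True)]                       # recipient opens the mailed link
NO_REFERRER_BROWSER = [(None, True), (None, True)]  # case 3, and also the edge case
```

Running `simulate(EMAILED_LINK)` resets only the third request, while `simulate(NO_REFERRER_BROWSER)` never resets, which is exactly the edge case the paragraph above describes.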

Code (PHP):

// only trust a session ID from the URL if referred from this site
  if ( isset($HTTP_SERVER_VARS['HTTP_REFERER']) || tep_session_is_registered('first_referred_by') ) {
    // a missing referrer yields no host; an empty host can never match the
    // cookie domain, which is the behaviour we want for a blank referrer
    $referrer = isset($HTTP_SERVER_VARS['HTTP_REFERER']) ? parse_url($HTTP_SERVER_VARS['HTTP_REFERER']) : array();
    $referrer_host = isset($referrer['host']) ? $referrer['host'] : '';
    // the referrer is not this shop (neither cookie domain matches the end of
    // the host) and the session ID came from the URL: regenerate and empty the session
    if ( ( HTTP_COOKIE_DOMAIN != substr('.' . $referrer_host, -1 * strlen(HTTP_COOKIE_DOMAIN)) )
      && ( HTTPS_COOKIE_DOMAIN != substr('.' . $referrer_host, -1 * strlen(HTTPS_COOKIE_DOMAIN)) )
      && isset($HTTP_GET_VARS[tep_session_name()])
      && ( $SID == tep_session_name() . '=' . $HTTP_GET_VARS[tep_session_name()] )
       ) {
      if ( function_exists('session_regenerate_id') ) {
        session_regenerate_id();
        $SID = (defined('SID') ? SID : '');
        if ( isset($HTTP_GET_VARS[tep_session_name()]) ) unset($HTTP_GET_VARS[tep_session_name()]);
        $_SESSION = array();
      }
    }

    // remember the first referrer seen for this session, so that a later request
    // with a blank referrer can be recognised as coming from a different visitor
    if ( isset($HTTP_SERVER_VARS['HTTP_REFERER']) && ! tep_session_is_registered('first_referred_by') ) {
      tep_session_register('first_referred_by');
      $first_referred_by = $HTTP_SERVER_VARS['HTTP_REFERER'];
    }
  }

This has also been posted in the osCommerce Tips & Tricks forum.
