[ic] CookieDomain problem and solution

Sandy Thomson sandy at scotwebshops.com
Thu Dec 9 11:43:32 EST 2004 

Hi,
We have multiple catalogs. Each catalog tends to have its own domain 
(A,B,C ...), but the checkout area for all of the catalogs is hosted on 
a single domain (Z,because of the extorsionate price of secure 
certificates).

However some customers were doing the following:
Look at site A, store session id 1 in cookie
Look at secure domain Z, get session id 1 in secure cookie
Look at site B, store session id 2 in cookie
Look at secure domain Z, restore session id 1 from cookie (Bad)

At least this is what i think was going on. I think that the A domain 
cookie was supposed to encapsulate the Z domain too but this wasn't 
happening in practise.

Anyway I decided to set the CookieDomain directive on our sites to the 
non secure domains (A,B,C), but we still host sites for other people who 
use cookies on the secure domain as well so this is not ideal.

If both the non secure domains (A,B,C ...), and the secure domain (Z) 
had conflicting cookies, when you go from the B (browsing) to Z 
(checkout) interchange will:
1) Ignore any ?id= or mv_session_id= parameters passed to it
2) Ignore the secure domain cookie because it thinks it has expired/not 
in CookieDomain
3) Generate a completely new session Id
4) As a result customers would lose all the contents of their basket etc

I changed this to:
1) Ignore the secure domain cookie if it isn't in CookieDomain
2) Try and retain the id that was passed to the page

Diffs attached for lib/Vend/Dispatch.pm. Its a bit custom for us but 
might be worth a look in.

Sandy.
-------------- next part --------------
1152c1152,1164
< 		$sessionid = $1
---
> 		
> 		my $cookiedomains = $Vend::Cfg->{CookieDomain};
> 		my $verytmpsessionid = $1;
> 		my $cookiehost=$3;
> 		my $cookieuser=$4;
> 		
> 		my $scripthostcheck=$CGI::script_name;
> 		
> 		$scripthostcheck=~s/^www\.//;
> 		$scripthostcheck=~s/[:|\/].*$//;
> 
> 		if($cookiedomains=~/$scripthostcheck/){
> 		$sessionid = $verytmpsessionid
1154,1155c1166,1167
< 		$CGI::cookiehost = $3;
< 		$CGI::cookieuser = $4;
---
> 		$CGI::cookiehost = $cookiehost;
> 		$CGI::cookieuser = $cookieuser;
1156a1169,1171
> #		}else{
> #		::logGlobal("Avast! No id for you dodgy cookie from domain I am looking at but not in CookieDomain!");
> #		}

More information about the interchange-users mailing list