[ic] CookieDomain problem and solution
Sandy Thomson
sandy at scotwebshops.com
Thu Dec 9 11:43:32 EST 2004
Hi,
We have multiple catalogs. Each catalog tends to have its own domain
(A,B,C ...), but the checkout area for all of the catalogs is hosted on
a single domain (Z, because of the extortionate price of secure
certificates).
However some customers were doing the following:
Look at site A, store session id 1 in cookie
Look at secure domain Z, get session id 1 in secure cookie
Look at site B, store session id 2 in cookie
Look at secure domain Z, restore session id 1 from cookie (Bad)
At least this is what I think was going on. I think that the A domain
cookie was supposed to encapsulate the Z domain too but this wasn't
happening in practice.
Anyway I decided to set the CookieDomain directive on our sites to the
non secure domains (A,B,C), but we still host sites for other people who
use cookies on the secure domain as well so this is not ideal.
If both the non secure domains (A,B,C ...), and the secure domain (Z)
had conflicting cookies, when you go from the B (browsing) to Z
(checkout) interchange will:
1) Ignore any ?id= or mv_session_id= parameters passed to it
2) Ignore the secure domain cookie because it thinks it has expired/not
in CookieDomain
3) Generate a completely new session Id
4) As a result customers would lose all the contents of their basket etc
I changed this to:
1) Ignore the secure domain cookie if it isn't in CookieDomain
2) Try and retain the id that was passed to the page
Diffs attached for lib/Vend/Dispatch.pm. It's a bit custom for us but
might be worth a look in.
Sandy.
-------------- next part --------------
1152c1152,1164
< $sessionid = $1
---
>
> my $cookiedomains = $Vend::Cfg->{CookieDomain};
> my $verytmpsessionid = $1;
> my $cookiehost=$3;
> my $cookieuser=$4;
>
> my $scripthostcheck=$CGI::script_name;
>
> $scripthostcheck=~s/^www\.//;
> $scripthostcheck=~s/[:|\/].*$//;
>
> if($cookiedomains=~/$scripthostcheck/){
> $sessionid = $verytmpsessionid
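Review bot: the domain test `if($cookiedomains=~/$scripthostcheck/)` interpolates a request-derived host name into a regex unescaped and unanchored, so each `.` matches any character and any substring of the CookieDomain value matches (a host `a.example` would be accepted against an entry `shop-a.example`); quote and anchor it, e.g. `if ($cookiedomains =~ /(?:^|\s)\Q$scripthostcheck\E(?:\s|$)/)`, or split CookieDomain on whitespace and compare each entry with `eq`. Also worth confirming that `$CGI::script_name` really holds the host here: if it carries a URL path instead, `s/[:|\/].*$//` reduces it to an empty string and the match no longer tests anything. In `[:|\/]` the `|` is a literal pipe inside a character class, not alternation; `[:\/]` is what is meant.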
1154,1155c1166,1167
< $CGI::cookiehost = $3;
< $CGI::cookieuser = $4;
---
> $CGI::cookiehost = $cookiehost;
> $CGI::cookieuser = $cookieuser;
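Review bot: caching `$3`/`$4` into `$cookiehost`/`$cookieuser` before the `s///` substitutions is necessary, since a successful substitution resets the capture variables, but a one-line comment saying so would keep a later cleanup from inlining `$3`/`$4` again. Note also that these assignments now run only when the domain check passes, so `$CGI::cookiehost` and `$CGI::cookieuser` are left unset for a cookie from outside CookieDomain; confirm nothing downstream relies on them being set whenever a session cookie was present.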
1156a1169,1171
> # }else{
> # ::logGlobal("Avast! No id for you dodgy cookie from domain I am looking at but not in CookieDomain!");
> # }
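Review bot: the closing brace of the `if(...){` opened in the first hunk is commented out together with the else branch (`# }else{`, `# }`), so as posted the braces are unbalanced and Perl will refuse to compile the file; keep the `}` live, either as a bare `}` or as `} else { ::logGlobal(...); }` if the diagnostic is wanted. If the log line is kept, including the rejected cookie host and the script host in the message would make it far more useful than the fixed text when diagnosing a misconfigured CookieDomain.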
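As an added illustration of the CookieDomain check the post describes (this is example code written for this page, not Sandy's patch and not Interchange's own code), the snippet below compares the substring-style test from the patch with a stricter check that only accepts the request host when it equals, or is a subdomain of, one of the configured domains. It assumes CookieDomain holds a whitespace-separated list of domains (the post's "(A,B,C)" suggests that, but it is an assumption); the domain names, the function names and the sample hosts are all constructed for the example.

```perl
#!/usr/bin/perl
# Added example, not Interchange code: deciding whether the host that served
# a request is one of the domains a session cookie may be trusted on.
use strict;
use warnings;

# Naive check in the style of the posted patch: the request host is
# interpolated into a regex unescaped and unanchored, so '.' matches any
# character and any substring of the CookieDomain list is accepted.
sub host_allowed_naive {
    my ($cookie_domains, $host) = @_;
    $host =~ s/^www\.//;
    $host =~ s/[:\/].*$//;           # drop any port or path
    return $cookie_domains =~ /$host/ ? 1 : 0;
}

# Stricter check: split the directive into individual domains and accept the
# host only if it equals one of them or is a subdomain of one (dot boundary).
sub host_allowed_strict {
    my ($cookie_domains, $host) = @_;
    $host = lc $host;
    $host =~ s/^www\.//;
    $host =~ s/[:\/].*$//;
    return 0 unless length $host;    # a path-only value must never match
    for my $domain (split ' ', lc $cookie_domains) {
        $domain =~ s/^\.//;          # tolerate entries written as ".example"
        return 1 if $host eq $domain || $host =~ /\.\Q$domain\E$/;
    }
    return 0;
}

# Constructed sample data (assumption): A, B and C are the shop domains the
# cookies belong to; the shared checkout host Z is deliberately not listed.
my $cookie_domains = 'shop-a.example shop-b.example shop-c.example';

my @hosts = (
    'www.shop-a.example',            # real shop, www stripped
    'shop-b.example:443',            # real shop with a port
    'secure.shop-a.example',         # legitimate subdomain of a shop
    'a.example',                     # substring of an entry, not a shop
    'hop-b.example',                 # substring of an entry, not a shop
    'checkout-z.example',            # the checkout host, not in the list
    'shop-a.example.evil.test',      # lookalike with a shop name as prefix
);

for my $host (@hosts) {
    printf "%-28s naive=%d strict=%d\n", $host,
        host_allowed_naive($cookie_domains, $host),
        host_allowed_strict($cookie_domains, $host);
}
```

Running it shows the two failure modes of the substring test side by side: `a.example` and `hop-b.example` pass the naive check because they occur inside a real entry, while `secure.shop-a.example` fails it even though a cookie scoped to `shop-a.example` legitimately covers that host. The strict version gets all of these right and, unlike the naive one, cannot be made to match everything by an empty host.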