Zen Cart - putting the dream of business ownership within reach of anyone!
Donate to: DrByte directly or to the Zen Cart team as a whole
Remember: Any code suggestions you see here are merely suggestions. You assume full responsibility for your use of any such suggestions, including any impact ANY alterations you make to your site may have on your PCI compliance.
Furthermore, any advice you see here about PCI matters is merely an opinion, and should not be relied upon as "official". Official PCI information should be obtained from the PCI Security Council directly or from one of their authorized Assessors.
Hi Chris,
I think there are two flaws in the logic.
1) In ZC 1.3.9 all session data is base64 encoded by Zen Cart before being written to the database (file based sessions aren't touched). So the base64_decode() always needs to be done if the session data was read from the database.
2) Having the suhosin extension loaded doesn't necessarily mean that sessions are encrypted. It's fine to have suhosin loaded with session encryption turned off.
I think the only thing that needs to be done is base64_decode any database read session data and then check for 'cart|O'. If 'cart|O' is found then everything is good, if not then the session data is encrypted or broken.
Regards,
Christian.
Right. I agree: we need to decode the data read from the database.
But that's not a total solution.
If suhosin encryption is enabled, then PHP will auto-decrypt it when we session_decode the data. Hence the missing check regarding encryption.
Oddly enough, on my test server, which has suhosin.session.encrypt On, suhosin.server.encode On and suhosin.stealth On, I can't get cart contents to show at all right now.
And commenting out the lines you suggested earlier is having no effect.
Of course, this is the reverse situation to what was posted earlier too.
Puzzling.
Hi Chris,
If you check for the presence of 'cart|O' in the session string before doing the session_decode, you can determine whether the string is encrypted or not.
Personally, I don't like the use of session_decode; it messes with the Admin session data. Using unserialize() might be better, but I've not tried it.
Erm, if suhosin.session.encrypt = On then you won't be able to see the cart contents because it is encrypted.
IMHO, a better solution would be to not touch the session data at all. Add the count of items in the visitor's cart and the total amount to the recorded whos_online information. Use that to show the traffic light indicators and number of items in cart + total spent instead of all the cart details. Less privacy concerns and no need to be naughty with session data.
Regards,
Christian.
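The two points in the post above, the 'cart|O' plaintext check and keeping session_decode() away from the admin's own $_SESSION, put together in one added example. This is not Zen Cart code or CJPinder's code; it assumes the 1.3.9 behaviour described in the thread (database-stored session data is base64-encoded, the cart is stored under the session key "cart" as a serialized object, and session.serialize_handler is the default "php" format), and the function names, the stdClass stand-in for the real cart class and the sample records are all constructed for illustration. Requires PHP 7.1 or later.

```php
<?php
// Added example (not Zen Cart's own code). Assumes the ZC 1.3.9 behaviour
// described in the thread: rows in the sessions table hold base64-encoded
// session data, and a visitor's cart is serialized under the key "cart" as an
// object, so readable data contains the marker "cart|O". The serialize_handler
// is assumed to be the default "php" format (key|serialized-value pairs).

/**
 * Return the decoded (still serialized) session string if it looks readable,
 * or null if it is encrypted (e.g. suhosin.session.encrypt = On) or broken.
 * With suhosin encryption on, the plaintext marker never appears, so the
 * caller knows not to call session_decode() on it at all.
 */
function zc_readable_session_data(string $stored, bool $from_database = true): ?string
{
    $data = $from_database ? base64_decode($stored, true) : $stored;
    if ($data === false) {
        return null;                     // not valid base64: broken record
    }
    if (strpos($data, 'cart|O') === false) {
        return null;                     // encrypted, or no cart object in it
    }
    return $data;
}

/**
 * Decode a visitor's session string into an array WITHOUT disturbing the
 * caller's $_SESSION. session_decode() always writes into $_SESSION (the
 * admin's session on a whos_online page), so snapshot, decode, copy, restore.
 * session_decode() needs an active session; admin pages already have one.
 */
function zc_decode_session_isolated(string $data): array
{
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }
    $saved    = $_SESSION;
    $_SESSION = [];
    $ok       = session_decode($data);
    $decoded  = $ok ? $_SESSION : [];
    $_SESSION = $saved;                  // give the admin their session back
    return $decoded;
}

// --- constructed sample records (not real visitor data) ---------------------
// stdClass stands in for Zen Cart's real cart class so this runs anywhere.
$cart = new stdClass();
$cart->contents = [101 => ['qty' => 2], 205 => ['qty' => 1]];
$plain_stored = base64_encode('cart|' . serialize($cart) . 'language|s:7:"english";');

// Stand-in for a suhosin-encrypted record: opaque bytes, no "cart|O" marker.
$encrypted_stored = base64_encode(hash('sha256', 'opaque ciphertext stand-in', true));

foreach (['plaintext' => $plain_stored, 'encrypted' => $encrypted_stored] as $label => $stored) {
    $data = zc_readable_session_data($stored);
    if ($data === null) {
        echo "$label: cannot inspect (encrypted or broken), session_decode skipped\n";
        continue;
    }
    $session = zc_decode_session_isolated($data);
    $lines   = isset($session['cart']->contents) ? count($session['cart']->contents) : 0;
    echo "$label: $lines line(s) in cart\n";
}
```

Run it from the command line with `php example.php`; the plaintext record reports two cart lines and the opaque record is skipped before session_decode() is ever reached, which is the whole point of the marker check. The snapshot-and-restore around session_decode() is what addresses the "messes with the Admin session data" concern: without it, decoding a visitor's record would overwrite the admin's own $_SESSION for the rest of the request.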
Ya, I agree on your last point, for sure! but everyone pestering to get whos-online to show details want to see the Cart Contents. They don't care about numbers or $$. They literally want to spy on exactly what their visitors are doing. I think it's just wrong. But who am I?
As to unserialize, that won't accomplish what's needed, and certainly won't work in the case of encrypted suhosin session content.
More research required.
Personally, I only use the information to check for shoppers before I do any quick changes to the live site.
I can't think of any useful insight that can be gained by seeing what visitors have in their carts at any moment in time.
Reading the session data is just bad. I know this isn't a democracy but I'd vote for dropping it from the official release and let people do it with an add-on if they want.
If the session data is encrypted then there is nothing you can do to read it.
Regards,
Christian.
If suhosin session encryption is on then session_decode will attempt to decrypt the data before decoding the session. By default suhosin uses the browser's User Agent string as the encryption key, so session_decode will only successfully decrypt the data if you are using the exact same browser as the visitor.
Just check if the session string is encrypted and don't use session_decode on it if it is.
Regards,
Christian.
Thank you CJPinder. Your method works!