  1. #11
    Join Date
    Jan 2004
    Posts
    66,391
    Blog Entries
    7
    Plugin Contributions
    81

    Re: Message when cookies are disabled?

    Apparently your server is configured in such a way as to not properly set up sessions, thus pushing an invalid value into the session cookie, which then doesn't match what the server is expecting, which then forces it to put the zenid into the URL, which then your URL rewriting rules are turning into redirects.

    Zen Cart - putting the dream of business ownership within reach of anyone!
    Donate to: DrByte directly or to the Zen Cart team as a whole

    Remember: Any code suggestions you see here are merely suggestions. You assume full responsibility for your use of any such suggestions, including any impact ANY alterations you make to your site may have on your PCI compliance.
    Furthermore, any advice you see here about PCI matters is merely an opinion, and should not be relied upon as "official". Official PCI information should be obtained from the PCI Security Council directly or from one of their authorized Assessors.

  2. #12
    Join Date
    Apr 2009
    Location
    Athens, Europe
    Posts
    125
    Plugin Contributions
    0

    Re: Message when cookies are disabled?

    When cookies are enabled:

    Everything works fine.


    When cookies are disabled and session.use_only_cookies=0:

    Everything works fine.


    When cookies are disabled and session.use_only_cookies=1:

    The ?zenid number changes in the url after each click.
    This happens at my home server, at my host's lighttpd server and at my host's apache - 2 server.


    session.use_only_cookies=1 by default as of PHP 5.3:
    "session.use_only_cookies specifies whether the module will only use cookies to store the session id on the client side. Enabling this setting prevents attacks involving passing session ids in URLs. This setting was added in PHP 4.3.0. Defaults to 1 (enabled) since PHP 5.3.0."
    Kind regards,
    orange_juice
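
Added example, not part of the original posts and not Zen Cart or PHP code: a simplified Python model of how the server picks a session id for each request, reproducing the three cases reported above. The function names, and the rule that the store appends the current id to its links when no cookie comes back, are assumptions of the model.

```python
import secrets

def resolve_session(sessions, cookie_sid, url_sid, use_only_cookies):
    """Return the session id the server uses for one request (simplified model).

    A known id from the cookie wins. An id carried in the URL is honoured
    only when use_only_cookies is off. Otherwise a fresh session is started.
    """
    if cookie_sid in sessions:
        return cookie_sid
    if not use_only_cookies and url_sid in sessions:
        return url_sid
    new_sid = secrets.token_hex(8)  # constructed id, stands in for zenid
    sessions.add(new_sid)
    return new_sid

def browse(clicks, browser_accepts_cookies, use_only_cookies):
    """Simulate `clicks` page loads and return the session id used on each."""
    sessions = set()
    cookie_sid = None  # id stored by the browser, if it accepts cookies
    url_sid = None     # id carried as ?zenid=... in the link that was clicked
    seen = []
    for _ in range(clicks):
        sid = resolve_session(sessions, cookie_sid, url_sid, use_only_cookies)
        seen.append(sid)
        if browser_accepts_cookies:
            cookie_sid = sid  # Set-Cookie is stored and sent back next time
        else:
            url_sid = sid     # assumed: store appends the id to its own links
    return seen

def distinct_ids(clicks, browser_accepts_cookies, use_only_cookies):
    """Number of different session ids a visitor ends up with."""
    return len(set(browse(clicks, browser_accepts_cookies, use_only_cookies)))

if __name__ == "__main__":
    cases = [
        ("cookies on,  use_only_cookies=1", True, True),
        ("cookies off, use_only_cookies=0", False, False),
        ("cookies off, use_only_cookies=1", False, True),
    ]
    for label, accepts, only_cookies in cases:
        print(label, "->", distinct_ids(5, accepts, only_cookies), "session id(s)")
```

In the third case the URL id is ignored and no cookie arrives, so every click starts a new session and the id shown in the URL changes each time.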

  3. #13
    Join Date
    Jan 2004
    Posts
    66,391
    Blog Entries
    7
    Plugin Contributions
    81

    Re: Message when cookies are disabled?

    Originally posted by orange_juice:
    > When cookies are enabled:
    >
    > Everything works fine.

    As expected.

    Originally posted by orange_juice:
    > When cookies are disabled and session.use_only_cookies=0:
    >
    > Everything works fine.

    As expected.

    Originally posted by orange_juice:
    > When cookies are disabled and session.use_only_cookies=1:
    >
    > The ?zenid number changes in the url after each click.

    As expected.

  4. #14
    Join Date
    Apr 2009
    Location
    Athens, Europe
    Posts
    125
    Plugin Contributions
    0

    Re: Message when cookies are disabled?

    Thank you!

    This trend seems to imply that it is more secure for both the server and the client to accept the session cookie of zen-cart and set the browser to automatically delete it after the browser is closed, than to reject cookies and allow the session to be appended at the url.

    Therefore, I think the Configuration -> Sessions -> "Force Cookie" = true setting is closer to what Google, Yahoo and other major websites with robust privacy policies accept as a sound and effective security measure.

    Kind regards,
    orange_juice

  5. #15
    Join Date
    Apr 2009
    Location
    Athens, Europe
    Posts
    125
    Plugin Contributions
    0

    Re: Message when cookies are disabled?

    Hallo again!

    I saw that when I set Force Cookie = true, a cookie named "cookie_test" is sent from my store which expires after one month.

    Would it cause any technical issue if I set this cookie to expire at the end of the session?

    Thank you for your help.

    Kind regards,
    orange_juice

  6. #16
    Join Date
    Jan 2004
    Posts
    66,391
    Blog Entries
    7
    Plugin Contributions
    81

    Re: Message when cookies are disabled?

    It won't cause any technical issue. What specific reason do you have for wanting to change it?

  7. #17
    Join Date
    Apr 2009
    Location
    Athens, Europe
    Posts
    125
    Plugin Contributions
    0

    Re: Message when cookies are disabled?

    Thank you for your prompt answer.

    My thought is the following:

    I have set Force cookies = true, and when someone with disabled cookies tries to log in or place something in his basket, a message appears that notifies him of this policy.

    Since I "oblige" users to accept cookies, I would like to inform them of which cookies are stored on their computer from my site.

    There are two: cookie_test and zenid.

    zenid expires at the end of the session. I consider it very nice and discreet to have cookie_test expire at the end of the session too.

    This way, even the user most sensitive about cookies will feel that "I entered that store, they informed me that they do the most to keep my visit safe without collecting any personal data in cookies, and when I exited it was like I never entered because nothing was left on my hard disk."

    Kind regards,
    orange_juice

 

 