Session IDs in URLs - How to Remove?

[quote name='ExtremeCreations']It would be good to have this as a config option for those who have SSL on their site domain.[/quote]



It will be detected automatically since CS-Cart 2.0.8

Just want to highlight that linking the session to an IP address is not a good idea, as there are users who might be behind transparent proxies and have dynamically changing IP addresses every few minutes.



Unless of course you use:

$_SERVER['HTTP_X_FORWARDED_FOR'] to check for the IP that is passed from the proxy,

but there have been discussions mentioning that $_SERVER['HTTP_X_FORWARDED_FOR'] might be spoofable and thus might pose a security risk.



But using $_SERVER['REMOTE_ADDR'] in authentication checks is definitely a no-no for users behind transparent proxies.



For more examples of how this affects users, you can look up discussions on how users behind transparent proxies are unable to log in to the updated versions of IPB forums.
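The two problems raised above (REMOTE_ADDR is the proxy's address, X-Forwarded-For can be written by anyone) have a standard resolution: only honour X-Forwarded-For when REMOTE_ADDR is one of your own proxies, and read it from the right-hand end. The following is an added example written for this thread, not CS-Cart's own code; the TRUSTED_PROXIES addresses, the /24 and /48 prefix widths, and the sample request environments are all assumptions.

```php
<?php
// Added example (not CS-Cart's code): resolve the client IP without trusting
// a spoofable X-Forwarded-For, then reduce it to a prefix that survives the
// address churn behind transparent proxies. TRUSTED_PROXIES is an assumed value.
declare(strict_types=1);

// Assumption: these are the only hosts allowed to sit between us and the client.
const TRUSTED_PROXIES = ['10.0.0.5', '10.0.0.6'];

function clientIp(array $server, array $trustedProxies = TRUSTED_PROXIES): string
{
    $remote = $server['REMOTE_ADDR'] ?? '';
    if (filter_var($remote, FILTER_VALIDATE_IP) === false) {
        throw new RuntimeException('REMOTE_ADDR missing or invalid');
    }
    // REMOTE_ADDR is the TCP peer. It cannot be forged across a completed
    // handshake, but behind a proxy it is the proxy's address, not the user's.
    if (!in_array($remote, $trustedProxies, true)) {
        // Direct connection: any X-Forwarded-For present was written by the client.
        return $remote;
    }
    $xff = $server['HTTP_X_FORWARDED_FOR'] ?? '';
    if ($xff === '') {
        return $remote;
    }
    // XFF reads "client, proxy1, proxy2": each hop appends the peer it saw.
    // Walk from the right, skipping hops we trust; the first untrusted address
    // is the best available client IP. Anything further left was appended by
    // an untrusted party and may be forged.
    $hops = array_map('trim', explode(',', $xff));
    for ($i = count($hops) - 1; $i >= 0; $i--) {
        if (filter_var($hops[$i], FILTER_VALIDATE_IP) === false) {
            return $remote; // malformed header: ignore it entirely
        }
        if (!in_array($hops[$i], $trustedProxies, true)) {
            return $hops[$i];
        }
    }
    return $remote; // every hop was one of ours
}

// Bind sessions to a network prefix (/24 for IPv4, /48 for IPv6) rather than
// the exact address, so a user whose proxy pool rotates addresses inside one
// range keeps the session while a copy of the URL used from elsewhere does not.
function ipPrefix(string $ip): string
{
    $bin = inet_pton($ip);
    if ($bin === false) {
        throw new InvalidArgumentException("not an IP address: $ip");
    }
    $keep = strlen($bin) === 4 ? 3 : 6;
    $masked = substr($bin, 0, $keep) . str_repeat("\0", strlen($bin) - $keep);
    return inet_ntop($masked) . '/' . ($keep * 8);
}

// The check a session handler would run: compare the prefix stored at login
// with the prefix of the current request.
function sessionMatchesClient(array $session, array $server): bool
{
    return isset($session['ip_prefix'])
        && hash_equals($session['ip_prefix'], ipPrefix(clientIp($server)));
}

// Constructed request environments, not captured traffic.
$cases = [
    'direct, forged XFF'     => ['REMOTE_ADDR' => '203.0.113.7',
                                 'HTTP_X_FORWARDED_FOR' => '127.0.0.1'],
    'via proxy, honest XFF'  => ['REMOTE_ADDR' => '10.0.0.5',
                                 'HTTP_X_FORWARDED_FOR' => '203.0.113.7'],
    'via proxy, prepended'   => ['REMOTE_ADDR' => '10.0.0.5',
                                 'HTTP_X_FORWARDED_FOR' => '127.0.0.1, 203.0.113.7'],
    'via proxy, IPv6 client' => ['REMOTE_ADDR' => '10.0.0.6',
                                 'HTTP_X_FORWARDED_FOR' => '2001:db8:1:2::9'],
];
foreach ($cases as $label => $env) {
    $ip = clientIp($env);
    printf("%-24s -> %-18s prefix %s\n", $label, $ip, ipPrefix($ip));
}
```

In the first three constructed cases the resolved address is 203.0.113.7: the forged 127.0.0.1 is ignored whether it arrives on a direct connection or is prepended by the client before a trusted proxy appends the real peer. Binding to the prefix rather than the exact address is a compromise; it narrows who can replay a leaked session id without kicking out every user whose outbound address rotates within one provider range. Users whose proxies hand out addresses from unrelated ranges will still be logged out, which is exactly the IPB situation described above, so the binding is best treated as a soft signal (re-authenticate) rather than a hard rejection.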

My domain has SSL installed and I upgraded to the latest v2.0.8. I have a customer losing cart contents whenever he tries to check out (without registering an account). I checked; there is no ssid attached to the store URL. Is this normal? Is there something I can do so that this customer can check out successfully, or does it have to do with my customer's computer? Thank you!

Any update on this? I'm reluctant to move to 2.0.8 if there are still more issues with session_id security and/or SEO or JavaScript.

[quote name='nodame']Just want to highlight that linking the session to an IP address is not a good idea, as there are users who might be behind transparent proxies and have dynamically changing IP addresses every few minutes.



Unless of course you use:

$_SERVER['HTTP_X_FORWARDED_FOR'] to check for the IP that is passed from the proxy,

but there have been discussions mentioning that $_SERVER['HTTP_X_FORWARDED_FOR'] might be spoofable and thus might pose a security risk.



But using $_SERVER['REMOTE_ADDR'] in authentication checks is definitely a no-no for users behind transparent proxies.



For more examples of how this affects users, you can look up discussions on how users behind transparent proxies are unable to log in to the updated versions of IPB forums.[/quote]



So, do you suggest removing IP address linking? I don't see any security issues here: if you don't link the session with the IP, ANYONE can use it, but if you do link it, only users from the same proxy can. I think this is better than nothing.

[quote]

So, do you suggest removing IP address linking? I don't see any security issues here: if you don't link the session with the IP, ANYONE can use it, but if you do link it, only users from the same proxy can. I think this is better than nothing.

[/quote]



Anything to do with the session should be posted, and any additional refinement (linking session IDs to IPs) just makes it more secure. No one (even ignorant people) should be able to pass their session info to another by cutting/pasting a URL.
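The cleaner fix for the cut-and-paste problem is to never let the session id reach a URL in the first place and to rotate it at login, so IP binding becomes a secondary check rather than the only one. The block below is an added example written for this thread, not CS-Cart's own code; it assumes PHP 7.3 or later (for the samesite setting), a session cookie named PHPSESSID, and the constructed URLs at the end.

```php
<?php
// Added example (not CS-Cart's code): keep the session id out of URLs
// entirely and rotate it on login. Cookie name and sample URLs are assumptions.
declare(strict_types=1);

const SESSION_COOKIE = 'PHPSESSID'; // assumed cookie/parameter name

function hardenSessionIni(): void
{
    ini_set('session.use_only_cookies', '1');  // never read the id from GET/POST
    ini_set('session.use_trans_sid', '0');     // never rewrite links to carry it
    ini_set('session.use_strict_mode', '1');   // refuse ids the server did not issue
    ini_set('session.cookie_httponly', '1');   // script cannot read the cookie
    ini_set('session.cookie_secure', '1');     // HTTPS only (the SSL case above)
    ini_set('session.cookie_samesite', 'Lax'); // PHP 7.3+
}

// Given a request URL, return the same URL with the session parameter removed,
// or null if it carried none. Used to scrub a pasted or forwarded link.
function urlWithoutSid(string $url, string $param = SESSION_COOKIE): ?string
{
    $parts = parse_url($url);
    if ($parts === false || !isset($parts['query'])) {
        return null;
    }
    parse_str($parts['query'], $query);
    if (!array_key_exists($param, $query)) {
        return null;
    }
    unset($query[$param]);
    $rebuilt = ($parts['scheme'] ?? 'https') . '://' . ($parts['host'] ?? '')
        . (isset($parts['port']) ? ':' . $parts['port'] : '')
        . ($parts['path'] ?? '/');
    if ($query !== []) {
        $rebuilt .= '?' . http_build_query($query);
    }
    if (isset($parts['fragment'])) {
        $rebuilt .= '#' . $parts['fragment'];
    }
    return $rebuilt;
}

// Call at the top of every request, before any output.
function startSessionSafely(string $requestUrl): void
{
    hardenSessionIni();
    session_name(SESSION_COOKIE);
    $clean = urlWithoutSid($requestUrl);
    if ($clean !== null) {
        // Someone followed a link that embedded a session id. use_only_cookies
        // already stops PHP adopting it; redirect so the tainted URL is not
        // bookmarked, logged by the browser history, or shared any further.
        header('Location: ' . $clean, true, 302);
        exit;
    }
    session_start();
}

// Call exactly once after credentials have been verified.
function onSuccessfulLogin(int $userId): void
{
    // A fresh id at the privilege change: any id handed to the victim before
    // login (session fixation) no longer maps to the authenticated session.
    session_regenerate_id(true);
    $_SESSION['user_id'] = $userId;
    $_SESSION['login_at'] = time();
}

// Demonstration of the URL scrubber on constructed links (no web server needed):
foreach ([
    'https://shop.example/checkout?PHPSESSID=abc123&step=2#pay',
    'https://shop.example/?PHPSESSID=abc123',
    'https://shop.example/products?cat=5',
] as $url) {
    var_dump(urlWithoutSid($url));
}
```

With use_only_cookies and use_strict_mode set, a copied URL carries nothing PHP will honour and an id the server never issued is discarded, so the session can only travel with the cookie. The redirect is there for hygiene rather than security: it stops the tainted link propagating into bookmarks, referrers and shared messages. Regenerating the id on login closes the remaining gap, where an attacker plants an id before the victim authenticates and then reuses it afterwards.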