Hi,
Somewhere out in the world there is a link to one of my product pages containing a sid.
The link is wwwgpsaffiliate.co.uk/khxc/index.php?ap … 59xxxxx...
From a customer I know the link is somewhere on a product related site, but the customer could not recall exactly where she followed the link from.
Anyone following this link and trying to buy from the site gets access to the previous customer's name, e-mail and address info. They can also order on their credit card and get the goods sent to the previous customer!
I am trying to find where the link is to get it modified, but is there any way I can force a new sid if the site sees the w959xxxx sid above?
Thanks
Rob
There can't possibly be any credit card information associated with using a sid like that. CCP does not, under any circumstances, store any credit card information.
If you delete that sid from the khxc_sessions table using raw DB admin there will no longer be any information at all associated with it.
Hi Dave,
Agreed there is no possibility of credit Card info being retained.
I originally intended to convey that customer 2, paying with customer 2's credit card, could get their order sent to a previous customer's address - this very nearly happened with one of our customers, so this is an issue I need to fix.
I followed your suggestion and deleted the sid from khxc_session no problem.
However, when I tried connecting to the site including the sid in the path, the site accepts the sid and there is a new entry in the khxc_sessions db. This entry does not contain any user info yet, but if someone follows the link containing the sid and inputs user data we are back to square one.
Any idea on somehow making this particular sid invalid?
Rob
The URL with the sid has been indexed by Google so you'll want to use their webmaster tools to request that the link be removed from the search results. Do a search for sid= site:gpsaffiliate.co.uk and you'll spot it.
Hi Dave,
Have requested Google remove the results containing the sid.
Also looked through the analytics - we have had 140 visits so far using the sid in the URL. As far as I can tell this particular sid is the only one being referenced, so I think there is a site out there somewhere that has linked to us incorrectly.
A Google search on the full URL including the sid did not find anything useful - we are trying to find where we have inbound links to see where this rogue link is.
Any way of preventing this sid being used until we find the problem site?
Rob
Hi Dave,
Some digging in Google Analytics and I have found the "rogue" site with the sid in the link to us and have requested this be corrected.
So as long as no one has copied that link we should be OK.
Thanks for your help.
Rob
One way you could make sure it's never used again would be to add a rewrite rule to .htaccess that detects the complete URL with the sid and redirects it to your home page. After adding that rule deleting the entry from the sessions table should prevent that particular sid from ever being valid again.
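The rewrite rule described in the previous post, written out as an added example (not code from the thread or from CCP). It assumes the .htaccess file sits in the document root, that the store path is khxc/index.php as in the original link, and LEAKED_SID_HERE is a placeholder for the actual leaked sid value:

```apache
RewriteEngine On

# Match only when the query string carries the leaked sid, wherever it
# appears among the parameters (LEAKED_SID_HERE is a placeholder).
RewriteCond %{QUERY_STRING} (?:^|&)sid=LEAKED_SID_HERE(?:&|$) [NC]

# Send the visitor to the home page. The trailing "?" discards the
# incoming query string, so the sid never reaches the application and
# the store issues a fresh session instead.
RewriteRule ^khxc/index\.php$ /? [R=302,L]
```

With the rule in place, deleting the row for that sid from khxc_sessions (as the post suggests) leaves nothing for the old link to resume.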
If you use SEO URLs, then you can safely restrict access to your CCP6 URLs with the SID in robots.txt.
That'll help keep good SEs from indexing SIDs.
We do that and all our category and product pages using SEO URLs are indexed okay, which are the ones we care about being indexed.
Last edited by Blitzen (03-24-2009 10:58:56)
Search engines are already handled by CCP and no explicit rules should be required. When a bot is detected the URL they are given will never contain a session ID.
Hi Dave,
Thanks for the suggestion of the .htaccess rule - I think that would work fine.
I have checked through the analytics for yesterday and we have no more visits with sid included so I think we have the problem under control.
Also useful to know that the URLs the bots get definitely do not contain sid info.
Thanks.
Rob