Session ID's on Product Links

    Session ID's on Product Links

    I'm using the new URI system and if you go to the Account page, which will show /customer-account.html?Session_ID=XXXXX and then from there, try to go back to a not-secure product page, that session ID is carrying over onto the product URL.

    How do I prevent that? I'm sure there is a setting somewhere within the new system, but I can't isolate it.
    Ted Hust
    AarcMediaGroup.com

    Celebrating 13 Years of Outstanding Service & Support
    Miva Merchant Design

    #2
    Re: Session ID's on Product Links

    The SessionID is used for ensuring the shopper's account and cart stay intact. It's not hurting anything, nor is that the actual URL that outsiders see.
    Best,
    Pamela

    Consultant / Developer / Trainer
    Contributing Editor to Practical Ecommerce
    Author of the Official Guides for Miva Merchant
    pamelahazelton.com



      #3
      Re: Session ID's on Product Links

      Originally posted by aarcmedia
      I'm using the new URI system and if you go to the Account page, which will show /customer-account.html?Session_ID=XXXXX and then from there, try to go back to a not-secure product page, that session ID is carrying over onto the product URL.

      How do I prevent that? I'm sure there is a setting somewhere within the new system, but I can't isolate it.
      You can alter this behavior via Domain Settings -> Site Configuration -> Include Session Parameters in Miva Merchant URLs

      It defaults to "When transitioning between Secure and Non-Secure URLs" but you could set it to Never if you wanted to try that.

      I generally recommend not changing that setting. In years past, Merchant would use the same cookie and session ID for secure and insecure sessions, so transitioning between insecure and secure pages, and back, would not pose any risk of a lost basket. Due to PA-DSS security requirements, Merchant now uses unique cookies for insecure and secure pages. Most of the time, if the customer had started on an insecure page and transitioned to secure, you probably won't have a problem, but the session ID is added to links going back to insecure to ensure the basket is not lost if the shopper, by chance, started shopping on a secure page and never received an insecure session cookie, in which case, they'd lose their basket.

      An alternative to changing that setting and also never seeing the session ID would be to set the store to operate solely in secure mode (by using https in the insecure URL setting) and adding a .htaccess rule to force redirecting to https.
      David Hubbard
      CIO
      Miva
      http://www.miva.com
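
A check that can be run after changing the session-parameter setting or moving the store to HTTPS-only, added here as an example (not part of the thread and not Miva's code): it lists the links on a page that still carry the Session_ID parameter and flags those that point at plain HTTP. The host store.example, the sample HTML and the function names are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit, parse_qs

SESSION_PARAM = "session_id"  # parameter name from the thread, compared case-insensitively


class _LinkCollector(HTMLParser):  # collects href values from <a> tags
    def __init__(self):
        super().__init__()
        self.hrefs = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            for name, value in attrs:
                if name == "href" and value:
                    self.hrefs.append(value)


def session_links(html, page_url):
    """Return (absolute_url, scheme) for every link carrying the session parameter."""
    collector = _LinkCollector()
    collector.feed(html)
    found = []
    for href in collector.hrefs:
        absolute = urljoin(page_url, href)  # resolve relative links against the page
        parts = urlsplit(absolute)
        params = {k.lower() for k in parse_qs(parts.query, keep_blank_values=True)}
        if SESSION_PARAM in params:
            found.append((absolute, parts.scheme))
    return found


def plain_http_exposures(html, page_url):
    """Links that would send the session parameter over unencrypted HTTP."""
    return [url for url, scheme in session_links(html, page_url) if scheme == "http"]


# Constructed sample: an account page on the secure host linking back to the store.
SAMPLE_PAGE_URL = "https://store.example/customer-account.html?Session_ID=XXXXX"
SAMPLE_HTML = """
<a href="http://store.example/widget.html?Session_ID=XXXXX">Widget</a>
<a href="/gadget.html?session_id=XXXXX&amp;color=red">Gadget</a>
<a href="http://store.example/about.html">About</a>
<a href="checkout.html?Session_ID=XXXXX">Checkout</a>
"""

if __name__ == "__main__":
    for url in plain_http_exposures(SAMPLE_HTML, SAMPLE_PAGE_URL):
        print("session ID on plain-HTTP link:", url)
```

With the store running solely over https, `plain_http_exposures` should return an empty list for every page checked.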
