Mailing List Archive

Retain shopping cart after browser restart
I noticed that Interchange loses the session once the browser is
closed and re-opened. Is there a way to make it persistent so that
the shopping cart contents are retained like Amazon?

- Grant

_______________________________________________
interchange-users mailing list
interchange-users@icdevgroup.org
http://www.icdevgroup.org/mailman/listinfo/interchange-users
Re: Retain shopping cart after browser restart
> I noticed that Interchange loses the session once the browser is
> closed and re-opened. Is there a way to make it persistent so that
> the shopping cart contents are retained like Amazon?
>
> - Grant


It looks like I may be out of luck as far as keeping sessions persistent:

http://www.icdevgroup.org/pipermail/interchange-users/2011-January/052595.html

If so, is there a preferred method of retaining shopping cart contents
in the same browser across sessions without requiring the user to log
in? If there is not, should I simply use set-cookie to save the
current cart contents at every page load and read-cookie whenever
creating a new session?

- Grant

Re: Retain shopping cart after browser restart
On Tue, 1 Dec 2015, Grant wrote:

>> I noticed that Interchange loses the session once the browser is closed
>> and re-opened. Is there a way to make it persistent so that the
>> shopping cart contents are retained like Amazon?
>
> It looks like I may be out of luck as far as keeping sessions
> persistent:
>
> http://www.icdevgroup.org/pipermail/interchange-users/2011-January/052595.html
>
> If so, is there a preferred method of retaining shopping cart contents
> in the same browser across sessions without requiring the user to log
> in? If there is not, should I simply use set-cookie to save the current
> cart contents at every page load and read-cookie whenever creating a new
> session?

In that email from Mike that you pointed to, he pointed at how to do it
(while also explaining why it's not the default).

You need to set an expiration date on the MV_SESSION_ID cookie so it will
persist after the browser is closed.

You can do this by setting a GlobalSub in your interchange.cfg like this
(to make the cookie last 1 week, for example):

GlobalSub <<EOR
sub set_cookie_expire {
    # Give the MV_SESSION_ID cookie an expiration date one week from now
    $Vend::Expire = Vend::Config::time_to_seconds('1 week') + time();
    return 1;
}
EOR

And then running it on every page load by setting an Autoload in your
catalog.cfg like this:

Autoload set_cookie_expire

Jon

--
Jon Jensen
End Point Corporation
https://www.endpoint.com/

Re: Retain shopping cart after browser restart
>>> I noticed that Interchange loses the session once the browser is closed
>>> and re-opened. Is there a way to make it persistent so that the shopping
>>> cart contents are retained like Amazon?
>>
>>
>> It looks like I may be out of luck as far as keeping sessions persistent:
>>
>>
>> http://www.icdevgroup.org/pipermail/interchange-users/2011-January/052595.html
>>
>> If so, is there a preferred method of retaining shopping cart contents in
>> the same browser across sessions without requiring the user to log in? If
>> there is not, should I simply use set-cookie to save the current cart
>> contents at every page load and read-cookie whenever creating a new session?
>
>
> In that email from Mike that you pointed to, he pointed at how to do it
> (while also explaining why it's not the default).
>
> You need to set an expiration date on the MV_SESSION_ID cookie so it will
> persist after the browser is closed.
>
> You can do this by setting a GlobalSub in your interchange.cfg like this (to
> make the cookie last 1 week, for example):
>
> GlobalSub <<EOR
> sub set_cookie_expire {
> $Vend::Expire = Vend::Config::time_to_seconds('1 week') + time();
> return 1;
> }
> EOR
>
> And then running it on every page load by setting an Autoload in your
> catalog.cfg like this:
>
> Autoload set_cookie_expire


Hi Jon, thank you for the code. I noticed that comment from Mike but
he referenced a related security issue which scared me off. Do you
know what he was referring to?

If I do implement it that way, to make sure my understanding is
correct, I should synchronize the expiration times in Vend::Expire,
SessionExpire, and in my find command which deletes old session
files/dirs?

- Grant

Re: Retain shopping cart after browser restart
Quoting Grant (emailgrant@gmail.com):
> >>> I noticed that Interchange loses the session once the browser is closed
> >>> and re-opened. Is there a way to make it persistent so that the shopping
> >>> cart contents are retained like Amazon?
> >>
> >>
> >> It looks like I may be out of luck as far as keeping sessions persistent:
> >>
> >>
> >> http://www.icdevgroup.org/pipermail/interchange-users/2011-January/052595.html
> >>
> >> If so, is there a preferred method of retaining shopping cart contents in
> >> the same browser across sessions without requiring the user to log in? If
> >> there is not, should I simply use set-cookie to save the current cart
> >> contents at every page load and read-cookie whenever creating a new session?
> >
> >
> > In that email from Mike that you pointed to, he pointed at how to do it
> > (while also explaining why it's not the default).
> >
> > You need to set an expiration date on the MV_SESSION_ID cookie so it will
> > persist after the browser is closed.
> >
> > You can do this by setting a GlobalSub in your interchange.cfg like this (to
> > make the cookie last 1 week, for example):
> >
> > GlobalSub <<EOR
> > sub set_cookie_expire {
> > $Vend::Expire = Vend::Config::time_to_seconds('1 week') + time();
> > return 1;
> > }
> > EOR
> >
> > And then running it on every page load by setting an Autoload in your
> > catalog.cfg like this:
> >
> > Autoload set_cookie_expire
>
>
> Hi Jon, thank you for the code. I noticed that comment from Mike but
> he referenced a related security issue which scared me off. Do you
> know what he was referring to?

I think it's just that session cookies are supposed to expire at the end
of the session, so it's counter-intuitive to keep them around longer.
I'm not sure of security ramifications, but since it's not a login
cookie, if it stays around after browser close, then any user data
(collected during an order or order attempt) would be in there. This is
a problem on public computers -- you can't "logout" of a session...

I have just released cart-cookie support, which provides for saving cart
info between sessions, when using the same browser:
https://github.com/jdigory/interchange-extras/tree/master/cart-cookie

It may be a more ideal solution to your problem than keeping session
cookies around.

--
Josh Lavin
End Point Corporation

Re: Retain shopping cart after browser restart
>> >>> I noticed that Interchange loses the session once the browser is closed
>> >>> and re-opened. Is there a way to make it persistent so that the shopping
>> >>> cart contents are retained like Amazon?
>> >>
>> >>
>> >> It looks like I may be out of luck as far as keeping sessions persistent:
>> >>
>> >>
>> >> http://www.icdevgroup.org/pipermail/interchange-users/2011-January/052595.html
>> >>
>> >> If so, is there a preferred method of retaining shopping cart contents in
>> >> the same browser across sessions without requiring the user to log in? If
>> >> there is not, should I simply use set-cookie to save the current cart
>> >> contents at every page load and read-cookie whenever creating a new session?
>> >
>> >
>> > In that email from Mike that you pointed to, he pointed at how to do it
>> > (while also explaining why it's not the default).
>> >
>> > You need to set an expiration date on the MV_SESSION_ID cookie so it will
>> > persist after the browser is closed.
>> >
>> > You can do this by setting a GlobalSub in your interchange.cfg like this (to
>> > make the cookie last 1 week, for example):
>> >
>> > GlobalSub <<EOR
>> > sub set_cookie_expire {
>> > $Vend::Expire = Vend::Config::time_to_seconds('1 week') + time();
>> > return 1;
>> > }
>> > EOR
>> >
>> > And then running it on every page load by setting an Autoload in your
>> > catalog.cfg like this:
>> >
>> > Autoload set_cookie_expire
>>
>>
>> Hi Jon, thank you for the code. I noticed that comment from Mike but
>> he referenced a related security issue which scared me off. Do you
>> know what he was referring to?
>
> I think it's just that session cookies are supposed to expire at the end
> of the session, so it's counter-intuitive to keep them around longer.
> I'm not sure of security ramifications, but since it's not a login
> cookie, if it stays around after browser close, then any user data
> (collected during an order or order attempt) would be in there. This is
> a problem on public computers -- you can't "logout" of a session...
>
> I have just released cart-cookie support, which provides for saving cart
> info between sessions, when using the same browser:
> https://github.com/jdigory/interchange-extras/tree/master/cart-cookie
>
> It may be a more ideal solution to your problem than keeping session
> cookies around.


Very nice. If I decide to set the expiration time of session cookies,
I can't think of anywhere a user's entered data is displayed in a
session besides on the checkout form. If I prevent that, is their
data still potentially readable somehow?

- Grant

Re: Retain shopping cart after browser restart
Quoting Grant (emailgrant@gmail.com):
> >> >>> I noticed that Interchange loses the session once the browser is closed
> >> >>> and re-opened. Is there a way to make it persistent so that the shopping
> >> >>> cart contents are retained like Amazon?
> >> >>
> >> >>
> >> >> It looks like I may be out of luck as far as keeping sessions persistent:
> >> >>
> >> >>
> >> >> http://www.icdevgroup.org/pipermail/interchange-users/2011-January/052595.html
> >> >>
> >> >> If so, is there a preferred method of retaining shopping cart contents in
> >> >> the same browser across sessions without requiring the user to log in? If
> >> >> there is not, should I simply use set-cookie to save the current cart
> >> >> contents at every page load and read-cookie whenever creating a new session?
> >> >
> >> >
> >> > In that email from Mike that you pointed to, he pointed at how to do it
> >> > (while also explaining why it's not the default).
> >> >
> >> > You need to set an expiration date on the MV_SESSION_ID cookie so it will
> >> > persist after the browser is closed.
> >> >
> >> > You can do this by setting a GlobalSub in your interchange.cfg like this (to
> >> > make the cookie last 1 week, for example):
> >> >
> >> > GlobalSub <<EOR
> >> > sub set_cookie_expire {
> >> > $Vend::Expire = Vend::Config::time_to_seconds('1 week') + time();
> >> > return 1;
> >> > }
> >> > EOR
> >> >
> >> > And then running it on every page load by setting an Autoload in your
> >> > catalog.cfg like this:
> >> >
> >> > Autoload set_cookie_expire
> >>
> >>
> >> Hi Jon, thank you for the code. I noticed that comment from Mike but
> >> he referenced a related security issue which scared me off. Do you
> >> know what he was referring to?
> >
> > I think it's just that session cookies are supposed to expire at the end
> > of the session, so it's counter-intuitive to keep them around longer.
> > I'm not sure of security ramifications, but since it's not a login
> > cookie, if it stays around after browser close, then any user data
> > (collected during an order or order attempt) would be in there. This is
> > a problem on public computers -- you can't "logout" of a session...
> >
> > I have just released cart-cookie support, which provides for saving cart
> > info between sessions, when using the same browser:
> > https://github.com/jdigory/interchange-extras/tree/master/cart-cookie
> >
> > It may be a more ideal solution to your problem than keeping session
> > cookies around.
>
>
> Very nice. If I decide to set the expiration time of session cookies,
> I can't think of anywhere a user's entered data is displayed in a
> session besides on the checkout form. If I prevent that, is their data
> still potentially readable somehow?

Anywhere else you use [value fname] etc, or if you have a dump.html
page.

But why would you prevent reading the session on checkout page? That is
a feature -- so when someone enters their name/address once, it is
remembered the next time in their session that they return to the page.

--
Josh Lavin
End Point Corporation

Re: Retain shopping cart after browser restart
On Thu, 3 Dec 2015, Grant wrote:

> If I decide to set the expiration time of session cookies, I can't think
> of anywhere a user's entered data is displayed in a session besides on
> the checkout form. If I prevent that, is their data still potentially
> readable somehow?

The session data is no more or less readable with a permanent cookie than
it is with what you have now, except that it survives closing the browser.
So as Josh mentioned, if someone logs in at a public computer at a
library, school, Internet cafe, etc., it'll be logged into their account
until the session expires. You have to figure out what the security
implications of that are for your site -- there's no one right answer
about what you should do there.

Jon

--
Jon Jensen
End Point Corporation
https://www.endpoint.com/

Re: Retain shopping cart after browser restart
>> If I decide to set the expiration time of session cookies, I can't think
>> of anywhere a user's entered data is displayed in a session besides on the
>> checkout form. If I prevent that, is their data still potentially readable
>> somehow?
>
>
> The session data is no more or less readable with a permanent cookie than it
> is with what you have now, except that it survives closing the browser. So
> as Josh mentioned, if someone logs in at a public computer at a library,
> school, Internet cafe, etc., it'll be logged into their account until the
> session expires. You have to figure out what the security implications of
> that are for your site -- there's no one right answer about what you should
> do there.


On my site, the session data is only readable on the checkout page and
I would like to keep it readable there because I think it's convenient
for the customer. Given that, I don't think it's a good idea to keep
sessions alive after a browser restart on my site. I'll tinker with
cart-cookie. Thank you Josh and Jon.

- Grant
