I'm testing a new Magento site. I see that each time a customer selects a product, if cookies are NOT enabled, they are unable to add the product to the cart. Searching for a solution, I found a message that can be enabled to pop up telling customers that cookies need to be enabled... That's great, but if a customer doesn't want to enable cookies, a sale is lost.
Is there a way to disable Magento from even checking if you have cookies enabled or disabled? In other words, I don't care if the customers have cookies enabled or disabled.
Or is that the way Magento is created, meaning it was created to check cookies in order to add product(s) to the cart?
In order to maintain sessions so the cart will work when cookies are not being accepted by the client, you will have to enable SID with the Use SID on Frontend setting in the System=>Configuration=>Web=>Session Validation Settings section.
This adds an SID= parameter to the URL string.
Play with the above to see if it's stable enough in your environment to do what you're attempting to do. It's normally intended for use on sites that have certain issues when switching from insecure http to secure https, or that have the secure domain on a separate domain from the insecure content domain, and is expected to be a supplement to SID cookies.
Magento expects cookies to be passed because you need to maintain state in order to have a cart remember who you are. This is done by establishing a session and then exchanging a cookie token back and forth so the customer/webserver interaction all connects together during the cookie lifetime. Things usually go south pretty quickly if you don't allow cookies to be set and you start having issues like Magento creating a new cart every time something is added to the cart, disappearing cart contents and general inability to use customer accounts.
I'm building an ecommerce website, and have had a problem with two different payment gateways. Visitors enter their card details and then leave to the 3D Secure step, which requires visiting their bank's website. When they return from that, they have no cookies on our website, and we cannot recognize them to link up the order.
With one payment gateway, this results in the order failing; with the other, the payment comes through, but is not linked to any specific account or products purchased. Clearly, both of these are problems.
I know that plenty of browsers clear cookies on closing the browser, but I'm not aware of any that clear cookies just because you've left the site for a moment. (Furthermore, on one of the two payment gateways, the 3D Secure step is done in an iframe, so the user hasn't even left the site.) It's the user's session which is disappearing.
Concrete questions:
Is it common for session cookies to be this volatile? This is behaviour I've been unable to replicate myself. Is there some common browser setting or addon which aggressively (and prematurely) deletes session cookies?
Might there be something else causing the effects I'm seeing?
Might there be something else causing the effects I'm seeing?
In this kind of scenario, these days it often has to do with the SameSite attribute of the session cookie.
The Strict value will prevent cookies from being sent in any requests initiated by third-party websites. When users are redirected back to your site from the payment gateway, that is "navigation" from a third-party site, and the cookies are not sent; so your own session cannot be picked up at that point.
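The behaviour described in this answer, as an added example that is not part of the original answer: the session cookie settings in PHP, followed by a simplified model of when a browser attaches the cookie to a request coming back from the gateway. The function name and the three return scenarios are constructed for illustration.

```php
<?php
// Added example, not code from the answer above.
// PHP 7.3+ array form; must run before session_start() and before any output.
session_set_cookie_params([
    'lifetime' => 0,        // session cookie: gone when the browser closes
    'path'     => '/',
    'secure'   => true,     // required by browsers whenever SameSite=None is used
    'httponly' => true,
    'samesite' => 'Lax',    // 'Strict' drops the cookie on the return from the bank
]);

/**
 * Simplified model of the browser rule: is the cookie attached to a request
 * that another site (the payment gateway or bank) initiated?
 */
function cookieSentOnCrossSiteRequest(string $sameSite, string $method, bool $topLevel): bool
{
    $safe = in_array(strtoupper($method), ['GET', 'HEAD', 'OPTIONS', 'TRACE'], true);
    switch ($sameSite) {
        case 'None':
            return true;                  // always sent (cookie must also be Secure)
        case 'Lax':
            return $topLevel && $safe;    // top-level navigation with a safe method only
        default:
            return false;                 // 'Strict': never on cross-site requests
    }
}

// Constructed scenarios: ways a shopper can arrive back from the 3D Secure step.
$returns = [
    'GET redirect, top-level page' => ['GET', true],
    'POST back, top-level page'    => ['POST', true],
    'POST back inside an iframe'   => ['POST', false],
];
foreach (['Strict', 'Lax', 'None'] as $policy) {
    foreach ($returns as $label => [$method, $topLevel]) {
        $sent = cookieSentOnCrossSiteRequest($policy, $method, $topLevel);
        printf("%-6s | %-28s | %s\n", $policy, $label, $sent ? 'sent' : 'not sent');
    }
}
```

Lax is enough when the gateway returns the shopper with a plain top-level redirect; a POST back or a return inside an iframe only carries the session cookie with SameSite=None plus Secure.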
I have an ecommerce shop online using PHP, SQL, JavaScript, AJAX and sessions.
I have both guest and members cart options at checkout.
Everything works fine.
I store my cart items in a session currently.
Users can log in or have a guest cart.
Guest cart user ids are referenced by the current session id.
Members can log in and their carts are referenced by their user ids from the database.
The problem is, the session expires after a certain amount of time and so the cart items are lost and the user has to start again.
On doing some research I have found that after the user logs in, I can store his user id in a cookie and I can specify how long that cookie lasts for which is ideal!
I am thinking of changing the code so that I store the items added to the cart in my database tables and simply reference them with the user id I've stored in his cookie.
That way he can shop for ages and not lose his cart, and I can send abandoned cart emails etc...
I think this would work well as nearly every website uses cookies, so people have to have them enabled in their browser these days. I could show a warning message if cookies aren't enabled anyway.
What does everyone think about this?
Please note I am not seeking security advice here.
I haven't implemented this as yet - I'm really looking to see if I can set my session lifetime to last a few hours/days instead.
I see your problem with Guest checkout and normal checkout after login.
You can go and use cookies rather than using sessions for this.
Cookies have the setcookie() function with the time() method.
You can set an expiry time for that.
Go and use it, it can help you.
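A long-lived cart cookie set with setcookie() and an expiry, as an added example that is not the poster's code. It assumes the cookie holds a random token rather than the user id itself, and that cart rows are stored in a hypothetical `carts` table keyed by the token's hash; the cookie name and lifetime are constructed values.

```php
<?php
// Added example, not code from the answer above.
const CART_COOKIE = 'cart_token';       // hypothetical cookie name
const CART_TTL    = 30 * 24 * 3600;     // 30 days, constructed value

/** Return the visitor's cart token, issuing a new one when absent or malformed. */
function cartToken(array $cookies, callable $sendCookie): string
{
    $token = $cookies[CART_COOKIE] ?? '';
    if (!is_string($token) || !preg_match('/\A[0-9a-f]{64}\z/', $token)) {
        // Unguessable value: knowing one token says nothing about anyone else's.
        $token = bin2hex(random_bytes(32));
    }
    // Re-send on every request so the expiry slides forward while the shopper is active.
    $sendCookie(CART_COOKIE, $token, [
        'expires'  => time() + CART_TTL,
        'path'     => '/',
        'secure'   => true,
        'httponly' => true,
        'samesite' => 'Lax',
    ]);
    return $token;
}

/** Lookup key for the hypothetical carts table; the raw token is never stored. */
function cartKey(string $token): string
{
    return hash('sha256', $token);
}

// Must run before any output, like every call that sets a cookie.
$token = cartToken($_COOKIE, 'setcookie');
echo cartKey($token), "\n";
```

When the shopper logs in, the rows found under this key can be attached to the account's user id on the server, so the cookie never has to carry the id.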
I am working on a new PHP application that will allow users to register for an account in order to use my service. I want the website to comply with the new legislation that has come to the UK to allow visitors to the site to enable or disable the use of cookies on their first visit.
I'm not entirely sure, though, what the best way to implement this is. If I can't store a cookie, how would I keep track of whether the user is visiting the site for the first time in order to display the message, or, if it is not the first visit, not display the cookie message?
Thanks for any help you can provide.
The law is mainly concerned with 3rd party cookies. Yours is a first party cookie and these are generally assumed to be ok. You should be fine with a notice on your site specifying that you are using cookies and if people don't like that, they should get off your site (possibly worded more politely).
From the ICO's own recommendations:
First party analytics cookies are not likely to create a privacy risk if websites provide clear information about the cookies to users and privacy safeguards, eg a user friendly mechanism to opt out from any data collection and where they ensure that identifiable information is anonymised.
Also note that it's not really a law - it's an EU directive and it's not really enforced.
One should distinguish between session-cookies and other cookies:
Session-cookies will be removed as soon as the user closes the browser, they are important to get a secure session handling and will increase the privacy of the user. It would be absurd to forbid those cookies.
Persistent cookies, especially those of 3rd parties, can live a long time in the user's browser. They are often misused to collect information about the user, so the user should be asked whether he allows such cookies. Unfortunately only honest websites will ever care about this law/recommendation.
EDIT:
I found a description of exceptions in the ICO cookies guidance which seem to legitimize pure session-cookies:
There is an exception to the requirement to provide information about
cookies and obtain consent where the use of the cookie is:
(a) for the sole purpose of carrying out the transmission of a
communication over an electronic communications network; or
(b) where such storage or access is strictly necessary for the
provision of an information society service requested by the
subscriber or user.
...This exception is likely to apply, for example, to a cookie used to
ensure that when a user of a site has chosen the goods they wish to
buy and clicks the ‘add to basket’ or ‘proceed to checkout’ button,
the site ‘remembers’ what they chose on a previous page. This cookie
is strictly necessary to provide the service the user requests (taking
the purchase they want to make to the checkout) and so the exception
would apply and no consent would be required.
EDIT2:
Should you ask the user to store non-session-cookies and he doesn't allow them to be stored, then keep this information in your session, but ask him again when he returns with another session. It is his choice then to get this message whenever the browser was closed.
I want to create a session-less, cookie-less shopping cart. Where should I start? I am having issues on third-party cookies with Safari (eventually Firefox too) so I cannot use sessions for my cart.
If you only have issues with cookies, you can use sessions without cookies.
Turn off cookie use with session.use_cookies=0 and session.use_only_cookies=0, and turn on trans SID with session.use_trans_sid=1. When use_trans_sid is enabled, the session id is attached to every URL.
But it could be that you will need to manually add PHPSESSID to your links.
It's a PHP-based web store without user logins because all of the payments are handled via PayPal. My question is what would you guys suggest for the shopping cart - cookies, sessions, or both? I'm not too concerned with the longevity of the shopping cart's contents but I'd like for the user to be able to click around and do a few things before they commit the order. I'm leaning towards sessions because some people may still disable cookies on their machines.
PHP sessions use a cookie with the session id to track the user. I would go with sessions since it will handle all of the identification for you and make things easier and more transparent.
It is also possible to use sessions with no cookies and it will pass the session id around in the URL. That in some cases can be a security risk, but perhaps not so much in your situation.
By default, PHP sets a cookie on the visitor's browser to know which session id to use anyway, so the only real difference between the three options in the end would be how much data gets sent up to your server during the request.
That being said, you can also use sessions without cookies by making sure to add ?session_id={session_id();} to all of your internal links and the following to the beginning of every page:
if (isset($_GET['session_id'])) {
    // Resume the session whose id was passed in the URL
    session_id($_GET['session_id']);
}
session_start();
So, I recommend using sessions.
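A more defensive take on carrying the session id in the URL, as an added example that is not code from the answers above. It applies to the hand-built `session_id` parameter shown here and, for the checks made after session_start(), to the session.use_trans_sid approach from the earlier answer; the function names and the `issued_by_server` marker are hypothetical.

```php
<?php
// Added example, not code from the answers above.
ini_set('session.use_cookies', '0');       // cookie-less, as in the answers above
ini_set('session.use_strict_mode', '1');   // refuse ids the session store does not know
header('Referrer-Policy: same-origin');    // keep URL ids out of third-party Referer headers

const SID_PARAM = 'session_id';            // URL parameter name used in the answer above

/** Start a session from a URL-supplied id without adopting ids this server never issued. */
function startUrlSession(array $query): string
{
    $candidate = $query[SID_PARAM] ?? null;
    // Accept only strings shaped like PHP-generated ids; arrays and junk are ignored.
    if (is_string($candidate) && preg_match('/\A[A-Za-z0-9,-]{22,256}\z/', $candidate)) {
        session_id($candidate);
    }
    session_start();
    if (empty($_SESSION['issued_by_server'])) {
        // Unknown or expired id: switch to a fresh one rather than keep the caller's value.
        session_regenerate_id(true);
        $_SESSION['issued_by_server'] = true;   // hypothetical marker key
    }
    return session_id();
}

/** Call at login and at the start of checkout so a previously shared URL stops working. */
function rotateSessionId(): string
{
    session_regenerate_id(true);
    return session_id();
}

/** Build internal links; the id is appended here instead of by hand in every template. */
function internalUrl(string $path): string
{
    $sep = strpos($path, '?') === false ? '?' : '&';
    return $path . $sep . SID_PARAM . '=' . rawurlencode(session_id());
}

$sid = startUrlSession($_GET);
echo internalUrl('/cart.php'), "\n";   // constructed path
```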