Search found 7 matches

Page 1 of 1

Search found 7 matches

Re: Good ideas for Website security

What I do not understand is why nobody actually take my comment about non secure session cookie seriously. If you have SSL on your store to protect your customers, if you are accepting credit card information , all I have to do to steal your customers info is hijack their insecure session cookie to ...

Jump to post
  • Fri Jun 08, 2012 2:52 am
  • Replies 74
  • Views 25694
Re: How to change order_id for Invoice number

if you know what you are doing , then you can use some combination of this script http://www.tonymarston.net/php-mysql/encryption.html and your own to create a unique order id to present to user. check http://stackoverflow.com/questions/5387755/how-to-generate-unique-order-id-just-to-show-touser-wit...

Jump to post
  • Tue Feb 28, 2012 11:56 am
  • Replies 39
  • Views 31840
Re: About security

you can have a look at here: http://forum.opencart.com/viewtopic.php ... 20#p239995 , What I have created is a secure cookie, you can easily set the secure cookie to expire after 10 min for example.

Jump to post
  • Tue Feb 28, 2012 11:33 am
  • Replies 6
  • Views 1107
Re: Good ideas for Website security

no comments from anyone ? I expected a huge discussion, concerning session hijacking in opencart. Not even bashing my code ? I'm surprised :) Since anyone sniffing the connection wont bother with username or password when stealing the session cookie will do the job and opencart at its current state ...

Jump to post
  • Sun Jan 15, 2012 8:09 am
  • Replies 74
  • Views 25694
Re: Good ideas for Website security

So I'm posting my algorithm and my code here in case somebody wanted to improve it :) Hash of a random number gets created when the client login. This hash code gets stored in two places. A secured cookie on clients computer and in $session . This secure cookie expires with the session cookie. In se...

Jump to post
  • Fri Jan 13, 2012 1:58 pm
  • Replies 74
  • Views 25694
Re: Good ideas for Website security

I think adding the httponly flag to the cookies is a must. It's harmless since from what I can see there is no place where in opencart, a javascript code access the session id cookie. Also to prevent session hijacking I'm thinking about creating two session ID cookies, here is my strategy, let me kn...

Jump to post
  • Fri Jan 13, 2012 10:12 am
  • Replies 74
  • Views 25694
Re: Good ideas for Website security

I changed session.php and startup.php to make the session cookie httponly. session_set_cookie_params(0, '/', NULL,NUll,true); This will make XSS attacks much harder to pull off. for further information please have a look at http://www.codinghorror.com/blog/2008/08/protecting-your-cookies-httponly.html

Jump to post
  • Fri Jan 13, 2012 1:35 am
  • Replies 74
  • Views 25694

Page 1 of 1

Search found 7 matches