Google Entering The Shopping Cart
Posted 25 February 2004 - 08:31 PM
Since I have changed the cookie ID, the link is broken and you are presented with a login - so it's not fatal... but it is a big problem.
If you google on "Rolleiflex TLR Cameras Repair Manual" you will see the problem.
The CF Script sets the title to "Merchat Level Login", but it is not that; it's just an expired user ID, so it shoots you to the login page... I can deal with that part.
The question is, other than a line in robots.txt that looks like this:
Disallow: /acb/basket/ - to keep them out of the basket, what else can we do?
Has anyone seen anything like this?
Is Google responsive to mail saying "please cancel these links!"?
Sheesh - that's the last thing I thought I'd be asking here!
Posted 25 February 2004 - 11:55 PM
Say you're passing user id on the URL as a get string parameter. Then, say you've got a link to some other website on that page. Now, when someone hits the other site, their browser reports the user id to the webserver as a referrer. Now the third party website has a valid login to your shopping cart.
Worse yet is when said third party site publishes their web log statistics (like many do) and then a link is created with the referrer information back to your site. Now everyone has this valid login, including Google. Bummer.
Shopping carts need a session id stored in a cookie (ideally) or passed as a get string parameter (less ideal). Sessions are temporary, therefore you're not revealing any information that could really harm you because in theory the session should timeout or expire within a certain amount of time, the client's browser application exiting, or lack of activity.
Anyway, this should probably give you some ideas of why this is happening. Again, don't pass user id of authenticated users ever. Use temporary session ids that map to users behind the scene in your database.
Updated Edited Info:
Oh, and in regards to the cookie stuff. I'm guessing that your CF server is automatically rewriting URLs if the user isn't accepting cookies. This could be how the user id escaped in this case.
Again though, don't ever ever (just don't do it) pass the user id to the client, in a cookie, a get string parameter, anything. You'll get in trouble every time. This is web application security no-no #1.
If this is an off the shelf shopping cart solution which you don't have control over the code, and it's performing this functionality, get a new shopping cart. This one sucks.
Edited by bobsledbob, 26 February 2004 - 12:02 AM.
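An added example, not part of the thread and not the poster's or the cart vendor's code: a minimal server-side session store in which the browser only ever holds a random, temporary id that maps to the user id on the server, so an id that leaks through a referrer or a published log stops working once it expires. The class name, the timeout values and the cookie name `sid` are assumptions made for illustration.

```python
import secrets
import time

IDLE_TIMEOUT = 20 * 60        # assumed: expire after 20 minutes of inactivity
ABSOLUTE_LIFETIME = 8 * 3600  # assumed: hard cap of 8 hours per session


class SessionStore:
    """Maps opaque, temporary session ids to user ids on the server side."""

    def __init__(self, clock=time.time):
        self._clock = clock
        self._sessions = {}  # sid -> (user_id, created_at, last_seen)

    def create(self, user_id):
        # 256 bits from the OS CSPRNG; the id carries no user information.
        sid = secrets.token_urlsafe(32)
        now = self._clock()
        self._sessions[sid] = (user_id, now, now)
        return sid

    def resolve(self, sid):
        """Return the user id for a live session, or None if unknown or expired."""
        entry = self._sessions.get(sid)
        if entry is None:
            return None
        user_id, created, last_seen = entry
        now = self._clock()
        if now - last_seen > IDLE_TIMEOUT or now - created > ABSOLUTE_LIFETIME:
            del self._sessions[sid]  # a leaked id is worthless from here on
            return None
        self._sessions[sid] = (user_id, created, now)  # refresh idle timer
        return user_id

    def destroy(self, sid):
        self._sessions.pop(sid, None)  # explicit logout


def session_cookie(sid):
    # Sent as a cookie rather than a URL parameter, so the id does not
    # travel to third-party sites in the Referer header.
    return f"Set-Cookie: sid={sid}; Path=/; HttpOnly; Secure; SameSite=Lax"
```

In a real cart the dictionary would be a database table or cache keyed by the session id, and `Secure` assumes the site is served over HTTPS.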