
Google Entering The Shopping Cart


#1 gstark


  • Active Members
  • 95 posts
  • Location:Nanaimo, BC Canada (on Vancouver Island)

Posted 25 February 2004 - 08:31 PM

I have a situation where G has linked to a thousand plus products in an AbleCommerce (Cold Fusion based) store including a user ID.

Since I have changed the cookie ID, the link is broken and you are presented with a login - so it's not fatal... but it is a big problem.

If you google on "Rolleiflex TLR Cameras Repair Manual" you will see the problem.

The CF Script sets the title to "Merchat Level Login" but it is not that it's just an expired user ID so it shoots you to the login page... I can deal with that part.

The question is, other than a line in robots.txt that looks like this:
Disallow: /acb/basket/ - to keep them out of the basket, what else can we do?

Has anyone seen anything like this?

Is Google responsive to mail saying "please cancel these links!"

Sheesh - that's the last thing I thought I'd be asking here!

#2 bobsledbob


  • Active Members
  • 102 posts
  • Location:Ogden, Utah, USA

Posted 25 February 2004 - 11:55 PM

Your user id should _NEVER_ be included in the URL string. This is a big big security no-no, and you're seeing some of the consequences of it. In fact, you should never have to send the user id period to the client for any reason.

Say you're passing user id on the url as a get string parameter. Then, say you've got a link to some other website on that page. Now, when someone hits the other site, their browser reports the user id to the webserver as a referrer. Now the third party website has a valid login to your shopping cart.

Worse yet is when said third party site publishes their web log statistics (like many do) and then a link is created with the referrer information back to your site. Now everyone has this valid login, including Google. Bummer.

Shopping carts need a session id stored in a cookie (ideally) or passed as a get string parameter (less ideal). Sessions are temporary, therefore you're not revealing any information that could really harm you because in theory the session should timeout or expire within a certain amount of time, the client's browser application exiting, or lack of activity.

Anyway, this should probably give you some ideas of why this is happening. Again, don't pass user id of authenticated users ever. Use temporary session ids that map to users behind the scene in your database.


Updated Edited Info:

Oh, and regards to the cookie stuff. I'm guessing that your CF server is automatically rewriting urls if the user isn't accepting cookies. This could be how the user id escaped in this case.

Again though, don't ever ever (just don't do it) pass the user id to the client, in a cookie, a get string parameter, anything. You'll get in trouble every time. This is web application security no-no #1.

If this is an off the shelf shopping cart solution which you don't have control over the code, and it's performing this functionality, get a new shopping cart. This one sucks.

Edited by bobsledbob, 26 February 2004 - 12:02 AM.
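The pattern bobsledbob describes above, as an added example that is not part of this thread or of AbleCommerce: an opaque, expiring session token that maps to the user server-side, plus a check for identity-bearing query parameters that a Referer header would carry to a third-party site. The parameter names, timeouts and sample URL are assumptions for illustration.

```python
import secrets
import time
from urllib.parse import urlparse, parse_qs

# Assumed policy values: idle and absolute lifetimes for a session.
IDLE_TIMEOUT = 30 * 60          # seconds of inactivity before a session dies
ABSOLUTE_TIMEOUT = 8 * 60 * 60  # hard lifetime regardless of activity

# Server-side store: token -> session record. Only the token reaches the client.
_sessions = {}


def create_session(user_id, now=None):
    """Issue a random token; the user id itself never leaves the server."""
    now = time.time() if now is None else now
    token = secrets.token_urlsafe(32)  # 256 random bits, not guessable
    _sessions[token] = {"user_id": user_id, "created": now, "last_seen": now}
    return token


def resolve_session(token, now=None):
    """Map a token back to a user id, or None if unknown or expired."""
    now = time.time() if now is None else now
    sess = _sessions.get(token)
    if sess is None:
        return None
    expired = (now - sess["created"] > ABSOLUTE_TIMEOUT
               or now - sess["last_seen"] > IDLE_TIMEOUT)
    if expired:
        del _sessions[token]  # a token that leaked via Referer is now worthless
        return None
    sess["last_seen"] = now   # activity extends the idle window only
    return sess["user_id"]


def identity_in_url(url, params=("userid", "user_id", "customerid", "uid")):
    """Query parameter names (assumed list) that would leak through Referer."""
    query = parse_qs(urlparse(url).query)
    return sorted(p for p in query if p.lower() in params)
```

A permanent user id in the URL stays valid forever once crawled or logged; a token from create_session stops resolving after the timeouts, so a leaked link only ever opens a login page.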
