View Full Version : 403 Forbidden Area Using OSCOMMERCE Search Box

12-18-2010, 03:42 AM
I searched for something on my site the other day and when searching it hit a 403 forbidden message instead!

I had previously gotten this message only one other time when I was viewing the "who's online" part of my store and clicked on one of the links.

Both times I got the error, a session ID was added to the end of the URL.

If there's no session ID on the search phrase, it didn't give back the error.

Westhost and the oscommerce official forums have no answers, anyone here know what might cause this?

12-18-2010, 07:10 AM
I am not familiar with oscommerce, but from the way you describe the error symptoms it sounds like maybe you hit a session time limit and the URL you where trying to access was perhaps restricted. I know a lot of PHP programs now use separate session processes that have higher "security" for actions that only an admin can carry out. Where these perhaps actions only allowed to an admin? If it is a bug in the programing about the only thing you could do is report it to oscommerce. You would want to give them as much details about the situation as you can. For example if it was a session timeout issue it would be good to denote both what your session time out setting is if there is one and how long you had been logged in when it happened. Normally for the programmers to make a change or fix a "bug" they have to be able to recreate the problem so as much information as you can give helps. There may also be the possiblility that they check IP's when dealing with sessions and if for some reason your local computer IP changed that could effect a session.

Like I say I am not familiar with the code in oscommerce just going with some of the norms I see in PHP scripts. It is always possible that it is a fluke and they well never come up with an answer for you. Keep an eye on the post you made at the oscommerce forum since the likely hood of another user there having the same issue is higher then here.

12-19-2010, 02:02 AM
I can sort of see that with the who's online part of the admin.. but a customer using the search box to search for a product in the front of the website also got it, so bang goes that.

I've tried the oscommerce people, posts get ignored completely.

12-19-2010, 07:59 AM
With php scripts, a session ID is normally only added to a URL if a person does not accept cookies from the site. Then when a request comes in to the program it uses that session id that is added to the URL to check and see who is requesting things. Search features are often the place where a hacker can get in so it is not unusual for a program to be running some test on the URL and information sent with a search. That could be why a guest gets the message.

Is your version of oscommerce up to date? Do you have modifications or addons to the base program and if so are they up to date. Those are the two things I would look at first. Often addons/mods can become out of date even when you keep the main program updated and can cause issues. I know I am bad about this often. I am good to keep my main core updated but then sometimes forget about addons I have installed. :) Not sure how oscommerce does addons/mods, do they have a section in their forums for them and if so do they give each mod a thread for support? You might be able to find information in such a place although you would have to hunt for it.

There is nothing that I can think of that is specific to the WH environment that would affect this, so I would say looking for answers to this at the program level is the best approach.

12-19-2010, 10:24 PM
It isn't the newest version because the way oscommerce works, none of that is automated. It isn't a plug and play type thing.

To install a module, you literally have to go through file by file changing the coding which is possible for me if they're explaining what to replace with what in the base code... but too hard for me to understand what to replace with what in an earlier version of the module.. if you know what I mean.

In Australia, oscommerce specialists charge something like $200 an hour and if they're looking at it trying to work out what is wrong, it'd take several hours which is why I have no choice but to try and work it out via help forums and such.

01-05-2011, 05:22 PM
I still can't get a fix on this. I just logged in to my own bloody admin section and got 403, had to go to another page to avoid 403.. I'm getting tired of this and westhost won't help at all.

There's little difference between the oscommerce I installed before they even offered it and the one they offer yet they use it as a convenient excuse not to help fix it.

01-05-2011, 08:48 PM
I know it is frustrating but even with the version they offer for install the only support they can really offer is in the installation of the program. There are just too many variables with things like this.

Have you checked your error logs to see if there is any information on why the 403 forbidden message came up? Is it a 403 message generated by osCommerce or by the server? We really need to find out more about what is happening when you get the 403.

I did some searching and did find a couple things. The message is produced by osCommerce if the session id added to the URL does not match the one your own cookie. One suggestion was to make sure Prevent Spider Sessions was set to true although I doubt that would really affect the session id being added to your links. Then again how does your search work? Does it go through Google? I read something in my searches that osCommerce has a module or addon that allows that. Now in that case I could kind of see that if you did not prevent session for spiders that maybe it would pick one up and ad it to a url.

I assume you are using .htaccess to filter everything through the index.php of osCommerce. Is it their default .htaccess or have you perhaps added something else to it like forcing the www to be appended to your domain name.

01-05-2011, 09:08 PM
There is a setting called Force Cookie Use. If you set it to true then it well keep the session id from being added to urls. That might help some especially when you click on a link in the admin for like Who's Online. It might even help with the search box but not sure.

01-10-2011, 04:10 PM
I may have discovered a clue. I got the error today when trying to view my customers orders, so I went to the sessions table in the database and it looked entirely different to every single sessions table also in the database. Any chance it might mean anything?