cookie setting ? session variable?


zslates
09-02-08, 11:05 PM
Does anyone know how to set a cookie and call it in miva script?

How about a session variable?

Thanks,

Zack

Southlander
09-03-08, 02:52 AM
There is the htscallerid or whatever it is called that is stored in the cookie that is placed on your PC when you access Miva based (scripted web pages). You can access its value in a Miva script like so:

<MvEVAL EXPR="{s.callerid}">

What you would see on the page that is returned in this case is something that looks like this:

d87x4c2004f2154735fb8ef17d6eds74

So, basically in a Miva script you can read this value from the user's PC -- store it within a database, and then look it up any time you need to identify a specific user.

zslates
09-03-08, 07:26 AM
I found some miva docs that say to set a cookie via a meta tag. Does anyone know if you can call this cookie via the above script? I'll do some testing tomorrow.

Second part. If miva merchant is able to set a cookie then we should be able to as well using miva script (assuming they are setting it server side)?

Zack

mvmarkus
09-03-08, 03:21 PM
> I found some miva docs that say to set a cookie via a meta tag. Does anyone know if you can call this cookie via the above script? I'll do some testing tomorrow.
>
> Second part. If miva merchant is able to set a cookie then we should be able to as well using miva script (assuming they are setting it server side)?
>
> Zack

Hi Zack,

A small function to set your own cookies is this:


<MvFUNCTION NAME = "set_cookie" PARAMETERS="name,value,expires,path,domain,secure" STANDARDOUTPUTLEVEL = "html,text,compresswhitespace">
<MvASSIGN NAME="l.q" VALUE="{asciichar(34)}">
<MvIF EXPRESSION="{l.expires}">
<MvASSIGN NAME="l.week" VALUE="Sunday|Monday|Tuesday|Wednesday|Thursday|Friday|Saturday">
<MvASSIGN NAME="l.month" VALUE="Jan|Feb|Mar|Apr|May|Jun|Jul|Aug|Sep|Oct|Nov|Dec">
<MvASSIGN NAME="l.expires" VALUE="{'; expires=' $ gettoken(l.week,'|',time_t_dayofweek(l.expires, 0)) $ ', ' $ time_t_dayofmonth(l.expires, 0) $ '-' $ gettoken(l.month,'|',time_t_month(l.expires, 0)) $ '-' $ time_t_year(l.expires, 0) $ ' ' $ padl(time_t_hour(l.expires, 0), 2, 0) $ ':' $ padl(time_t_min(l.expires, 0), 2, 0) $ ':' $ padl(time_t_sec(l.expires, 0), 2, 0) $ ' GMT'}">
</MvIF>

<MvIF EXPRESSION="{l.path}">
<MvASSIGN NAME="l.path" VALUE="{'; path='$l.path}">
<MvELSE>
<MvASSIGN NAME="l.path" VALUE="; path=/">
</MvIF>

<MvIF EXPRESSION="{l.domain}">
<MvASSIGN NAME="l.domain" VALUE="{'; domain='$l.domain}">
<MvELSE>
<MvASSIGN NAME="l.domain" VALUE="">
</MvIF>

<MvIF EXPRESSION="{l.secure}">
<MvCOMMENT>The cookie attribute is the literal word "secure"</MvCOMMENT>
<MvASSIGN NAME="l.secure" VALUE="; secure">
<MvELSE>
<MvASSIGN NAME="l.secure" VALUE="">
</MvIF>
<MvFUNCTIONRETURN VALUE="{asciichar(60) $ 'meta http-equiv=' $ l.q $ 'Set-Cookie' $ l.q $ ' content=' $ l.q $ encodeattribute(l.name) $ '=' $ encodeattribute(l.value) $ l.expires $ l.path $ l.domain $ l.secure $ l.q $ asciichar(62)}">
</MvFUNCTION>


To get a cookie, you can use

<MvFUNCTION NAME = "get_cookie" PARAMETERS="find" STANDARDOUTPUTLEVEL = "html,text,compresswhitespace">
<MvIF EXPRESSION="{s.http_cookie}">
<MvASSIGN NAME="l.pos" VALUE="{1}">
<MvASSIGN NAME="l.cookie" VALUE="{gettoken(s.http_cookie, ';', l.pos)}">
<MvWHILE EXPRESSION="{l.cookie}">
<MvASSIGN NAME="l.name" VALUE="{decodeattribute(ltrim(gettoken(l.cookie, '=', 1)))}">
<MvASSIGN NAME="l.value" VALUE="{decodeattribute(gettoken(l.cookie, '=', 2))}">
<MvIF EXPRESSION="{l.find}">
<MvIF EXPRESSION="{tolower(l.find) EQ tolower(l.name)}">
<MvASSIGN NAME="l.return" VALUE="{l.value}">
<MvWHILESTOP>
</MvIF>
<MvELSE>
<MvASSIGN NAME="{ 'g.'$l.name }" VALUE="{ l.value }">
<MvASSIGN NAME="l.return" VALUE="{1}">
</MvIF>
<MvASSIGN NAME="l.pos" VALUE="{l.pos+1}">
<MvASSIGN NAME="l.cookie" VALUE="{gettoken(s.http_cookie, ';', l.pos)}">
</MvWHILE>
</MvIF>

<MvFUNCTIONRETURN VALUE="{l.return}">
</MvFUNCTION>

(Both are very old Mivascripts from some libraries that an old veteran - whose name I forgot, sorry! - published some 8 years ago. I ported them to v4).

Markus

zslates
09-03-08, 07:57 PM
Wow, cool this looks like some great info.
I'll test this out in miva 5.5 and let you all know how it goes :)...

Thanks

Zack

PS thanks mvmarkus!!!

wcw
09-03-08, 08:26 PM
Markus,

In the function to set the cookie secure, does the script need to be a https? What happens if it is not? Does it not set the cookie if it is http?

wcw
09-03-08, 10:41 PM
Zack,

If you already have the Emporium Plus Tool Kit you can set and read cookies without having to write a module. The only thing I don't follow is the use of the secure parameter and when you can use it. As I understand it, in the near future Miva Merchant will set the cookie as secure in order to maintain PCI compliance IAW with McAfee's security checks. So this little exercise does not use a secure flag but I assume could easily be modified in the meta tag to do so. If someone has an example of that and can explain the secure flag, please do.


SET THE COOKIE

<mvt:item name="toolkit" param="set_time_zone|new_time|720" />
<mvt:item name="toolkit" param="time_t_dayofweek|ndayofweek|new_time" />
<mvt:item name="toolkit" param="sassign|days|Sunday#Monday#Tuesday#Wednesday#Thursday#Friday#Saturday" />
<mvt:item name="toolkit" param="vgettoken|days,#,ndayofweek|cday" />
<mvt:item name="toolkit" param="time_t_dayofmonth|ndayofmonth|new_time" />
<mvt:item name="toolkit" param="padl|cdom|ndayofmonth|2|0" />
<mvt:item name="toolkit" param="sassign|months|Jan#Feb#Mar#Apr#May#Jun#Jul#Aug#Sep#Oct#Nov#Dec" />
<mvt:item name="toolkit" param="time_t_month|nmonth|new_time" />
<mvt:item name="toolkit" param="vgettoken|months,#,nmonth|cmonth" />
<mvt:item name="toolkit" param="time_t_year|nyear|new_time" />
<mvt:item name="toolkit" param="padl|cyear|nyear|2|0" />
<mvt:if expr="NOT ISNULL g.customer:bill_fname">
<META HTTP-EQUIV="Set-Cookie"
CONTENT="first=&mvt:global:customer:bill_fname;;expires=&mvt:global:cday;, &mvt:global:cdom;-&mvt:global:cmonth;-&mvt:global:cyear; 23:59:59 GMT; path=/">
</mvt:if>
<mvt:if expr="NOT ISNULL g.customer:bill_lname">
<META HTTP-EQUIV="Set-Cookie"
CONTENT="last=&mvt:global:customer:bill_lname;;expires=&mvt:global:cday;, &mvt:global:cdom;-&mvt:global:cmonth;-&mvt:global:cyear; 23:59:59 GMT; path=/">
</mvt:if>

READ THE COOKIE

<mvt:item name="toolkit" param="vacreate|cookies|s.http_cookie|;" />
<mvt:if expr="NOT ISNULL l.settings:cookies">
<mvt:foreach iterator="cookie" array="cookies">
<br>Name:
<mvt:item name="toolkit" param="gettoken|l.all_settings:cookie,=,1|name" />
&mvt:global:name;
&nbsp;&nbsp;
Value:
<mvt:item name="toolkit" param="gettoken|l.all_settings:cookie,=,2|value" />
&mvt:global:value;
</mvt:foreach>
</mvt:if>


This example sets the cookie to expire 30 days from now (720 hours). If the customer is logged in it saves the first name to first and last name to last. The second part of the example puts the cookie into an array which you can process/display using store morph code. Hence you can lookup the name and welcome the customer back way out in the future, even if they are not logged in when they return. You would not want to automatically log someone back in as that would be a security issue. But welcoming them back like Amazon and others do would be a nice compliment to your store.

wcw
09-03-08, 11:17 PM
A quick note on the above example. Instead of using &mvt to set and display the cookie, use &mvte because you don't know what kind of text a customer might put in those fields. You will want to sanitize the input.

zslates
09-04-08, 12:56 AM
That works like a charm... Thx again Bill..

I do have one question.

It seems I'm having trouble with the gettoken. I read that it's supposed to save this part as g.name:

<mvt:item name="toolkit" param="gettoken|l.all_settings:cookie,=,1|name" />

But, for some reason it doesn't save it, but it does output the variable (example below). Do I need to update my toolkit version (5.0370)?

Also this does the same for "value"

Example:
This code....
[<mvt:item name="toolkit" param="gettoken|l.all_settings:cookie,=,1|name" /> ] - {&mvte:global:name;}
Outputs...
[ htscallerid ] - {}

Thx.

wcw
09-04-08, 01:05 AM
You probably need an updated tool kit. If you don't see that example in the admin screen of your version, your version is too old. That 3rd parameter of the gettoken was added Apr 5, 2008, version 5.043 of the tool kit.

zslates
09-04-08, 01:26 AM
Are there instructions somewhere that detail how to update this module?

Thx

Zack

PS Our site was originally implemented by someone else and I have yet to install/update a module. :)

wcw
09-04-08, 01:29 AM
You get the update from the store you got the original from. You will need your order number when you go to that store. If you got it from Emporium Plus, use the question link in my sig below.

zslates
09-04-08, 01:59 AM
Bill,
I actually just bought it from your store and received a zip file with the .mvc file (wasn't worth tracking down the developer and getting the order number....).

I see initial setup instructions, but I'm not sure I should do all that(?). Can I just upload the new file in via the admin area?

Thx

Zack

wcw
09-04-08, 02:08 AM
Updating from one version of a Merchant 5.x module to a newer version:
You make module updates by selecting admin > global settings > modules (or admin > modules if your version is older than 5.5). Then in the right screen input, search on the module code. I named my modules so the module code is the first part of the module name (less the .mvc). For example, toolkit.mvc would have a module code of toolkit. Next, click the edit button to the right of the module listing. Run the file upload, making sure to check the box for overwrite. Then click the Update.

zslates
09-04-08, 02:15 AM
It seems it didn't like the license?

Should I delete the module and start on a fresh install or is there a way to plug in the license?

Thx

Zack

Runtime error in /merchant2/5.00/modules/util/toolkit.mvc @ [00000005:00000030]: Line 335: MvOPENVIEW: mysql_stmt_prepare: Table 'bagselect_mm5.cim_license' doesn't exist Runtime error in /merchant2/5.00/modules/util/toolkit.mvc @ [00000005:00000104]: Line 343: MvCLOSEVIEW: Database 'Merchant' has no view named 'CIM_License'

wcw
09-04-08, 02:17 AM
Never unassign. You would lose all the work you have done with it in the past. Look at the module's admin screen. What do you see?

zslates
09-04-08, 02:18 AM
Just sent a request for a license key :) via the link in toolkit admin area, that redirected to a prefilled form.

Zack

zslates
09-04-08, 02:20 AM
I see this: http://www.bagselect.com/images/whatisee.gif

wcw
09-04-08, 02:30 AM
Please continue support questions through my support system. I'll probably need your login info and you would not want to give that in this forum.

mvmarkus
09-04-08, 10:30 AM
> Markus,
>
> In the function to set the cookie secure, does the script need to be a https? What happens if it is not? Does it not set the cookie if it is http?

Hi Bill,

No, actually it means that only secure environments can access this cookie. It'll set it anyway, even when the transmission is not via SSL, however my guess is that it is more a question into what security zone the website falls in the client's browser (Trusted, mixed, internet....). So when set to secure, it's only read when it's in a trusted zone.

Well, at least that is how I understand it. (Correct me if I am wrong....)

Markus

wcw
09-04-08, 01:04 PM
So that won't solve the PCI issue that Miva is working on. I guess you should only set the cookie if https is in the documenturl variable. That is easily done with another conditional. I haven't tested but something like
<mvt:if expr="g.basket:cust_id GT 0 AND 'https' CIN s.documenturl">
set the cookie
</mvt:if>
Perhaps a Miva engineer could chime in since they have been working on this issue with empresa 5.07. Hello Miva!

wcw
09-05-08, 04:38 PM
Here's a question about cookies and security. Can the cookies.txt file (or whatever it is called with the various browsers) be edited and the value of a cookie changed?

Rick Wilson
09-05-08, 05:11 PM
Bill,

I've asked Mark to chime in on this today.

mvmarkus
09-05-08, 05:12 PM
> Here's a question about cookies and security. Can the cookies.txt file (or whatever it is called with the various browsers) be edited and the value of a cookie changed?

Hi Bill,

Yes, of course. That is why Javascript-based shopping carts that use cookies to handle the checkout process (storing ordering information and costs over several screens) are so easy to manipulate.

Cookies are really only good for saving the session id (that still needs to be compared to a session id stored in a database) and for that kind of session-specific information that is not security-relevant (like temporary layout settings).

The session id is not a huge security risk as it is usually very difficult to guess. However, a while ago a DNS vulnerability surfaced where session cookies could be hijacked and misused in other domains. I don't recall the details, maybe someone else can chime in on this. This problem though is nothing we can easily avoid, since it is on a much broader/deeper level of the Internet Infrastructure.

Markus
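The point made in the post above (keep only the session id in the cookie and check it against server-side state) as an added Python example; it is not code from the thread or from Miva. The `SessionStore` class, the `total` cookie and all values are constructed for illustration.

```python
import secrets

class SessionStore:
    """In-memory stand-in for the database table that holds sessions."""
    def __init__(self):
        self._rows = {}  # session id -> basket data kept on the server

    def create(self, cust_id):
        sid = secrets.token_hex(16)  # 128 random bits, hard to guess
        self._rows[sid] = {"cust_id": cust_id, "total_cents": 0}
        return sid

    def add_item(self, sid, price_cents):
        self._rows[sid]["total_cents"] += price_cents

    def lookup(self, presented_sid):
        # Only ids the server issued exist here; anything else is rejected.
        return self._rows.get(presented_sid)

def parse_cookie_header(header):
    """Split a Cookie request header into a dict of client-supplied values."""
    out = {}
    for part in header.split(";"):
        name, sep, value = part.strip().partition("=")
        if sep:
            out[name] = value
    return out

def checkout_total(store, cookie_header):
    """Price the basket from server state only. Every cookie other than the
    session id is ignored, because the user can edit the cookie file."""
    cookies = parse_cookie_header(cookie_header)
    row = store.lookup(cookies.get("htscallerid", ""))
    if row is None:
        return None  # unknown or altered session id: no basket
    return row["total_cents"]

if __name__ == "__main__":
    store = SessionStore()
    sid = store.create(cust_id=42)
    store.add_item(sid, 1999)
    # Constructed request: the client has added its own "total" cookie.
    print(checkout_total(store, f"htscallerid={sid}; total=1"))
    # Constructed request: the session id itself was edited.
    print(checkout_total(store, "htscallerid=" + "0" * 32 + "; total=1"))
```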

Mark Johnson
09-05-08, 09:24 PM
It sounds to me like all the questions in this thread have been answered so I'll just add this clarification. The 5.07 engine currently under development will have a new configuration option. When that option is set the engine will add the secure flag to the cookies it generates.

wcw
09-05-08, 10:49 PM
Then it is correct that it can only be read in a secure environment?

wcw
09-05-08, 11:56 PM
Mark,

I answered my own question. If you set the cookie secure, then the url has to be https in order to read that cookie.

So that brings up this question. How is Merchant going to read the htscallerid when Merchant is usually accessed non-secure upon entry to the site? Aren't you reading that cookie to create the session_id variable which is then stored in the baskets database? Or is the methodology going to change? If that methodology changes we need to know that as many 3rd party modules could be affected.
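The behaviour described in the post above, as an added Python example that is not part of the thread: a `Set-Cookie` value is built with and without the `Secure` attribute, and a small model of the browser rule shows which cookies accompany an http versus an https request. The host `shop.example` and the cookie values are constructed.

```python
import time
from email.utils import formatdate
from http.cookies import SimpleCookie
from urllib.parse import urlsplit

def build_set_cookie(name, value, max_age_s=None, path="/", secure=False):
    """Return the value of a Set-Cookie response header."""
    jar = SimpleCookie()
    jar[name] = value
    morsel = jar[name]
    morsel["path"] = path
    if max_age_s is not None:
        # HTTP date in GMT, e.g. "Sat, 04 Oct 2008 23:59:59 GMT"
        morsel["expires"] = formatdate(time.time() + max_age_s, usegmt=True)
    if secure:
        morsel["secure"] = True
    return morsel.OutputString()

def store_from_header(set_cookie):
    """What the browser keeps: name, value and whether Secure was present."""
    first, *attrs = [p.strip() for p in set_cookie.split(";")]
    name, _, value = first.partition("=")
    return {"name": name, "value": value,
            "secure": "secure" in (a.lower() for a in attrs)}

def cookie_header_for(url, stored):
    """Model of the browser rule: Secure cookies go only to https URLs."""
    scheme = urlsplit(url).scheme
    return "; ".join(f"{c['name']}={c['value']}" for c in stored
                     if scheme == "https" or not c["secure"])

if __name__ == "__main__":
    jar = [
        store_from_header(build_set_cookie("htscallerid", "0123abcd", secure=True)),
        store_from_header(build_set_cookie("first", "Zack", max_age_s=30 * 24 * 3600)),
    ]
    print(cookie_header_for("http://shop.example/", jar))   # first only
    print(cookie_header_for("https://shop.example/", jar))  # both cookies
```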

Southlander
09-11-08, 11:27 PM
Looks like the secure flag will come in handy.

http://www.theregister.co.uk/2008/09/11/cookiemonstor_rampage/

wcw
09-11-08, 11:53 PM
Looks like a cookie like first name would not be an issue since that doesn't keep you logged in. But a cookie like htscallerid is an issue since that is the tie-in to your basket. Your basket contains the cust_id which is your account. While they can get your name, address, etc, they could not get your financials unless you have a module that is saving credit card info with your account.

I had experimented with using the cookie as a "remember me" type scenario but that can't be done unless it is done on only secure pages, which would not be just any landing page in your store.

Looks like the htscallerid needs to be a secure cookie. So how do we retrieve that on a non-secure page in order to open a new basket and insert the basket:session_id?

kayakbabe
11-10-08, 08:47 PM
Has any progress been made on this? I too want to use the session to control a php gui that is on my website front end.