nopCommerce v2.60 released

loidis wrote:

I am also seeing this. I just upgraded my site Products for Autism (www.productsforautism.com) to v2.6.

a.m. wrote:

Amazon is not vulnerable because they don't send the authentication ticket cookie over HTTP requests.  Whenever you actually go to check out, it forces you to log in again, thus creating a new authentication ticket and transferring it only over HTTPS.  .NET, if not configured correctly, will send the FormsAuthentication ticket cookie over HTTP or HTTPS unless it's set to secure="true".  You can see this on Amazon with Firebug on the Net panel looking at the headers of HTML pages.  Some cookies are missing over HTTP connections.  If you take a look at the cookies sent in the response from an ASP.NET app that uses FormsAuthentication, uses secure=false, and switches between HTTP and HTTPS, the authentication ticket is always passed.  It doesn't matter if the ticket itself is encrypted (which it is in ASP.NET), it can still be replayed with little effort when not sent over HTTPS.

If you use a separate cookie to track whether or not someone is logged in (say just to display their username), you can still set the FormsAuthentication ticket cookie as secure to prevent its transmission over HTTP.  It'll just force users to log in again (ala Amazon) whenever hitting the payment area that requires HTTPS since a new ticket will need to be created.

There's a good MSDN article about this from the ASP.NET 2.0 days. It still applies today and is really not specific to ASP.NET at all, which is why I originally posted the OWASP link.

http://msdn.microsoft.com/en-us/library/ms998310.aspx#paght000012_step3

loidis wrote:
You're absolutely right. Slimbox2 (used to overlay images on top of the current page) didn't work in IE9 because IE does not support "elem.dataset". I've just fixed it (see changeset 593277a2a08a) and upload new packages. So you can manually apply this patch or re-download the package.

msumerano wrote:
I've just tested Amazon site with Fiddler. It does send authentication ticket cookie over HTTP. Right, it forces you to log in again when you go to checkout. But it does not force you to log in again when you go to "my account" page (also HTTPS) after visit of a product details page (HTTP). Session-token and user id in sent cookies are also the same between requests according to Fiddler (after visiting HTTPS and before). Maybe, I'm doing something wrong or missed something. Maybe, they distinguish between sessions and authentication tickets in Amazon.


msumerano wrote:
Thanks for info. But as I've written above some pages in all the previous versions of nopCommerce also always forced to be HTTP. Now we simply added more pages to this list. I'll create a work item and investigate it further. What I can suggest you now is to force nopCommerce to use SSL all over the site:
1. Open the solution
2. Remove all [NopHttpsRequirement(SslRequirement.No)] attributes over the source code
3. Open \Presentation\Nop.Web\Controllers\BaseNopController.cs file and add  [NopHttpsRequirement(SslRequirement.Yes)] attribute to you


UPDATE 1: I've just also found that it's already supported and you already can easily enable it. It's disabled by default because not all store owners have SSL certificate installed:
1. Open Web.config file
2. Find <forms /> element
3. Set its "requireSSL" attribute to "true"
P.S. But WebWorkContext also need some changes to don't use forms authentication ticket for loading a current customer. Otherwise, current customer won't be loaded for non-secured pages. So for now you can use the solution I suggested above (force all pages to be secured)

UPDATE 2: Forget about the changes I've described above. Please see chanegset 5db00c505e9b. So all you need to do is to set 'securitysettings.forcesslforallpages' setting to 'true'

A.M.

You wrote: UPDATE 2: Forget about the changes I've described above. Please see chanegset 5db00c505e9b. So all you need to do is to set 'securitysettings.forcesslforallpages' setting to 'true'


Is the changeset mentioned above included in the download 2.6 version?
Thanks

saintist wrote:
No. You can download the latest version (the next 2.70) here

a.m. wrote:
If I manually redownload the package, can you tell me what specific files this affects so I can just replace those files?

Hi,
Thanks for the release of the new version.
I just downloaded the V2.6 version( with source code ). I was trying to open with VS2010 but couldn't . It was giving some errors.

Is it possible you can provide a video tutorial of around 15 mins

which should show the step:

1)Download the V2.6 with source code.
2)How you can load the whole projects in Visual studio 2010
3) And then compile without any error.

4) Then setup the website in IIS 7.
5) Do some sample edit on the website (i.e logo changes , Currency changes etc )

If I could do this successfully in my end I would have definitely upload this video to the youtube for NopCommerce users.
I am still trying. I was able to use the code without source. But I wanted to use with the source code.

I believe if you can do this that would be really good and just put a link besides your download link of V2.6 .

Once again thanks for nice opensource shopping cart.

Sowel

sowel wrote:

Sowel,
Did you install MVC 3 before attempting to open the project in Visual Studio?

Great, do you think upgrade our current site: http://www.ibagsbuy.com/ to v2.6 would be easy? We currently use v1.9.