"Trusted Computers" on Intruder Detection system.


Post by nacd_webmaster » Sat Mar 24, 2012 11:27 am

Hello. I am new to the forum and did not find this answer in the FAQ section. I am also new to Shopsite, having just assumed my role as the new webmaster for my organization. We are using Shopsite Pro, v10 R7.4.

Question 1: The Intruder Detection system maintains a list of "trusted computers" (basically, just the WAN IP and the cookie serial #). I see three of them in my list. None are mine (I do see my own WAN IP in the "View Log"). I also see the button to "remove" entries from that list. What I don't see is how an IP is "added" to the "trusted computer" list. Can anyone explain how to "add" an IP to that list, if it is possible to add one manually?

Thanks much.
nacd_webmaster
 
Posts: 8
Joined: Sat Mar 24, 2012 11:12 am

Re: "Trusted Computers" on Intruder Detection system.

Post by ShopSite Lauren » Sat Mar 24, 2012 6:16 pm

Most merchants don't know that information on their computer, so ShopSite does not require that you add new computers. ShopSite recognizes what computer you regularly log in from. If you log in from a different computer, then you will get the notice that there is an unknown IP address that accessed your orders the next time you log in from your regular computer. So for the current trusted IPs, if they log in, they will get a notice that you, an unknown IP, have logged in and will need to be approved. If you remove the other trusted computers, then your computer will be the main computer for future 'new'/'untrusted' computers.
- ShopSite Lauren
Contact me for help with any of your
custom ShopSite template questions.
ShopSite Lauren
 
Posts: 889
Joined: Fri Aug 11, 2006 1:35 pm
Location: Orem, UT

Re: "Trusted Computers" on Intruder Detection system.

Post by nacd_webmaster » Sat Mar 24, 2012 7:38 pm

ShopSite Lauren wrote: Most merchants don't know that information on their computer, so ShopSite does not require that you add new computers. ShopSite recognizes what computer you regularly log in from. If you log in from a different computer, then you will get the notice that there is an unknown IP address that accessed your orders the next time you log in from your regular computer. So for the current trusted IPs, if they log in, they will get a notice that you, an unknown IP, have logged in and will need to be approved. If you remove the other trusted computers, then your computer will be the main computer for future 'new'/'untrusted' computers.


I appreciate your response, but you didn't answer my question. Perhaps, I should clarify. I'm the webmaster/administrator for my client's website. I'm also an IT consultant/professional with over 25+ years of experience. So yes, I do know. :) Shopsite doesn't know my "computer," but it knows the external WAN IP address my computer uses. It may also know the serial number of the cookie it attempts to place on the computer.

My question is, how does Shopsite determine that a given IP/cookie is "trusted," and what mechanism adds that IP/cookie to the "trusted" list? After several sessions on Shopsite (where I've added products, changed layouts, published the changes, reviewed orders, changed the store's configuration, etc.), my WAN IP/Cookie serial # does not yet appear on the "trusted" list.

You mentioned "Log in to Shopsite" above. Perhaps, the problem is that I do not "log in" to Shopsite directly, as would a merchant checking orders. I access Shopsite via my web host provider's master administrator account. I just click the Shopsite button on my host provider's control panel, and I'm in. So, is it a possibility that because I don't log in to Shopsite directly, it's not making a determination that my IP is "trusted," and therefore, not adding it to the "trusted" list?

You also mentioned that Shopsite sends an "alert" if the combination of WAN IP and cookie serial number is new/unknown. Can you please tell me to where that alert is sent, and how I can specify (in my store configuration) where it should be sent, since I'm not receiving them presently?

I don't mean to be a pain about this, but for the security/safety of my client, I need to know how this is done.

Thanks again.
nacd_webmaster
 
Posts: 8
Joined: Sat Mar 24, 2012 11:12 am

Re: "Trusted Computers" on Intruder Detection system.

Post by Jim » Mon Mar 26, 2012 4:10 pm

When a "non Trusted" computer accesses the orders areas of the backoffice, the merchant will receive a notice when they log in and go to the Orders screen. At that time they can add the computer to the trusted list.

Any emails that ShopSite sends for a particular store are sent to the Merchant e-mail address: configured on the Preferences > Hosting Services screen.

Here is a sample of what the merchant would see after logging in and going to the Orders screen, if a non trusted computer accessed the orders.
Warning: your orders were last accessed from a different computer. The Details are:
Server Date/Time: Mon, 26-Mar-2012 15:58:10 MST
From Internet IP: 10.1.245.18
Domain: Not Determined
ShopSite ID: 248431332802676
Last Action: Order Screen

Note the current Server Date/Time is: Mon, 26-Mar-2012 15:58:17 MST

If the last access was from another computer used by you or a co-worker and you no longer want to be alerted about access from that machine click this button

If you are not sure who last accessed your orders you should immediately change your password

Click on the Security button below for more information about this feature and about recent access to your orders.

I did not receive an email that the access had been made but did see it when I logged in to view orders.
Jim
Site Admin
 
Posts: 4953
Joined: Fri Aug 04, 2006 1:42 pm
Location: Utah
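
A minimal model of the behaviour described in the post above, added here as an example and not ShopSite's code. It assumes a computer is identified by the IP and ShopSite ID pair shown in the notice, and that the warning appears on the next Orders visit when the previous access came from a different, untrusted computer; the class and method names are hypothetical.

```python
from dataclasses import dataclass, field
from typing import Optional, Set


@dataclass(frozen=True)
class Computer:
    ip: str           # "From Internet IP" in the notice
    shopsite_id: str  # "ShopSite ID" (cookie serial) in the notice


@dataclass
class OrdersAccessMonitor:
    trusted: Set[Computer] = field(default_factory=set)
    last_access: Optional[Computer] = None

    def open_orders(self, current: Computer) -> Optional[Computer]:
        """Record this access; return the previous computer if it warrants a warning."""
        previous, self.last_access = self.last_access, current
        if previous is None or previous == current or previous in self.trusted:
            return None
        return previous  # "your orders were last accessed from a different computer"

    def trust(self, computer: Computer) -> None:
        """Models the 'no longer want to be alerted' button in the notice."""
        self.trusted.add(computer)

    def remove(self, computer: Computer) -> None:
        """Models the 'remove' button on the trusted-computers list."""
        self.trusted.discard(computer)


def demo():
    # Constructed sample values (documentation address ranges, made-up IDs).
    office = Computer("198.51.100.7", "1001")
    laptop = Computer("203.0.113.9", "2002")
    mon = OrdersAccessMonitor()
    mon.trust(office)
    results = [
        mon.open_orders(office),  # None: nothing earlier to report
        mon.open_orders(laptop),  # None: previous access was the trusted office PC
        mon.open_orders(office),  # laptop: an untrusted computer was there last
    ]
    mon.trust(laptop)             # merchant approves it from the notice
    mon.open_orders(laptop)
    results.append(mon.open_orders(office))  # None: laptop is now trusted
    return results
```

In this model the notice always describes the previous access, so it is shown to whoever opens the Orders screen next, not to the untrusted computer itself.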

Re: "Trusted Computers" on Intruder Detection system.

Post by nacd_webmaster » Mon Mar 26, 2012 5:26 pm

Jim wrote: When a "non Trusted" computer accesses the orders areas of the backoffice, the merchant will receive a notice when they log in and go to the Orders screen. At that time they can add the computer to the trusted list.


Jim - Many thanks for your detailed response. I'm a lot closer to understanding all this. Just to clarify, does the merchant receive this notice only when logging into the back office and going to the orders screen, or is it also sent to the "merchant e-mail address" on file, upon each detection?

Point being, I've accessed orders several times from the back office, but I've never seen such an alert. It should have alerted at least once, upon my first access, since it did not yet know me. It did not. I have a theory as to why. Since I, as webmaster, can log in via my host provider's master account and go directly to Shopsite via push of a button on my "webmaster control panel" (unlike a merchant who would log in directly to the site), I gather it may automatically accept anyone coming from that direction vs. a direct login. Plausible?

Jim wrote: Any emails that ShopSite sends for a particular store are sent to the Merchant e-mail address: configured on the Preferences > Hosting Services screen.


And also to anyone in the CC: list on that same panel, correct? In our case, the "merchant e-mail" address belongs to the person who fulfills/ships the orders, and not to the webmaster/site administrator. Historically, that person never actually used the back office to fulfill the orders but relied solely on the e-mails sent to the "merchant e-mail address." It was the webmaster's (now me) responsibility to add/delete products, pages, etc. and "publish" the site.

Our problem is complicated further by the fact that we underwent a recent personnel change in re: the "merchant" position, but the emails still point to the old merchant's address. The new "merchant" is on the "cc:" list, along with myself. Is it the case, then, that some e-mails (e.g. the "non trusted" alerts) go only to the merchant e-mail address and are not cc:'ed? If not, then that merchant e-mail address will be changed immediately. It's not a security issue at present, however.

Again, many thanks for your help. I'll get there. :)
nacd_webmaster
 
Posts: 8
Joined: Sat Mar 24, 2012 11:12 am

Re: "Trusted Computers" on Intruder Detection system.

Post by Jim » Mon Mar 26, 2012 8:05 pm

I never received an email when I got the message in the backoffice Orders screen that the orders had been accessed by a non-trusted computer. I'm not sure that one is sent in that particular case. I did not add the new site to the trusted list. I'll try that tomorrow when I'm back in the office and see if I get an email that someone was added to the trusted list; an email may be sent at that time.

I believe the CC list is only copied on orders, not on other email notices sent to the merchant email address. To test this I added a couple of CC email addresses. I then changed the merchant email address. I received emails saying the merchant email address had been changed on both the old and new merchant email addresses but not on any of the CC email addresses. So you should change the merchant email address to whoever has the main responsibility for the store.

What version of ShopSite is the store running? That might make a difference on some of the alerts that are sent/displayed.

If the store is using ShopSite 11, is it using the new ShopSite login and the roles feature, or is it still using webserver authentication login?

With the ShopSite login added in version 11 and with roles enabled, it is possible to create separate logins for each individual and set what areas of the store may be accessed by them. There are 5 User Roles available: Administrator, Order Processing, Order Fulfillment, Content Management, Reports. Administrator can do anything in the store. Order Processing can view orders and payment info. Order Fulfillment can see order packing slip info but not the payment info. Content Management can add pages, products, publish, etc. Reports can see the reports for the store. A user can be created to have any of the roles or a combination of them. So it is much more secure and you would have less of a problem with non-trusted users accessing orders because they can't see them unless they have the login for Administrator or Order Processing. So if the store is not running ShopSite 11, I would recommend that you upgrade to the latest version.
Jim
Site Admin
 
Posts: 4953
Joined: Fri Aug 04, 2006 1:42 pm
Location: Utah

Re: "Trusted Computers" on Intruder Detection system.

Post by nacd_webmaster » Mon Mar 26, 2012 8:26 pm

Jim wrote: I never received an email when I got the message in the backoffice Orders screen that the orders had been accessed by a non-trusted computer. I'm not sure that one is sent in that particular case. I did not add the new site to the trusted list. I'll try that tomorrow when I'm back in the office and see if I get an email that someone was added to the trusted list; an email may be sent at that time.

I believe the CC list is only copied on orders, not on other email notices sent to the merchant email address. To test this I added a couple of CC email addresses. I then changed the merchant email address. I received emails saying the merchant email address had been changed on both the old and new merchant email addresses but not on any of the CC email addresses. So you should change the merchant email address to whoever has the main responsibility for the store.


Unfortunately, no one person has "main responsibility" in that respect. I'm the person that keeps the store updated with products, etc., and the person (overall) in charge of administration/security for the site, but it's someone else that fulfills the orders, since the warehouse logistics/operation is based in a different part of the country than where I'm located. I think our management will have to decide which role has the greater need for that "merchant email" designation. As long as the "order processor" can fulfill/ship orders based on the order e-mails received, then I'll take the main/merchant e-mail address. But that's not entirely my decision.

Jim wrote: What version of ShopSite is the store running? That might make a difference on some of the alerts that are sent/displayed.

If the store is using ShopSite 11, is it using the new ShopSite login and the roles feature, or is it still using webserver authentication login?

With the ShopSite login added in version 11 and with roles enabled, it is possible to create separate logins for each individual and set what areas of the store may be accessed by them. There are 5 User Roles available: Administrator, Order Processing, Order Fulfillment, Content Management, Reports. Administrator can do anything in the store. Order Processing can view orders and payment info. Order Fulfillment can see order packing slip info but not the payment info. Content Management can add pages, products, publish, etc. Reports can see the reports for the store. A user can be created to have any of the roles or a combination of them. So it is much more secure and you would have less of a problem with non-trusted users accessing orders because they can't see them unless they have the login for Administrator or Order Processing. So if the store is not running ShopSite 11, I would recommend that you upgrade to the latest version.


I will consider that. We are running ver 10 R 7.4, which is what is offered by our host provider. I will see if they are ready to offer V 11, especially since it seems the new "roles" options would be ideal for our situation. For now, I will have to hope that changing the designated "merchant email" address will help resolve most of the issues.

Thanks again, very much.
nacd_webmaster
 
Posts: 8
Joined: Sat Mar 24, 2012 11:12 am

