Order Anywhere Same Origin

Post by bkerns » Tue Jan 28, 2014 10:02 pm

Is there a way to configure Order Anywhere so that products are added to the cart from ONLY the same domain as order.cgi, or is that a server configuration? I am trying to avoid posts to the order.cgi from an unknown origin.

-Brian
bkerns
 
Posts: 16
Joined: Wed Nov 20, 2013 2:07 pm

Re: Order Anywhere Same Origin

Post by Jim » Tue Jan 28, 2014 10:30 pm

I'm not sure why you would be asking this, but as the name implies Order Anywhere links are designed so that they can add a product to the shopping cart of the store from anywhere. They could be put in an email, attached to a banner graphic on some site, or placed on pages at the same domain where order.cgi is hosted. You as the store owner are the one that determines where the links are put. So as long as you just put them on your store pages at the same domain as where order.cgi is hosted then that is the only place that a shopper can use them to order something.

That being said, some hosting companies install ShopSite stores on shared servers, so hundreds of stores are using the same server, and in that case they may configure it so that instead of a URL for the Order Anywhere links like http://mydomain.com/sc/order.cgi the links end up being like http://yourstorename.hostname.com/sc/order.cgi. This allows the host to have a single secure certificate that they can share with a large number of stores.

If this is the way your add to cart links appear you could check with your host to see if they can reconfigure it so that it just uses your domain name. Some hosts will allow you to move your store to a separate server where they install ShopSite stores in their own directory so the domain name carries right through to the shopping cart and checkout screens. In these cases you will need to purchase your own secure certificate instead of using the hosting company's shared certificate.

In most cases it is the very low end (cheap) hosting companies that install stores in the shared cgi manner and they make their money on volume with little service help. The higher end hosting companies almost always install each store in its own virtual server (or actual server) and they make their money by charging a slightly higher price but providing better service.
Jim
Site Admin
 
Posts: 4953
Joined: Fri Aug 04, 2006 1:42 pm
Location: Utah

Re: Order Anywhere Same Origin

Post by bkerns » Tue Jan 28, 2014 11:19 pm

I am using ShopSite's variable pricing but I would like to make sure the price is coming only from the same domain that the cart is on. This would defeat downloaded and manipulated copies of the page from being posted.

Order Anywhere is a great feature as it allows the definition of the input to order.cgi from externally or highly customized forms via a simple post. Implementing this feature has been the only way I can work around getting a product that is variable in price, description, and contains a lot of extra fields via finopt options. This is my dev page: http://www.intint.com/shop/DevShowCalculator.html It is an edited output from a single ShopSite template. The breed, and classes dropdown options as well as the initial prices will be populated from the product fields, the AKC registration data is pulled via external cgi and is parsed into the form via returned JSON string and jQuery. The price is determined by the state of the Classes dropdowns (options) and the number of dates, it calculates for 2nd entries discount, à la carte pricing i.e. Sweepstakes etc. It's all very complicated and makes my brain squirm.

I understand the true intent of Order Anywhere is to allow cross domain posts to order.cgi, but it would also be nice to be able to limit the domain to the same origin, then it could be called either "Order Here" or "Order Anywhere" depending on how it is configured. I am wondering if this may be a configuration of the web server or maybe the content type but I was hoping ShopSite had a feature somewhere that is being elusive to me.

Thanks for helping, greatly appreciated.
-Brian
bkerns
 
Posts: 16
Joined: Wed Nov 20, 2013 2:07 pm

Re: Order Anywhere Same Origin

Post by robm » Wed Jan 29, 2014 9:26 am

Brian,

If you use an Apache webserver for hosting, you could try this code in your .htaccess file:

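Code:
# Block requests for order.cgi whose Referer is set but is not this store's domain.
RewriteEngine On
# Let requests with no Referer header through (typed URLs, email links, privacy tools).
RewriteCond %{HTTP_REFERER} !^$
# Replace yourdomain\.com with the store's domain; the dot is escaped and https is accepted.
RewriteCond %{HTTP_REFERER} !^https?://(www\.)?yourdomain\.com/.*$ [NC]
# Answer 403 Forbidden.
RewriteRule order\.cgi$ - [F]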


That may stop people from calling order.cgi from outside of your domain name. Make sure you fully test it though, as it could cause other issues.

Rob
robm
 
Posts: 463
Joined: Fri Aug 04, 2006 5:46 pm
Location: Connecticut
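
Added example, not part of Rob's post or ShopSite's code: a Python model of the .htaccess rules above, run over constructed requests to show which calls to order.cgi would get a 403 before the rules go live. It assumes the placeholder domain yourdomain.com, an escaped dot and https as well as http in the pattern; `is_forbidden`, `evaluate` and the sample requests are hypothetical names and data.

```python
import re

# Placeholder hostname taken from the post; substitute the store's own domain.
# Assumption: dot escaped and https accepted. re.IGNORECASE stands in for [NC].
SAME_SITE = re.compile(r"^https?://(www\.)?yourdomain\.com/.*$", re.IGNORECASE)
ORDER_CGI = re.compile(r"order\.cgi$")  # RewriteRule pattern (URL path, no query string)


def is_forbidden(path, referer, allow_empty=True):
    """Return True when the rule set would answer 403 Forbidden ([F]).

    allow_empty=True mirrors the first RewriteCond (!^$): a request with no
    Referer header is never blocked. allow_empty=False models removing it.
    """
    if not ORDER_CGI.search(path):
        return False  # the rule only targets order.cgi
    if referer == "":
        return not allow_empty
    return SAME_SITE.search(referer) is None


# Constructed sample requests: (label, path, Referer header value)
SAMPLES = [
    ("store page over https", "sc/order.cgi", "https://www.yourdomain.com/shop/item.html"),
    ("store page, mixed case", "sc/order.cgi", "HTTP://YourDomain.com/shop/item.html"),
    ("banner on another site", "sc/order.cgi", "http://partner.example/banner.html"),
    ("domain as prefix only", "sc/order.cgi", "http://yourdomain.com.other.example/x"),
    ("email link or local file", "sc/order.cgi", ""),
    ("unrelated script", "sc/search.cgi", "http://partner.example/banner.html"),
]


def evaluate(allow_empty=True):
    """Map each sample label to True (403) or False (request allowed)."""
    return {label: is_forbidden(path, ref, allow_empty) for label, path, ref in SAMPLES}


if __name__ == "__main__":
    for label, blocked in evaluate().items():
        print(f"{'403' if blocked else 'ok':4} {label}")
```

The Referer header is supplied by the client, and browsers omit it for pages opened from a local file, so the empty-Referer row is the case this rule set does not filter. Calling `evaluate(allow_empty=False)` shows the trade-off of dropping the first condition: links from email and bookmarks are rejected as well.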

Re: Order Anywhere Same Origin

Post by bkerns » Wed Jan 29, 2014 9:42 am

That is a great idea! It never occurred to me to use rewrite to check if the environment variable for referrer contains the domain when loading up the URL containing order.cgi. You could also allow other specific domains in that way too like a subnet or an affiliate. Cool!

I use rewrite to make sure www is always used, can't believe I didn't think of this.

That is one of the best answers I have ever gotten from a message board.

Thanks!

-Brian
bkerns
 
Posts: 16
Joined: Wed Nov 20, 2013 2:07 pm

