Blocked Cookies - Losing Customers

Miva Merchant uses cookies (small files stored on the visitor's computer) for the identification of the visitor and for managing his/her session. When visitor's browser does not accept cookies from your website, the content of the basket may be lost when the customer clicks on the checkout button, opening the session in secure mode (SSL). Such visitors will not be able to complete the payment and will leave the store in most cases without even contacting you.

Browser Cookie Control and P3P

Modern browsers like the MSIE v6, depending on their configuration, automatically turn off cookies on sites that do not declare their privacy policies in so called P3P compact policy in HTTP headers. Declaring the P3P policies in the document or through a XML file is not sufficient, only the coded P3P compact policy is currently being recognized.

To stop losing customers in Miva Merchant due to the lapse of P3P compact headers, the MmP3P module was developed. After installing the module and registering your license key, you can enter your P3P compact policy into its settings, and MmP3P will take care about serving them properly with every Merchant page.

P3P Privacy Policies

The default compact P3P policy of the MmP3P module matches a typical and generic Miva Merchant store, but the definitive setting must be customized to match your real privacy policies about collecting and handling user data and therefore you should generate the P3P policies with the help of one of available services and then enter the code into the MmP3P settings. Detailed information about P3P Privacy Policies, including FAQ, links to P3P validators, generators and consultancy services may be found at the W3C Consortium. Privacy Council is one of the sites offering free automated generator of Compact P3P policies.

PICS Rating Labels

The default label generated by MmP3P at the installation time is appropriate for a website containing no nudity or sexual material, no violence or profanity, no tobacco, drugs, alcohol, gambling, weapon promotion, no material that might disturb young children and no chat. You must enter a self-generated PICS label, or a signed label created by one of available PICS services. The used label must be matching your website and the content of your Miva Merchant store properly. There are many PICS rating services are available on the web. Some of them are listed at the W3C Consortium.

Detailed information about PICS (Platform for Internet Content Selection), including FAQ, links to PICS label validators, generators and consultancy services may be found at the W3C Consortium. A free free PICS Label generator may be found for example at ICRA. Labels generated by human reviewers at other services and securely signed may be valued higher by applications or search engines supporting PICS.

PRO Version

The PRO version of MmP3P additionally allows you to insert additional HTTP headers, DOCTYPE declaration, and/or other text or HTML preceding the default code generated by Miva Merchant

Advanced Access Control (PRO version only)

You can restrict access to Miva Merchant by a wide variety of conditions. You can also deny access to Miva Merchant by default (put "deny all" as the first line in the rules), and allow access only to access attempts matching the following "allow" rules. Normally, the more common rule is allowing access to all ("allow all" at the beginning) except those attempts matching the following "deny" rules.

Rules are processed from the top to the bottom. If an access attempt matches multiple rules, the last one will take effect. Each rule must be on a separate line. You can use a # sign at the beginning of a line to disable it temporarily, instead of deleting.

Available Rule Conditions

IP

Restrict by an IP address or a subnet. Please note that most internet users do not have a fix IP address and hence using this method may prove inefficient. Blocking entire blocks (subnets) may then block more than just the intended user. In contrary, many spiders often use a fix address, so blocking them may be more successful. However, blocking of some spiders may be contra-productive. Use this feature wisely.

allow all
deny IP 123.45.67.89
deny IP 123.45.67.
deny IP 123.45.67.0/18
allow IP 123.45.67.99

callerid

You can also enter a callerid of a user manually. Otherwise this rule works in the same way as the "order" rule described above. Customers may be looked up in the basklist.dbf data file, or in cookie files. You can see your own callerid in the HTTP header - for example using the MmDIAG HTTP header viewer. In this way you can exclude your own browser from otherwise blocked access (i.e. for maintenance):

deny all
allow callerid 2a9618aedf3051b89cbf7bd07dde48d1

deny callerid 2a9618aedf3051b89cbf7bd07dde48d1

time

You can restrict access depending on the day time range (using server based system time!). Please use 24 hours time format.

allow time 7:00 - 18:00
deny time 0:00 - 6:59
deny time 18:00 - 23:59

weekday

Restrict access by week day. Use 3-letter abbreviations. You may put several comma separated abbreviation in a single rule.

deny weekday Sun,Sat
allow weekday Fri,Mon,Tue

date

Access restriction by a date range. Fromat: mm/dd/yy - mm/dd/yy, or mm/dd - mm/dd

deny date 06/01/05 - 08/31/05
allow date 01/01 - 09/30

useragent

browsers and web spiders send an identification string to the server. You can control the access using this ID, blocking so for example certain browser versions or spiders. The string is not case sensitive, and partial matches will trigger the rule too.

deny useragent spambot
deny useragent lynx
allow useragent googlebot

domain

The access may be controlled by partial (ending) or full domain name of the visitor. Please note that some server do not look up the domain name of the visitor. Turning on the dnslookups parameter in Miva Empresa configuration may help in such case (please contact your host or read the documentation at miva.com for details). MmDIAG will show your domain name in the variable "" in the tab "env" if available.

deny domain .gov
allow domain friend.gov
deny domain foobar.com

language

When browsers request a page from the server, they identify language(s) they prefer. You can use this feature for the access control too. Please note that people may have set multiple languages in their browsers according their personal preferences.

deny language cz
deny language en-UK
allow language en

referrer

You can block users coming from certain links, sites or entire domains. Ending partial match will trigger the rule too.

deny referrer competition.com
deny referrer http://www.foobar.com/foo/bar.htm
deny referrer .edu

All rules may be executed conditionally. This may be useful for example when you want to deny or allow access to certain pages only. Any global or system variables may be used in the condition. The number of available variables is too huge and too depending on the specific configuration to list it here. You can refer to Miva Merchant and Miva Script developer documentation for more information, or hire a developer if you are looking for a specific condition. The syntax of the expression follows rules describe in the Mva Script Reference Manual available at miva.com

if (store_code EQ 'MPD') deny useragent google
if (screen EQ 'CTGY') allow useragent hotbot

When access is denied to a specific visitor, by default a page defined in the field "Access denied page" in MmP3P parameter. Instead of it you can also redirect the user to an external URL.

deny IP 123.45.67.89 redirect http://yahoo.com
if (error) deny all redirect http://google.com?q=%error%

Global and system Miva Script variables can be "tokenized" by enclosing them into a %-sign pair, removing the scope. The tokens will be then replaced by the value of the respective variable.

Please note that processing the rules costs CPU time, so do not make the rule list too huge if you experience performance problems. Some of the control may be done more efficiently through similar rules in web server's configuration (i.e. .htaccess with Apache web server - please visit apache.org for more details). Also turning on dnslookups may slightly slow down the server.

Please be sure to carefully test the rules in your store front after each modification, to avoid unexpected results caused by logically wrong or mistyped rules.

Compatibility

MmP3P may be used on both Windows and Unix servers. It is available only for compiled Miva Merchant v4.14 and above and the latest Miva Empresa engine is highly recommended.

Installation

Installation of the module is trivial through the standard Miva Merchant Admin interface and does not require any coding, nor additional modules. Additionally, like with every compiled module from truXoft, upon the installation of MmP3P, you will be able to use free or demo versions of all other available truXoft modules. Most of them have the same functionality as their full versions, but limited customizability through settings.

Support Policy