Kryptronic eCommerce Software Update: 9.0.2

An update was released today, October 3, 2017, for Kryptronic eCommerce software version 9. Installation of this update will increase your software version to 9.0.2. This update is intended for all clients running Kryptronic eCommerce software versions 9.0.0 through 9.0.1. This update has been superceded by Kryptronic eCommerce software update 9.0.3, released on January 31, 2019.

This update has been superceded by update 9.0.3. Follow the link below for more information on upgrading to version 9.0.3.

View Kryptronic eCommerce software update 9.0.3 to continue.

Client Upgrade/Update Notice: All clients are highly encouraged to upgrade/update to this software version to make use of new SEO and security enhancements.

Items Added/Changed In This Update

Single system URL implemented. SSL recommended (Security and SEO), without 'www' prefix recommended (SEO).

All session logic updated as well as user session logic. These changes better secure the system, make it work better with the change to using a single URL (SSL) for all content, and avoid all issues with Chrome browser as seen over the past few weeks. At this point session logic is handled by cookies and all form-based and URL-based session tracking has been removed. User accounts now have dedicated session information stored in the core_users table. Login and logout is achieved by creating and setting a token in a cookie named 'ktokenuser'. This cookie is rotated every 15 minutes for security purposes, and is good for the length of the browser session. Guests are tracked using a cookie named 'ktokensess' which is only created/set when necessary, persists for 30 days and rotates every 1 day to keep it fresh. Typical guest sessions are created at the point when items are added to the cart or personal information has been submitted. These changes play hand-in-hand with migration to a single-URL format, using SSL and staying ahead of requirements forthcoming from PCI. These changes also provide better/wider support for modern browsers and decrease security concerns as related to documented session-based exploits.

Robot recognition has become part of the Display module, removed from the Session module. It's used only to prevent no-cache headers and cookie headers from being sent to robots at this point.

Rebates changed to display as negative amount on Shopping Cart page.

Short descriptions added for usage in default Standard Category Views for categories. Added short description, special offers short description addition, and multisite overrides 1 and 2.

Short descriptions added for usage in default Standard Category Views for manufacturers. Added short description, and multisite overrides 1 and 2.

Removed show_currency option from users table and offloaded to new cookie-based value set when the currency conversion page is accessed.

Removed session storage for breadcrumbs, emailistpop, sorting, searches and filters. Offloaded from using a session to using individual cookies.

SSL Always On option removed, now SSL is always on if the installation URL begins with 'https'.

Added nofollow tags to stock notification links and review links.

Modified volume pricing logic to better handle displays for quantity ranges.

Modified modal logic to not close modals on unfocus() if they contain a form. Newer iphones implement focus() on the keyboard causing issues, hence the change.

Purchase orders now require selection of both terms and delivery method in order to create a new PO. They are no longer pre-loaded with defaults.

Vendor MPNs and descriptions are now used as the main display criteria for Purchase Order mail messages, which are sent to vendors.

Skin widgets modified to produce links only after the widget is verified to produce content. This speeds up load times by reducing SQL calls for widgets not being loaded.

Bulk pricing editor extension module modified to sort by and show inventory item identifiers as the main identifier in listings.

Customer viewer and POS altered to produce scrolling lists for long address books. Customer viewer update to produce cleaner displays.

All class object calls within includes were normalized to use the format $CLASSNAME, although $this->CLASSNAME is still acceptable. Done for consistency.

Point of Sale extension module heavily modified to make use of the new session logic and to reduce load substantially.

Robot simulation previously handled by the App class is now called Guest simulation and is handled by the Session class.

New inventory checker script included and set to run via cron every hour. Auto-corrects any issues with inventory on sales order or batched for shipping by comparing orders to inventory and making adjustments. Necessary to combat delayed user edits which occur after batch shipping updates are made.

Removed sessionid from orders table.

Added Tax Nexus setting, default is off. When on, tax is charged for taxable locations regardless of ship origin.

Modified inventory controls processing to ensure sales order inventory is properly handled when inventory has not yet been processed for an order.

Modified target results namespace for Order Manager Ship Items and Order Manager Service Items to target the Ship Items or Service Items interface after an order is updated and completed. Allows for quicker processing of the next order.

Modified purchase order inventory predictor to account better for future orders.

Added suppress logo option for purchase order mail messages.

Modified eBay and Amazon channels to use SSL URLs as part of single URL change. Modified Amazon image URL handling logic.

Batch Shipping Manager modified to sort items within orders based on inventory identifier ascending, then by item quantity descending. This will result in larger quantities being batched before smaller ones in the event stock is out on part of an order.

Maximum package weight for FedEx residential/commercial comparison set to independent value from the global max package weight setting. Hard value set to 70 pounds.

Customer viewer extension module updated to list all orders, including future orders, by date descending.

Check for future order status modified in the Inventory Inspector extension module to provide more reliable results.

QuickBooks Web Connector extension module modified to order purchase orders by date, and order inventory items within purchase orders by inventory item identifier. Ref Number for purchase orders is now exported when the purchase order identifier is 11 characters or less.

Guided Database and Raw Database navigation updated to show results and pagination on top of results in addition to the bottom.

All port recognition functionality was removed with the exception of a single match against the port being used to verify it contains 443 if the URL accessed is supposed to be delivered via SSL.

Modified handling of JavaScript Footer global to append any existing value to the values created for it during JSLib processing. Ensures any included custom footer code is executed after any required libraries.

Standard (non-user) session storage time is now set to a hard 30 days, with session refresh once every day.

Older functionality to combat safe_mode, register_globals and magic_quotes has been removed as those insecure features are now considered non-standard and non-default and have been deprecated from PHP 5.3 and higher.

Statistical logging further optimized to provide less of a database hit.

RequestURI building and handling significantly changed and leveraged for canonical URL building.

BaseURL moved from global and Display class variable status to global only.

Added Offer Level Free Gift Certificate Promo, give away gift certificates with offer purchases.

Added banner ad placement functionality to order confirmation page.

Added XHTML header functionality for the Special Offers page to enable freeform marketing or video inclusion.

Added additional category display functionality to categories. Allows for display of additional categories in either standard grid or feature grid with offers format.

Reduced timeout for remote connections to UPS, USPS and FedEx for rates, tracking and address verification from 25 seconds (default) to 8 seconds.

Added Articles extension module. This is a Content Management System module. Provides functionality similar to Wordpress, but seriously augmented from an integration and SEO perspective. Provides paginated category and article listings, searches, displaying related online store products in articles, displaying related articles, embedded video lead in, RSS feed syndication, supports banner advertisements, provides recent articles widget, article categories widget, breadcrumb navigation widget, namespace for including a feed in an HTML page or other area, social media share controls, custom headers and footers, thumbnail and image stash controls, full SEO and meta information including SEO URLs, multisite and user visibility controls, supports MicroData extension module, article featured list controls, and full integrated display controls.

Disabled CSS and JS versioning in URLs when accessed by bots.

Changed SEOURL for Overpayment item (Extension module POS).

Disabled indexing for all marketing email list namespaces.

Reordered items in invoices by: Manufacturer ASC, Inventory ID ASC, Offer ID ASC, Order Item ID ASC (was Order Item ID ASC only)

Added article (extension module) inclusion in footer area of special offers page.

Added referrer (as 'Source') to backend order summaries and internal mail messages.

Added shipping memo support to orders, with prefill text global, and the ability to add a memo to the shipping total display from the increase shipping total interface.

Added helper for QuickBooks Web Connector extension module which allows reset of the connection in the event it has to run more than once in an hour.

Added functionality to recalculate inventory item cost for orders when orders are completed (fully shipped) to ensure cost data matches the inventory that was shipped as closely as possible.

Added payment card token functionality to allow card storage with online processors. Planned integrations with CIM and SagePay Token.

Added payment gateway integration for CIM (customer information manager, payment card storage via profiles). Optional custom controlled storage option added.

Dropship purchase orders now have the option to use the order shipping method as the shipping method for the purchase order.

Support for date-based terms (in addition to the payment terms list) added with option to recalculate terms as date-based upon order completion for 'Net' type terms.

Inventory controls in the order manager were updated to highlight items out of stock.

Credit card type is now stored for credit card refunds, if the source payment was a credit card payment with card type designated.

Support for limiting payment terms listings added. Controls added to limit the list for orders and for purchase orders.

Added support for partially receiving items on dropship purchase orders in the event the vendor does not ship all items requested.

Added support for delayed windowload javascript processing to avoid errors during Ajax requests with third party scripts that return images (some anti-virus conflicts). These scripts, for example Listrak, were de-prioritized and now have delayed execution.

Modified all meta and microdata handling for categories, manufacturers and articles to use the short description, if present, if the meta description is blank.

Modified all category, manufacturer, article and product displays to make use of paragraph tags instead of division tags wherever possible, for SEO purposes.

Base class for GoogleBase modified from CORE_App to ECOM. Change has no current impact.

Security Modification: Password resets are now handled by sending a link to the requesting account holder. Upon accessing that link, the user is able to select a new password and confirm it, then is prompted to login with their new password. Previous methodology sent a new password to the account holder via email. Password change links persist for 15 minutes, and are valid for 1 hour.

Security Enhancement: Added strong password protection, selectable (Disabled, Enabled) for user groups. If enabled, passwords must be at least 10 characters in length, and contain at least one uppercase letter, at least one lowercase letter and at least one number. All BackEnd user groups have this option enabled by default, all other groups have this option disabled by default.

Security Enhancement: Added repeat password protection, selectable (Disabled, 1-10) for user groups. If enabled, new passwords cannot match a set number of recently used passwords. All BackEnd user groups have this option enabled by default and the value is set to the Last 4 Passwords, all other groups have this option disabled by default.

Security Enhancement: Added password expiration protection, selectable (Disabled, 30/60/90/120 Days) for user groups. If enabled, passwords expire after a set number of days. All BackEnd user groups have this option enabled by default and the value is set to 90 Days, all other groups have this option disabled by default.

Security Enhancement: Added account lockout protection, selectable (Disabled, 1-10) for user groups. If enabled, accounts are locked out and unable to login for 15 minutes once a set number of failed login attempts has been made. All BackEnd user groups have this option enabled by default and the value is set to 3 Failed Login Attempts, all other groups have this option disabled by default.

Security Enhancement: Added device authorization protection, selectable (Disabled, Enabled) for user groups. If enabled, accounts are subject to device authorization, meaning in order to login to an account, the user must additionally confirm who they are by using a device authorization code sent via email to the account holder when logging in using an unrecognized device. Authorization codes persist for 15 minutes, and are valid for 1 hour. Device authorizations renew daily and persist for up to 30 days. When this option is enabled, users can multiple devices to access a single account, and can access multiple accounts using a single device. All BackEnd user groups have this option enabled by default, all other groups have this option disabled by default.

Security Enhancement: Added a password change alert mail message option, selectable (Disabled, Enabled) for user groups. When enabled, users are alerted via a mail message sent to the account holder any time a password is changed or a new password is created (via password reset). All BackEnd user groups have this option enabled by default, all other groups have this option disabled by default.

Security Enhancement: Added a device authorization alert mail message option, selectable (Disabled, Enabled) for user groups. When enabled, users are alerted via a mail message sent to the account holder any time a new device is authorized to access their account. All BackEnd user groups have this option enabled by default, all other groups have this option disabled by default.

Security Enhancement: All login and account activity is checked now against user group level security controls post-valid-login, pre-authorization. This allows the system to prompt users for password changes due to strength requirements, for password changes required due to expiration, for new device authorizations, and more. An authorization token (and code) system was instroduced to recongize authenticated users without logging them in. This separate authorization scheme is used to control security for items such as forced password changes, password resets, and device authorizations.

Security Enhancement: Increased permissions levels for files (755), directories (755) and executable files (755) and added a permission level setting for configuration files (640). These are now hard values, not variable based on the permissions present on the filesystem. Some users may now have to adjust permissions values in index.php, admin.php and installer.php prior to installation.

Security Enhancement: The software installer module was updated so that a new superuser account (matching the credentials used to access the installer) is only created during installation if no superuser level users exist in the system already. This prevents admin account creation in systems with established admin accounts.

Fixes spelling error for 'Surcharge Income' in the accounting system map.

Removed Kryptronic software version number from the X-Powered-By header.

Optimized all advanced reports on orders to reduce the number of database requests, and overall resource usage, when generating reports. Extreme speed gains were found for most reports.

Advanced reports on orders were modified to include Total, Retail, Wholesale and eCommerce Channel sales information in the report data. Channel reporting includes reporting for each channel individually.

Added telephone link setting to be used when displaying links for the telephone number.

Verified proper session handling for shipping estimator defaults. Found operation correct using the new session logic.

Meta title and generator tags were modified to better support private label branding.

Added an X-XSS-Protection header to all responses which are not sent to bots. This header will help alieviate issues with Chrome when editing complex items in the management interface which contain external URLs embedded in submitted content. The header was added to all requests, as it's recommended for use by OWASP.

Modified the eBay channel's getorders() function to only update the getorders timestamp when a connection to eBay can be made. This will prevent missing orders downloads in the event a key has expired.

Modified HTML output and database encoding/charsets to explicitly set Latin1 (ISO-8859-1) as the default character set for output and data storage. Newer PHP versions are shipping with a UTF-8 default which causes some data presentation issues. Storage in ISO-8859-1 with translations to UTF-8 is the most portable solution and works as advertised in all instances.

Zoom functionality for product offer displays has been disabled in the event a page is loaded initially in THIN view (mobile). Users had issue scrolling past zoomed images on mobile devices.

The Google Shopping Feed extension module, and the Product Microdata for the Microdata extension module, were updated to recognize and use the Google Shopping Price Override field managed for Product Offers when it's greater than zero.

Themes used by Wordpress and Vanilla Forums were updated to support new session/security changes as well as use of a single system URL. Updates are available at

FancyBox JavaScript load options removed. The options being passed are no longer part of the API, and default options exist for those that were being passed.

UPS Freight Tracking added as an option for all non-1Z UPS OnlineTools tracking numbers to further support the UPS Freight option in the Batch Shipping Manager extension module.

Added Inventory Detail reports for the eBay and Amazon channel extension modules. These reports list all inventory and show any listings on channels with identifiers and pricing. These reports are useful for ensuring pricing is correct and to identify items which are not listed on channels.

Added the ability to show an additional link on category listings in case they contain large descriptions and links wash out in the display. Additional links are presented in the form of a button with a 'View All' prefix. Controlled by a global setting.

A category footer display was added for categories to allow for inclusion of more information at the very bottom of category pages. Useful for directing users to other categories or simply to provide more information.

The eBay channel was updated to include a new field which can be used to suppress EAN/UPC submission for new item listings and listing updates in the event eBay does not agree with the barcode being used.

The Listrak extension module was updated to exclude channel orders (eBay, Amazon, etc) from order reporting. Customer accounts created during order creation for channels are still exported to Listrak.

Corrected an error in the Batch Shipping Manager extension module related to overstatement of actual shipping charges on multiple item shipments.

Added change email function to the Manage Users function in the Management Interface. Changing a user's email here scales across all areas, using the same logic as the Account Overview change email function.

Removed extension module Google Trusted Stores (service discontinued, see Google Customer Reviews).

Added Google Customer Reviews support, which allows stores with a Google Merchant Account with Google Customer Reviews activated the ability to request reviews from customers post-purchase. All reviews are handled directly by Google, assuring valid reviews.

Added aggregate review rating to product offer microdata. Review microdata is populated when reviews are active, there is at least one review, and the review rating is greater than zero.

Added the ability to manage redirects for requests which no longer exist (deleted items). Add redirects for HTML Pages, Article Categories, Articles, Product Offers, Categories and Manufacturers using the new System / Helpers / Redirects function.

Modified checkout to scroll to the top of the page after any submission that meets the following criteria: FrontEnd ajax requests where the total was set, and has changed, and no ajax messages (errors) were been printed.

Added a Additional Order Email Recipients (Customer) field for User Accounts which allows customer order mail messages to be carbon copied to one or more addresses for a particular customer. Useful for customers that may need a purchasing email copied on orders.

Added a Additional Order Email Recipients (Internal) field for User Accounts which allows internal order mail messages to be carbon copied to one or more addresses for a particular customer. Useful for copying reps or affiliates on orders.

Modified the Order Manager to allow a custom note to be sent with order mail messages, instead of the standard header message, when sending mail messages using the Send Mail Messages function.

Modified the way the QuickBooks Web Connector extension module identifies credits and payments which are available for export to support future orders with prior payments. Those payment exports are now delayed until the order can be exported.

Added a Free Shipping Prompt with optional Disclaimer to the top of the shopping cart page. The prompt will display if activated using Shopping Cart and Wishlist settings, and if a free shipping threshold is active, and other conditions are met. The prompt was created to entice customers to spend more to reach a free shipping breakpoint.

Removed the 'USPS First-Class Mail Parcel' realtime shipping service option, and added services 'First-Class Package Service - Retail' and 'First-Class Package Service - Commercial'. Prompted by recent USPS updates to First-Class services in Aug 2017.

Modified logic in the Purchase Order and QuickBooks Web Connector extension module to update inventory on purchase order (expected) for all inventory types when handling Purchase Order Manager item receipts and QBWC synch.

Future Update Roadmap

The following updates are on the schedule and currently in development: Sage Accounting Export extension module; ShipWorks extension module; ShipStation extension module; Selective Caching; Walmart extension module

Filesystem Changes in This Update

Filesystem changes are available below for clients with modified installations. If your installation is modified, review the file listings below to aid in backing up and manually applying your modifications after running this software update.

New Files Added
Files Removed
Files Modified
© 1999-Present Kryptronic, Inc. All rights reserved worldwide. Kryptronic, the Kryptronic logo and all Kryptronic software names and logos are trademarks of Kryptronic, Inc. All Kryptronic software is copyrighted and the intellectual property of Kryptronic, Inc. All Kryptronic software is developed and distributed under license by Kryptronic, Inc.