osCommerce
Information Leak


stembuck

So, I was just browsing through my web site and I noticed I was logged on as Mark. I clicked on account and I see everything about Mark, and so does everyone else who is online at the time. I can even add items to Mark's shopping cart, but I'm not Mark.

 

This has never happened to my web site before. I don't know what is going on. I have a guess: it has to do something with cookies. Please, someone help me.

It's all about session IDs. Bleedin' session IDs.

 

You should notice osCsid=ff4c5b870dc156bac85754ca7ac8b43e or something similar. This should be a unique number that temporarily identifies a user for a single visit to your shop. To keep the user logged in, the session ID has to be saved somewhere. If you have set the right values in configure.php and the user allows cookies, the ID will be saved in a cookie. This is best. Otherwise the ID will be passed around using the URL: every link will contain the session ID.

If someone else's session ID is saved somehow (indexed by Google, bookmarked, saved in an external link, etc.) then anyone following that link will be logged in as that person. Technically, if you could guess someone else's session ID then you could log in as them, which is why it is such a huge number.

 

In catalog/includes/configure.php you should see the setting:

define('HTTP_COOKIE_DOMAIN', 'yourdomain.com');

 

This is used when your cookie is written to the user's machine and links that cookie to your site. Note there is no http:// or www.

 

The second thing you should look at is the admin under Configuration > Sessions; check that 'Prevent Spider Sessions' is set to true. This stops osC from issuing a session ID to search engine spiders. Clever, eh?

 

If that fails, there are hundreds of posts addressing the same problem. I think there has been an overhaul of the session functions for MS3; if there isn't, there should be.

I ain't got time to bleed

Toby has given good advice, but it can also be a problem if you are using files to store your session information and you are on a shared server. You can have 'crossover' if someone else on the same server is also running an osCommerce site, which is why you should use your database (if you're not already doing so) to store your session data. To do this, go to the last line of both of your configure.php files and change it so that it reads

 

define('STORE_SESSIONS', 'mysql');

 

Vger

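The two replies above describe three ways an osCsid ends up shared: a session ID carried in a URL that someone else then follows, a search spider being handed a session, and one ID turning up from several visitors. The script below is an added example, not code from the thread or from osCommerce, that looks for exactly those signs in an Apache combined access log. The log lines and the shop hostname (example.com) are constructed for the demonstration.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit, parse_qs

# Constructed sample lines in Apache combined log format (not real traffic).
# Lines 1-2: one visitor browsing with osCsid in the URL.
# Line 3: a second visitor arriving from a Google result whose link still carries that osCsid.
# Line 4: a search spider being issued its own session ID.
SAMPLE_LOG = """\
203.0.113.10 - - [12/Mar/2004:10:01:02 +0000] "GET /catalog/default.php?osCsid=ff4c5b870dc156bac85754ca7ac8b43e HTTP/1.1" 200 5120 "-" "Mozilla/4.0"
203.0.113.10 - - [12/Mar/2004:10:01:09 +0000] "GET /catalog/account.php?osCsid=ff4c5b870dc156bac85754ca7ac8b43e HTTP/1.1" 200 2210 "http://example.com/catalog/default.php" "Mozilla/4.0"
198.51.100.7 - - [12/Mar/2004:10:05:40 +0000] "GET /catalog/product_info.php?products_id=3&osCsid=ff4c5b870dc156bac85754ca7ac8b43e HTTP/1.1" 200 3300 "http://www.google.com/search?q=widgets" "Mozilla/5.0"
192.0.2.25 - - [12/Mar/2004:10:07:00 +0000] "GET /catalog/default.php?osCsid=0123456789abcdef0123456789abcdef HTTP/1.1" 200 5120 "-" "Googlebot/2.1"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d+) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)

def sid_in_url(url):
    """Return the osCsid query parameter of a URL or path, or None if absent."""
    return parse_qs(urlsplit(url).query).get("osCsid", [None])[0]

def analyse(log_text, own_host="example.com"):
    """Flag session IDs leaked through URLs, handed to spiders, or used by several IPs."""
    ips_per_sid = defaultdict(set)
    findings = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        sid = sid_in_url(m["path"])
        if not sid:
            continue  # request carried no session ID in the URL
        ips_per_sid[sid].add(m["ip"])
        # A session ID in the URL arriving from another site: someone followed a saved link.
        ref_host = urlsplit(m["referer"]).hostname
        if ref_host and ref_host != own_host:
            findings.append(("external-link-with-sid", sid, m["ip"]))
        # A crawler was given a session ID: 'Prevent Spider Sessions' is not doing its job.
        if any(tok in m["ua"].lower() for tok in ("bot", "spider", "crawl")):
            findings.append(("spider-session", sid, m["ip"]))
    # The symptom from the original post: one session ID used from more than one address.
    for sid, ips in ips_per_sid.items():
        if len(ips) > 1:
            findings.append(("shared-session", sid, sorted(ips)))
    return findings

if __name__ == "__main__":
    for kind, sid, who in analyse(SAMPLE_LOG):
        print(f"{kind}: osCsid={sid} from {who}")
```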
