Jump to content
dev osCommerce
Forum
  • Checkout
  • Login
  • Contact Us
  • Get in touch

osCommerce

The e-commerce.

New Demo
Our Partners

Information Leak

stembuck

By stembuck
in General Support

Recommended Posts

stembuck

stembuck

Posted
Posted

So, I was just browsing through my web site and I notice I was log on as Mark. I click on account and I see everything about Mark and so does everyone else who is online at the time. I can even add items to Mark's shopping cart but I'm not Mark.

 

This never happen to my web site before. I don't know what is going on. I have a guess, it's have to do something with cookie. Please someone help me.

tobycatlin

tobycatlin

Posted
Posted

It's all about session ID's. Bleedin session id's

 

you should notice a osCsid=ff4c5b870dc156bac85754ca7ac8b43e or something similar. This should be a unique number that temporarily identifies a user for a single visit to you shop. To keep the user logged in the session id has to be saved somewhere. If you have set the right values in configure.php and the user allows cookies the id will be saved in cookies. this is best. otherwise the id will be passed around using the url. Every link will contain the session id.

If someone elses session id is saved somehow (indexed by google, bookmarked, saved in external link etc) then anyone following that link will be logged in as that person. Technically if you could guess someone elses session id then you could log in as them, which is why it is such a huge number.

 

In catalog/includes/configure.php you should see the setting:

define('HTTP_COOKIE_DOMAIN', 'yourdomain.com');

 

This is used when your cookie is written to the users machine and links that cookie to your site. Note there is no http:// or www.

 

The second thing you should look at is the admin under configuration/sessions and check that 'prevent spider sessions' to equal true. The stops OSc from issuing a session id to search engine spiders. Clever eh?

 

If that fails there are hundreds of posts addressing the same problem. I think there has been a overhaul of the session functions for ms3, if there isn't there should be.

I ain't got time to bleed

Vger

♥Vger

Posted
Posted

Toby has given good advice, but it can also be a problem if you are using files to store your sessions information and you are on a shared server. You can have 'crossover' if someone else on the same server is also running an osCommerce site, which is why you should use your database (if you're not already doing so) to store your session data. To do this go to the last line of both of your configure.php files, and change it so that it reads

 

define('STORE_SESSIONS', 'mysql');

 

Vger

stembuck

stembuck

Posted
  • Author
Posted

WoW !!! you guys are very helpful. thank you so much. I did as you suggested now we have to wait so see if it work. thanks :D

Archived

This topic is now archived and is closed to further replies.

Go to topic listing
×
×
  • Create New...