Guest
Posted February 25, 2005

Hi,

I have been setting up osCommerce and playing with test carts etc. Today I instructed one of my regular customers to go to the under-construction store and make a real purchase. All went through fine. However, later that day, whilst I was doing another test order, I clicked 'checkout' and instead of being taken to the log-in screen I was taken to the shipping screen with the full address of my previous (real) customer, who ordered on a different computer.

How did this happen? I had not entered any details of my customer and certainly don't have his password! So far I haven't been able to replicate the error, but the experience has given me doubts about going live just yet.

My admin settings that I think may affect this are as follows:

Use Cache: false
Cache Directory: /tmp/
Store Page Parse Time: false
Log Date Format: %d/%m/%Y %H:%M:%S
Display The Page Parse Time: false
Log Destination: /var/log/www/tep/page_parse_time.log
Store Database Queries: false
Session Directory: /tmp
Check SSL Session ID: False
Check User Agent: False
Force Cookie Use: False
Check IP Address: False
Prevent Spider Sessions: False
Recreate Session: False

Are all the above normal? I've had a search for similar problems but can't find anything. Any help is very much appreciated, as I am at a complete loss to figure out what has happened.

My site is currently here: http://www.cheaperchips.com/catalog/

I'm not sure how to find the exact version of osCommerce I'm using - it's the most recent, I think. I have added the following contributions:

Free skin
A Secpay payment module
Header and keyword tags
Show VAT inc and excl.

The site uses a shared SSL for login/out.

Thank you.

Effects
Posted February 25, 2005

Are your sessions set to mysql in the configure.php files?

define('STORE_SESSIONS', 'mysql');

should not be

define('STORE_SESSIONS', '');

Les

Guest
Posted February 25, 2005

> Are your sessions set to mysql in the configure.php files?
>
> define('STORE_SESSIONS', 'mysql');
>
> should not be
>
> define('STORE_SESSIONS', '');
>
> Les

I'll check now. So will that cause the problem?

♥Vger
Posted February 25, 2005

When your site is on a shared server you should never store sessions in files - always in the database (mysql setting). Not only could you see other customers' accounts, but you could end up with the 'Category' list of other osCommerce websites on the same server appearing in your left-hand column.

Vger

Effects
Posted February 25, 2005

> I'll check now. So will that cause the problem?

There have been some recent posts about similar problems, and that's what was suggested to possibly resolve the problem. My store isn't live yet - but I've already made that change.

Les

Guest
Posted February 25, 2005

Yup, I needed to change the code as instructed - thank you, thank you. :thumbsup:

I hope that's the end of it - feels better knowing I've tried something.

Do all the settings below seem OK for use with a shared SSL?

Use Cache: false
Cache Directory: /tmp/
Store Page Parse Time: false
Log Date Format: %d/%m/%Y %H:%M:%S
Display The Page Parse Time: false
Log Destination: /var/log/www/tep/page_parse_time.log
Store Database Queries: false
Session Directory: /tmp
Check SSL Session ID: False
Check User Agent: False
Force Cookie Use: False
Check IP Address: False
Prevent Spider Sessions: False
Recreate Session: False

Maybe I need to improve my searching techniques. I spend hours on it and end up with more questions than answers!

Thanks

Effects
Posted February 25, 2005

> Yup, I needed to change the code as instructed - thank you, thank you. :thumbsup:
>
> I hope that's the end of it - feels better knowing I've tried something.

Did you fix that in both configure.php files? admin/includes and the standard includes, for example catalog/includes.

Les

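The check Les asks about above can be scripted; this is an added example, not part of the original thread or of osCommerce. The function names, the directory layout and the sample file contents are constructed for illustration.

```python
import re
import tempfile
from pathlib import Path

# Active (uncommented) define('STORE_SESSIONS', '<value>') at the start of a line.
# Limitation: defines inside /* ... */ block comments are not excluded.
DEFINE_RE = re.compile(
    r"""^[ \t]*define\(\s*['"]STORE_SESSIONS['"]\s*,\s*['"]([^'"]*)['"]\s*\)""",
    re.MULTILINE,
)

def store_sessions_value(php_source):
    """Return the first active STORE_SESSIONS value (PHP keeps the first
    definition of a constant), or None when the file does not define it."""
    match = DEFINE_RE.search(php_source)
    return match.group(1) if match else None

def audit(root):
    """Map every configure.php below root to 'ok', 'file-sessions' or 'missing'."""
    report = {}
    for path in sorted(Path(root).rglob("configure.php")):
        value = store_sessions_value(path.read_text(errors="replace"))
        if value is None:
            status = "missing"
        else:
            # Anything other than 'mysql' leaves sessions on the file handler.
            status = "ok" if value == "mysql" else "file-sessions"
        report[path.relative_to(root).as_posix()] = status
    return report

def build_sample_tree(root):
    """Constructed sample: catalog side fixed, admin side still on file sessions."""
    samples = {
        "catalog/includes/configure.php":
            "<?php\n  define('STORE_SESSIONS', 'mysql');\n?>\n",
        "catalog/admin/includes/configure.php":
            "<?php\n  // define('STORE_SESSIONS', 'mysql');\n"
            "  define('STORE_SESSIONS', '');\n?>\n",
    }
    for rel, body in samples.items():
        target = Path(root) / rel
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_text(body)

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        for name, status in audit(tmp).items():
            print(f"{status:14} {name}")
```

Pointing `audit()` at the web root also picks up any configure.php in a 'local' folder, so every copy is reported in one pass.
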
Guest
Posted February 25, 2005

> Did you fix that in both configure.php files? admin/includes and the standard includes, for example catalog/includes.
>
> Les

Yes, thanks. I also have folders called 'local' with config files in them, but they were already set correctly.

I have also put in the following settings, which I think may stop it or something similar happening again:

Use Cache: false
Store Database Queries: false
Check SSL Session ID: True
Prevent Spider Sessions: True
Recreate Session: True

Time will tell, I suppose. Thank you all for all your help. Further suggestions are welcome if there are any.

pete.

mannik
Posted March 2, 2005

I have the same problem: customers are visiting the page and are logged into other accounts, or orders of existing customers are in the wrong accounts.

I checked the session handling, and this also happens with sessions stored in mysql. It seems to me that the sessions generated are the same, and it happens only if it is in the same time period, so the session is active.

It happens more often to me now, and this is a HUGE SECURITY PROBLEM.

I have the following session parameters:

Session Directory: /tmp
Force Cookie Use: False
Check SSL Session ID: True
Check User Agent: False
Check IP Address: True
Prevent Spider Sessions: True
Recreate Session: True

Anybody out there to help me? THIS IS URGENT.

This topic is now archived and is closed to further replies.