
Account Security Breach with Two Customers


krispp


We've had reported to us today a problem where one site visitor who had not opened an account was able to gain access to an existing account of another person by clicking on 'my account'.

 

We are running a version of oscommerce with the STS module installed and we are using the querystring to parse the session id, however we have been advised that the user has been logged into another user's account upon entering the site and has stayed logged in for a number of minutes whilst they were both trying to order.

 

Obviously they were not able to see any sensitive data (credit card details) but this has been enough to cause serious concerns over the security of the system.

 

Has anybody else experienced this, and can someone advise on how to resolve it?

 

Many thanks

Chris


Oooh, I feel your pain, Chris. :(

 

This happened on my site, too. The problem, in my case, was that MSN had embedded an osC session id in a link from their search site to one of my product pages. So every time someone clicked on that link, they were seeing the previous customer's data.

 

If you have your own SSL certificate (rather than using a shared one), you can get around this by forcing cookie use. You should also store sessions in the mysql database, rather than in a /tmp file.

 

For reference, here are the settings I now have in my store, and (knock on wood!) no problems since changing them.

 

In /catalog/includes/configure.php, here are relevant portions:

 

define('HTTP_SERVER', 'http://www.kididdles.com'); // eg, http://localhost - should not be empty for productive servers
define('HTTPS_SERVER', 'https://www.kididdles.com'); // eg, https://localhost - should not be empty for productive servers
define('ENABLE_SSL', true); // secure webserver for checkout procedure?
define('HTTP_COOKIE_DOMAIN', '.kididdles.com');
define('HTTPS_COOKIE_DOMAIN', '.kididdles.com');
define('HTTP_COOKIE_PATH', '/catalog/');
define('HTTPS_COOKIE_PATH', '/catalog/');
define('DIR_WS_HTTP_CATALOG', '/catalog/');
define('DIR_WS_HTTPS_CATALOG', '/catalog/');

 

and

 

define('STORE_SESSIONS', 'mysql'); // leave empty '' for default handler or set to 'mysql'

 

On the Administration side, in Store Configuration -> Sessions, I have the following settings:

 

Force Cookie Use: True

Check SSL Session ID: False

Check User Agent: False

Check IP Address: False

Prevent Spider Sessions: True

Recreate Session: False

 

To go along with 'Prevent Spider Sessions,' you should also have a spiders.txt file in your /catalog directory. Check the contributions section (link at top of forum pages) for the most up-to-date one.

 

Note: If you are using shared SSL, cookies will not work for you. In that case, you may need to set Recreate Session to True, but also be sure to have Prevent Spider Sessions set to true and get that spiders.txt file on your server.

 

HTH,

 

Terry

Terry Kluytmans

 

Contribs Installed: Purchase Without Account (PWA); Big Images, Product Availability, Description in Product Listing, Graphical Infobox, Header Tags Controller, Login Box, Option Type Feature, plus many layout changes & other mods of my own, like:

 

Add order total to checkout_shipment

Add order total to checkout_payment

Add radio buttons at checkout_shipping (for backorder options, etc.)

Duplicate Table Rate Shipping Module

Better Product Review Flow

 

* If at first you don't succeed, find out if there's a prize for the loser. *

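The settings Terry lists change which session id (SID) a request is allowed to run under. The following is an added example, not osCommerce's own code: a small model of SID selection that contrasts the setup described in the thread (SID accepted from the query string, so a search-engine link that still carries somebody's SID lands the visitor in that session) with Force Cookie Use and Recreate Session. It assumes 'osCsid' as the SID parameter name, and every SID value, customer id and request in it is constructed for the demonstration.

```python
"""Added example, not osCommerce's own code: a small model of how a request's
session id (SID) is picked, contrasting the setup described in the thread
(SID taken from the query string) with Force Cookie Use and Recreate Session.
Assumptions: 'osCsid' as the SID parameter name; all SID values, customer ids
and requests are constructed for the demonstration."""
import secrets
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class Request:
    cookie_sid: Optional[str] = None  # SID sent back in the session cookie
    query_sid: Optional[str] = None   # SID carried in the URL, ?osCsid=...


@dataclass
class Config:
    force_cookie_use: bool = False    # admin -> Sessions -> Force Cookie Use
    recreate_session: bool = False    # admin -> Sessions -> Recreate Session


@dataclass
class SessionStore:
    sessions: dict = field(default_factory=dict)  # sid -> session data


def new_sid() -> str:
    return secrets.token_hex(16)


def resolve_session(req: Request, cfg: Config, store: SessionStore):
    """Return (sid, data) the request runs under.

    Without Force Cookie Use a SID found in the URL is trusted, so a link
    that still carries somebody's SID drops the visitor into that session.
    With it, URL SIDs are ignored and a cookie-less visitor gets a fresh one.
    """
    sid = req.cookie_sid
    if sid is None and not cfg.force_cookie_use:
        sid = req.query_sid                      # the path the thread describes
    if sid is None or sid not in store.sessions:
        sid = new_sid()
        store.sessions[sid] = {}
    return sid, store.sessions[sid]


def login(sid: str, customer_id: int, cfg: Config, store: SessionStore) -> str:
    """Bind a customer to the session. With Recreate Session the SID is
    replaced at login, so a SID that leaked before login never names an
    authenticated session afterwards. Returns the (possibly new) SID."""
    data = store.sessions[sid]
    if cfg.recreate_session:
        del store.sessions[sid]
        sid = new_sid()
        store.sessions[sid] = data
    data["customer_id"] = customer_id
    return sid


def leaked_link_scenario(cfg: Config) -> Optional[int]:
    """Customer A browses without a cookie (SID in URLs), a crawler indexes
    a product URL carrying that SID, A logs in, then visitor B follows the
    indexed link. Returns the customer id B's session is bound to."""
    store = SessionStore()
    sid_a, _ = resolve_session(Request(), cfg, store)
    indexed_sid = sid_a                          # what the search engine saved
    login(sid_a, customer_id=42, cfg=cfg, store=store)
    _, data_b = resolve_session(Request(query_sid=indexed_sid), cfg, store)
    return data_b.get("customer_id")


if __name__ == "__main__":
    for cfg in (Config(), Config(recreate_session=True),
                Config(force_cookie_use=True)):
        print(cfg, "-> visitor B sees customer", leaked_link_scenario(cfg))
```

Run as is, the weak configuration binds visitor B to customer 42 while either hardening alone leaves B with an empty session; in the model, Recreate Session works because the indexed SID stops existing at login, and Force Cookie Use works because the URL is never consulted, which is why the two settings are complementary rather than redundant.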

Terry,

 

You should immediately enable the "Recreate Sessions" setting as this will keep the impact of passing SIDs to a minimum. Of course, keeping the SIDs from being passed initially is a first-line defense, but if it happens the recreate session feature is priceless...

 

Bobby

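Bobby's point that keeping SIDs from being passed in the first place is the first line of defense raises the question of how to tell whether it is happening. The following is an added example, not osCommerce's own code: it scans access-log lines in the common combined format for the two exposures this thread describes, requests that arrive from another site's link already carrying a SID (Terry's MSN case) and crawlers being served SIDs (what Prevent Spider Sessions and spiders.txt are meant to stop). The log lines, hostnames and spider markers are constructed, and 'osCsid' is assumed to be the SID parameter name.

```python
"""Added example, not osCommerce's own code: scan web server access-log lines
(combined log format) for the two ways a SID gets handed to strangers that
this thread describes: inbound links from other sites that already carry a
SID, and crawlers being served SIDs. The log lines are constructed, 'osCsid'
is assumed to be the SID parameter name, and the spider list is a stand-in
for the spiders.txt the thread mentions."""
import re
from urllib.parse import urlsplit, parse_qs

SID_PARAM = "osCsid"
OWN_HOSTS = {"www.example-store.com", "example-store.com"}   # constructed
SPIDER_MARKERS = ("googlebot", "msnbot", "slurp")           # stand-in list

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<url>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)

# Constructed sample: a search-engine link carrying a SID, a same-site link
# carrying a SID, a crawler being served a SID, and a clean request.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Mar/2005:10:02:11 +0000] "GET /catalog/product_info.php?products_id=31&osCsid=7d4c3e2f1a0b9c8d HTTP/1.1" 200 5120 "http://search.msn.com/results.aspx?q=kids+songs" "Mozilla/4.0 (compatible; MSIE 6.0)"
198.51.100.9 - - [10/Mar/2005:10:03:40 +0000] "GET /catalog/product_info.php?products_id=31&osCsid=7d4c3e2f1a0b9c8d HTTP/1.1" 200 5120 "http://www.example-store.com/catalog/index.php?osCsid=7d4c3e2f1a0b9c8d" "Mozilla/4.0 (compatible; MSIE 6.0)"
192.0.2.77 - - [10/Mar/2005:10:05:02 +0000] "GET /catalog/index.php?osCsid=aa11bb22cc33dd44 HTTP/1.1" 200 2048 "-" "msnbot/1.0 (+http://search.msn.com/msnbot.htm)"
192.0.2.78 - - [10/Mar/2005:10:06:30 +0000] "GET /catalog/index.php HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
"""


def sid_in_url(url: str):
    """Return the SID carried in a URL's query string, or None."""
    return parse_qs(urlsplit(url).query).get(SID_PARAM, [None])[0]


def find_sid_exposures(lines, own_hosts=OWN_HOSTS, spiders=SPIDER_MARKERS):
    """Return one finding per request that exposes a SID:
    - 'external-referer': the request URL carries a SID and came from a host
      that is not ours, i.e. another site published a link with a SID in it;
    - 'spider-sid': a known crawler requested a URL with a SID, i.e. it is
      being handed SIDs that can end up in its index."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue                          # unparsable line, skip it
        sid = sid_in_url(m["url"])
        if sid is None:
            continue
        ref_host = urlsplit(m["referer"]).hostname if m["referer"] != "-" else None
        ua = m["ua"].lower()
        if ref_host and ref_host not in own_hosts:
            findings.append({"reason": "external-referer", "sid": sid,
                             "referer": ref_host, "ip": m["ip"], "url": m["url"]})
        if any(s in ua for s in spiders):
            findings.append({"reason": "spider-sid", "sid": sid,
                             "referer": ref_host, "ip": m["ip"], "url": m["url"]})
    return findings


if __name__ == "__main__":
    for f in find_sid_exposures(SAMPLE_LOG.splitlines()):
        print(f"{f['reason']:17} sid={f['sid']} from={f['ip']} referer={f['referer']}")
```

A SID reported under 'external-referer' is one that has already been published somewhere outside the store, so the session it names should be treated as shared; after enabling Recreate Session such hits should continue to appear in the log (the link does not go away) but no longer resolve to an authenticated session.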

Thanks for the tip, Bobby.

 

When I was messing with different settings to get rid of the session ID problem, my store seemed to 'break' with any settings other than what I show above. I don't recall though, if I had it set to true in combination with something else that didn't work, so I'll try it again now. :)

 

Terry



Many Thanks Guys,

I have implemented the added session ID security features on our site and they seem to have taken good effect. I'm now validating it by IP, which I think will alleviate any problems like this in the future.

 

Do you get lots of customers complaining that they have to have cookies enabled, since we seem to get errors if we store the sessions in cookies?


...

Do you get lots of customers complaining that they have to have cookies enabled, since we seem to get errors if we store the sessions in cookies?

I don't want to clutter the thread with off-topic banter but if you force cookie use be sure to have appropriate entry in the robots.txt file (located in your document root).

 

It should look something like this:

User-agent: *
Disallow: /admin/
Disallow: /account.php
Disallow: /advanced_search.php
Disallow: /checkout_shipping.php
Disallow: /create_account.php
Disallow: /cookie_usage.php
Disallow: /login.php
Disallow: /password_forgotten.php
Disallow: /popup_image.php
Disallow: /shopping_cart.php

If you don't have this file you'll have to create it. The filename is case sensitive so make sure it is "robots.txt". If you don't have the entry for cookie_usage.php you'll have a lot of pages indexed about cookie use. Of course, if you sell cookies it might be of value to leave the entry out and let them index it :)

 

The other entries ensure that you keep the spiders busy with actual content of your site and not spending time in areas that add no value (other than for customers of course).

 

Bobby

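The robots.txt Bobby shows can be checked mechanically rather than by eye. The following is an added example, not osCommerce's own code: a small robots.txt parser with a lookup that follows the basic convention (a Disallow value is a path prefix, an empty value allows everything, a record for a specific agent wins over '*'), plus a check that the entries named in this thread are present. The file contents are copied from the post; the paths, agents and required-entry list are constructed for the demonstration.

```python
"""Added example, not osCommerce's own code: a small robots.txt parser and
checker for the file described in the thread. Matching follows the basic
robots.txt convention (a Disallow value is a path prefix; an empty value
allows everything). The contents below are copied from the post; the paths,
agents and required-entry list are constructed for the demonstration."""

ROBOTS_TXT = """\
User-agent: *
Disallow: /admin/
Disallow: /account.php
Disallow: /advanced_search.php
Disallow: /checkout_shipping.php
Disallow: /create_account.php
Disallow: /cookie_usage.php
Disallow: /login.php
Disallow: /password_forgotten.php
Disallow: /popup_image.php
Disallow: /shopping_cart.php
"""

# Entries the thread singles out: the admin directory, the cookie-usage page
# that otherwise gets indexed over and over, and account-related pages.
REQUIRED_DISALLOWS = ["/admin/", "/account.php", "/cookie_usage.php",
                      "/login.php", "/shopping_cart.php"]


def parse_robots(text):
    """Return {user_agent: [disallow_prefix, ...]}. Consecutive User-agent
    lines form one record and share its rules; comments and blank lines
    are ignored."""
    rules, current, last_was_agent = {}, [], False
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or ":" not in line:
            continue
        key, value = (p.strip() for p in line.split(":", 1))
        key = key.lower()
        if key == "user-agent":
            if not last_was_agent:       # a new record starts here
                current = []
            rules[value.lower()] = current
            last_was_agent = True
        elif key == "disallow":
            current.append(value)
            last_was_agent = False
    return rules


def is_disallowed(rules, user_agent, path):
    """True if `path` is blocked for `user_agent`: a record for that agent
    wins over '*', and a path is blocked when any non-empty Disallow value
    is a prefix of it."""
    prefixes = rules.get(user_agent.lower(), rules.get("*", []))
    return any(p and path.startswith(p) for p in prefixes)


def missing_disallows(rules, required=REQUIRED_DISALLOWS, agent="*"):
    """Required entries absent from the record for `agent`."""
    have = set(rules.get(agent, []))
    return [r for r in required if r not in have]


if __name__ == "__main__":
    r = parse_robots(ROBOTS_TXT)
    for path in ("/cookie_usage.php", "/product_info.php",
                 "/catalog/cookie_usage.php"):
        print(path, "blocked" if is_disallowed(r, "*", path) else "allowed")
    print("missing:", missing_disallows(r))
```

One caveat the check makes visible: robots.txt lives in the document root and its Disallow values are matched from there, so a store installed under /catalog/ (as in Terry's configure.php) needs entries such as Disallow: /catalog/cookie_usage.php; the root-relative entries above would leave /catalog/cookie_usage.php crawlable.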

Validating by IP address can cause problems for customers who use AOL, so I opted not to use that feature.

 

By default, MSIE is set to accept cookies from the issuing site, but will generate an alert from a third-party cookie (one from a different web site). I have not seen or heard about any problems since setting mine to force cookie use a couple of weeks ago.

 

Terry



Archived

This topic is now archived and is closed to further replies.
