
Session Issues



Over the past several days we have experienced a number of customers complaining about getting order confirmation emails that were not for orders they made. This was the tip of the iceberg.

 

What we have found is that they are picking up other orders in the shopping process. We have literally been on the phone with a customer while he clicked refresh, picking up other people's orders each time! The following is an email we just received:

 

The night before my order I tried to order. Things that I had not ordered popped up in my shopping cart.

I thought at first that I had accidentally moved or clicked my mouse. My husband watched over my shoulder. We did not touch the computer for a few minutes, and a long list of orders were added to my shopping cart. When I finally got our order to appear by itself and I was ready to checkout, the computer wanted to bill someone in Michigan. (I live in South Carolina.) Frustrated I did not order anything and ordered the next day without any problems.

 

Investigating shows patterns that this SEEMS to happen to people online at the same time, however we have a case where the mixed up orders are over an hour apart.

 

When we go to correct the order the only data that is wrong is in the orders table. The customer id and address information is wrong for that order, but the billing and shipping information is CORRECT!

 

This installation has been working for almost two years without issue. No changes to core have been made for 2005.

 

Any ideas would be greatly appreciated.

Link to comment

We're having the SAME issues with two carts, and my clients are very frustrated and ready to change the site to another cart. We've moved to a dedicated server, set them up with their own SSL, gave them a dedicated IP address, and still have the problem happening. Next step is to force cookies, I guess. But this is becoming frequent enough with OSC users that someone needs to figure out what's causing it...

Link to comment

The cache does not affect carts - it's just caching boxes for the page displays, such as categories.

 

I wonder if the people experiencing this are using files for sessions or are they using the database? (STORE_SESSIONS='mysql';)

Link to comment

Yes Steve, does sound exactly like that.

 

The only connection with the Cache feature (and I think this is where the misunderstanding arose in the previous post) is that if 'Use Cache' is set to 'true' then by default it uses the same 'tmp' folder as for sessions stored in files. Where the 'tmp' folder is a shared folder on a shared server and Use Cache is enabled then the store owner can find other people's Categories on their pages - just as other people can see other customers' carts when sessions are stored in the same shared folder.

 

Vger

Link to comment

I'm not familiar with how sessions are stored in files by PHP, but I would hope that there's some attempt to prevent two different users from getting the same session ID.

 

I recommend setting STORE_SESSIONS to 'mysql' in configure.php - this solves a lot of problems people have with sessions.

Link to comment

If your site gets indexed by search engines with the Session ID in the link (i.e. it was indexed without prevent spider sessions being set) and the same two people click on this link to get to your site, there will most likely be a problem like has been described if the session is still active.

Link to comment

I'm not familiar with how sessions are stored in files by PHP, but I would hope that there's some attempt to prevent two different users from getting the same session ID.

Steve,

 

It's not PHP itself but osCommerce that is storing sessions in files. The problem is that the default store setting is to store (for files) sessions in /tmp. On a shared *nix server, /tmp is shared by every domain on the server.

 

This is easily solved by:

Create the following directory: catalog/sessions (or whatever you want.)

Change the following entry to: sessions (or whatever from the last step)

Admin->Configuration->Sessions->Session Directory

 

I used to use MySQL for sessions and switched to files while I was testing the Who's Online enhancement. I haven't had any problems.

 

I agree with FalseDawn although this will happen with sessions stored in files and MySQL.

 

ed

Link to comment

We are using mysql to store sessions, not using caching. We have all the session settings in osCommerce set to false, including recreate session.

 

Initially we thought it was caused due to heavy load, and our database was overwhelmed. We have since resolved that issue, but are still having the issue with about .5% of orders.

 

The curious thing is that it saves the wrong customer info for the order, but the correct billing and shipping info. It is like it has a split personality! It is two people at once.

 

Also, once a person is "infected", they can pick up all kinda other orders in their carts. Meanwhile others are unaffected. We have been unable to duplicate the problem to debug.

 

Since others have had this issue, while most do not, it leads me to thinking it could be a contribution or configuration. I wonder if database configuration settings could be a factor? I dunno, we are shootin in the dark here and it is critical.

Link to comment

Firstly, set "recreate session" to true.

If you are using ssl, the session should _always_ be recreated when entering secure area.

 

I would say it is far more likely that the problem is caused by dodgy code in a contribution than database configuration, although having said that, the fact that MySQL ISAM tables do not support transaction locking has always been a big concern of mine...

If you haven't altered any of the base code that saves orders (i.e. you haven't installed PWA or similar contrib) I will have a quick run through the code when I get chance.

Be interesting to hear if anybody is having similar problems with a stock store.

 

What contributions have you installed?

Link to comment

Also, as I mentioned before - do you know if you have inbound links to your site with session IDs in the URLs? These can cause problems.

 

You really need to empty your sessions table as well. How many rows do you have in there? Is the garbage collector working OK?

 

You should take your store off line for a few minutes (when it's not busy of course, and give the customers warning!) and delete all rows from the sessions table.

And make sure you have "prevent spider sessions" set ON in your admin, and your spiders.txt file is up to date.

Link to comment

Problem Resolved!

 

I discovered while browsing through the store that there was ONE page that showed the session id in the URL. The light went on.

 

This problem had started at the same time a large email marketing campaign had begun. This led us to believe that it might have been due to heavy load. We have three web servers and a dedicated database server and the load was heavy enough to bring us to our knees. Sounds reasonable. However, after seeing the session in the address bar, others who had issues with search engines picking up sessions, I suddenly realized that there was a good chance that our mailing list administrator had cut and pasted the store address to include in the email. A quick check confirmed it. Of the six links in the email one of them had the session in it!

 

So, we found our bug, and I can sleep now...

 

I want to thank everyone who helped on this and lent some of their experience to the process.

 

Thanks everyone!

Link to comment

Archived

This topic is now archived and is closed to further replies.
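
The root cause found in this thread (one session ID in a link followed by many visitors) leaves a trace in web server logs. The following is an added example, not code from any poster or from osCommerce: it flags session IDs that arrive in URLs from more than one client address, and strips the session parameter from a link before it is pasted into an email. It assumes the default osCommerce session name `osCsid` and combined-format access logs; the log lines and the `shop.example` URL are constructed.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit, urlunsplit, parse_qsl, urlencode

SESSION_PARAM = "osCsid"  # assumption: default osCommerce session name

# Constructed sample access-log lines, not taken from the thread.
SAMPLE_LOG = """\
198.51.100.7 - - [12/Mar/2005:10:01:02 -0500] "GET /catalog/index.php?cPath=3&osCsid=aaaa1111bbbb2222cccc3333dddd4444 HTTP/1.1" 200 5120
203.0.113.20 - - [12/Mar/2005:10:01:40 -0500] "GET /catalog/index.php?cPath=3&osCsid=aaaa1111bbbb2222cccc3333dddd4444 HTTP/1.1" 200 5120
192.0.2.55 - - [12/Mar/2005:11:15:09 -0500] "GET /catalog/shopping_cart.php?osCsid=aaaa1111bbbb2222cccc3333dddd4444 HTTP/1.1" 200 7301
192.0.2.99 - - [12/Mar/2005:11:16:00 -0500] "GET /catalog/product_info.php?products_id=8&osCsid=eeee5555ffff6666aaaa7777bbbb8888 HTTP/1.1" 200 4410
192.0.2.99 - - [12/Mar/2005:11:16:30 -0500] "GET /catalog/index.php HTTP/1.1" 200 5000
"""

# Client address and request target from a common/combined log line.
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(?:GET|POST|HEAD) (\S+) [^"]*"')

def shared_session_ids(log_text, min_clients=2):
    """Return {session_id: sorted client IPs} for IDs sent by >= min_clients IPs."""
    clients = defaultdict(set)
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in the expected format
        ip, target = m.groups()
        for key, value in parse_qsl(urlsplit(target).query):
            if key == SESSION_PARAM and value:
                clients[value].add(ip)
    return {sid: sorted(ips) for sid, ips in clients.items()
            if len(ips) >= min_clients}

def strip_session_id(url):
    """Drop the session parameter from a URL, keeping every other parameter."""
    parts = urlsplit(url)
    query = [(k, v) for k, v in parse_qsl(parts.query, keep_blank_values=True)
             if k != SESSION_PARAM]
    return urlunsplit(parts._replace(query=urlencode(query)))

if __name__ == "__main__":
    for sid, ips in shared_session_ids(SAMPLE_LOG).items():
        print(f"session {sid} used by {len(ips)} clients: {', '.join(ips)}")
    print(strip_session_id(
        "https://shop.example/catalog/index.php?cPath=3&osCsid=aaaa1111bbbb2222cccc3333dddd4444"))
```

One ID seen from two addresses can be benign (a proxy pool, a phone changing networks), so treat a hit as a lead and check where the link carrying that ID was published.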
