quag2000 Posted June 1, 2005

Urgent! Can anyone help me track down what is happening here?

my site: www.staticfarm.com

I just got an email from a customer as follows:

> .... I came to the staticfarm site and added it to my basket. I was just getting ready to register with the site when I noticed that I was already logged in on someone else's account: XXXXX XXX XXXX I've logged off the account, but obviously am rather reluctant to register if it means that my contact details will be visible to the next person accessing the site!

Can anyone help? Sorry I didn't have time to search well on this one!

Cheers
QUAG

gmoney1917 Posted June 1, 2005

Are you using a shared computer?

quag2000 Posted June 1, 2005

> Are you using a shared computer?

No, the customer concerned was in a different country to the person whose details came up on his computer. It must be a temporary cache somewhere in my OS Commerce installation. I thought that would have been cached at the user end, not at the server end. Have I messed up a setting?

cheers

quag2000 Posted June 1, 2005

> No, the customer concerned was in a different country to the person whose details came up on his computer. It must be a temporary cache somewhere in my OS Commerce installation. I thought that would have been cached at the user end, not at the server end. Have I messed up a setting? cheers

Anybody? I have tried the different session setting now, but no go. I just experienced it myself. I went to the catalog, and ended up inside someone else's session. arrrg! :'(

AverageJoe Posted June 1, 2005

are you storing customer details/sessions in files or sql?

quag2000 Posted June 1, 2005

> are you storing customer details/sessions in files or sql?

I'm not 100% sure. Where would I check on that? My session settings are:

Session Directory: /tmp
Force Cookie Use: False
Check SSL Session ID: False
Check User Agent: False
Check IP Address: True
Prevent Spider Sessions: True
Recreate Session: True

These were defaulted to: false / false / false / false / false / false when I first started trying to find this problem. The changes seem not to have made any difference.

I recently installed the Downloads Controller contribution.

Cheers

Guest Posted June 1, 2005

> are you storing customer details/sessions in files or sql?

This is in includes/configure.php near the bottom.

quag2000 Posted June 1, 2005

> This is in includes/configure.php near the bottom.

ahh yes.. the configure files...thanks!

define('STORE_SESSIONS', 'mysql');

sql by the looks

quag2000 Posted June 1, 2005

> ahh yes.. the configure files...thanks! define('STORE_SESSIONS', 'mysql'); sql by the looks

Ok, I think I have fixed it. I had my cookies set up wrong in configure.php (had the www in front) and also had an extra / after the http server setting.

Also I discovered I had included links to various functions in the store in my header with ?osCid82376872364 etc etc on the end... am I right in figuring this is the session id? That would certainly help explain some stuff.

Cheers :)

rbartz Posted June 8, 2005

I have had similar problems on two sites, FINALLY found that the problem was due to LINKS that were added with osCid session numbers in them. The links would look something like this:

http://ww....../default.php?osCsid=01bfd6d...902ffe&cPath=70

If the link pointed to a session that was a "logged in session" and it was still stored, then the session was resumed! NOT good...

I am guessing what happened was the session was originally the client's own admin account. When he created outside links he was logged in... then someone else used the link, logged out as him, logged in as themselves, and it must have kept the same session! Thus the session pointed to another customer's account... or maybe they just opened the link and logged in, then the session was hijacked before it expired by the next person who used that link...!

Anyway, I suggest you check all your external and outside links and remove all osCid data from them.

quag2000 Posted June 9, 2005

Done! It seems to have stopped! Fingers crossed that's the only problem! ;)

scrap32 Posted June 12, 2005

I too, am having this problem. When I click on the logo, it has the OSCid after it...

> also I discovered I had included links to various functions in the store in my header with ?osCid82376872364 etc etc on the end...

Where did you go to remove this permanently so that every time someone clicks on the logo, they won't be logged into someone else's account?

quag2000 Posted June 12, 2005

> I too, am having this problem. When I click on the logo, it has the OSCid after it... Where did you go to remove this permanently so that every time someone clicks on the logo, they won't be logged into someone else's account?

I had the settings for cookies set incorrectly in admin/configure.php. Also I had linked various things and included the OSCid session in the link, so I changed those links.

I think from memory that the cookie domain should not have www. preceding it, e.g. instead of www.yourdomain.com for the cookie domain it should be just yourdomain.com. Can anyone verify this for me? That one thing I changed, and I seem to have not had the problem since.

scrap32 Posted June 12, 2005

Hmm, I've noticed that every time I click on a link (doesn't matter which one), it has the OSCid on it. I still have no idea on how or where to edit all this!! :unsure:

rbartz Posted June 26, 2005

> Hmm, I've noticed that every time I click on a link (doesn't matter which one), it has the OSCid on it. I still have no idea on how or where to edit all this!! :unsure:

Scrap,

The osCsid number is supposed to be on many of the links that are generated by osC as part of using the site. Such links as logoff, my account and so on especially.

The problem where someone gets logged in as another user seems to be on links you have created elsewhere on your site that have the osCsid. These links should not have it! Apparently when someone clicks on these outside links it can sometimes restore the session.

For example, you create a link for a category that you want on the "Home Page" of your site, or a link that is part of another product's description by copying your URL which includes the session ID as part of the link you created.

The solution is to DELETE the osCsid=73459873957239 part of any link you create. Then the session cannot be reused by anyone.

Hope this helps,
RDB

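Added example, not part of any post above and not osCommerce code: a Python check for the cleanup rbartz describes, which scans hand-written HTML for links that carry a pasted osCsid and reports each one with the session ID removed. The sample markup and the shop.example URLs are constructed for illustration.

```python
import re
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

SESSION_PARAM = "osCsid"  # parameter name as it appears in the thread's example URL

# Quoted href/src/action attribute values in HTML.
ATTR_RE = re.compile(r"""\b(?:href|src|action)\s*=\s*(["'])(.*?)\1""", re.I)

def _query_pairs(url):
    """Split a URL (with HTML-escaped ampersands undone) into parts and query pairs."""
    parts = urlsplit(url.replace("&amp;", "&"))
    return parts, parse_qsl(parts.query, keep_blank_values=True)

def has_session_id(url, param=SESSION_PARAM):
    """True if the URL's query string carries the session parameter."""
    _, pairs = _query_pairs(url)
    return any(key.lower() == param.lower() for key, _ in pairs)

def strip_session_id(url, param=SESSION_PARAM):
    """Return the URL without the session parameter; other parameters keep their order."""
    parts, pairs = _query_pairs(url)
    kept = [(k, v) for k, v in pairs if k.lower() != param.lower()]
    return urlunsplit(parts._replace(query=urlencode(kept)))

def find_hardcoded_session_links(markup, param=SESSION_PARAM):
    """Return (line number, original URL, cleaned URL) for every offending link."""
    findings = []
    for lineno, line in enumerate(markup.splitlines(), 1):
        for match in ATTR_RE.finditer(line):
            url = match.group(2)
            if has_session_id(url, param):
                findings.append((lineno, url, strip_session_id(url, param)))
    return findings

# Constructed sample: a hand-edited header with two pasted session IDs.
SAMPLE = """\
<a href="http://shop.example/default.php?osCsid=0123456789abcdef&cPath=70"><img src="logo.gif"></a>
<a href="http://shop.example/product_info.php?products_id=12">Widget</a>
<a href='http://shop.example/account.php?cPath=3&amp;osCsid=fedcba9876543210'>My account</a>
"""

if __name__ == "__main__":
    for lineno, url, cleaned in find_hardcoded_session_links(SAMPLE):
        print(f"line {lineno}: {url}\n    -> {cleaned}")
```

Run it over static files such as a custom header or product descriptions exported from the database; links that osCommerce generates at request time are not in those files and are not affected.
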
scrap32 Posted June 29, 2005

Thanks!!

Archived
This topic is now archived and is closed to further replies.