
URGENT! Customers see OTHER customers details!


quag2000

Urgent!

Can anyone help me track down what is happening here?

My site: www.staticfarm.com

I just got an email from a customer as follows:

.... I came to the staticfarm site and added it to my basket. I was just getting ready to register with the site when I noticed that I was already logged in on someone else's account:

XXXXX XXX XXXX

I've logged off the account, but obviously am rather reluctant to register if it means that my contact details will be visible to the next person accessing the site!

Can anyone help? Sorry I didn't have time to search well on this one!

Cheers

QUAG


Are you using a shared computer?

No,

The customer concerned was in a different country to the person whose details came up on his computer. It must be a temporary cache somewhere in my osCommerce installation.

I thought that would have been cached at the user end, not at the server end.

Have I messed up a setting?

cheers


Anybody?

I have tried the different session setting now, but no go.

I just experienced it myself.

I went to the catalog, and ended up inside someone else's session.

arrrg!

:'(


are you storing customer details/sessions in files or sql?

 

I'm not 100% sure.

Where would I check on that?

My session settings are:

Session Directory /tmp
Force Cookie Use False
Check SSL Session ID False
Check User Agent False
Check IP Address True
Prevent Spider Sessions True
Recreate Session True

These were defaulted to false / false / false / false / false / false when I first started trying to find this problem. The changes seem not to have made any difference.

I recently installed the Downloads Controller contribution.

Cheers

This is in includes/configure.php near the bottom.


ahh yes.. the configure files... thanks!

define('STORE_SESSIONS', 'mysql');

sql by the looks

Ok,

I think I have fixed it.

I had my cookies set up wrong in configure.php (had the www in front) and also had an extra / after the http server setting.

Also I discovered I had included links to various functions in the store in my header with

?osCid82376872364 etc etc on the end...

Am I right in figuring this is the session id?

That would certainly help explain some stuff.

Cheers

:)


I have had similar problems on two sites, FINALLY found that the problem was due to LINKS that were added with osCid session numbers in them. The links would look something like this:

http://ww....../default.php?osCsid=01bfd6d...902ffe&cPath=70

If the link pointed to a session that was a "logged in session" and it was still stored, then the session was resumed! NOT good...

I am guessing what happened was the session was originally the client's own admin account. When he created outside links he was logged in... then someone else used the link, logged out as him, logged in as themselves, and it must have kept the same session!

Thus the session pointed to another customer's account... or maybe they just opened the link and logged in, then the session was hijacked before it expired by the next person who used that link...!

Anyway, I suggest you check all your external and outside links and remove all osCid data from them.


I too am having this problem. When I click on the logo, it has the OSCid after it...

Where did you go to remove this permanently so that every time someone clicks on the logo, they won't be logged into someone else's account?


I had the settings for cookies set incorrectly in admin/configure.php.

Also I had linked various things and included the OSCid session in the link, so I changed those links. I think from memory that the cookie domain should not have www. preceding it, e.g. instead of www.yourdomain.com for the cookie domain it should be just yourdomain.com.

Can anyone verify this for me? That one thing I changed, and I seem to have not had the problem since.


2 weeks later...

Hmm, I've noticed that every time I click on a link (doesn't matter which one), it has the OSCid on it.

I still have no idea on how or where to edit all this!! :unsure:

 

Scrap,

The osCsid number is supposed to be on many of the links that are generated by osC as part of using the site, especially links such as logoff, my account and so on.

The problem where someone gets logged in as another user seems to be on links you have created elsewhere on your site that have the osCsid. These links should not have it! Apparently when someone clicks on these outside links it can sometimes restore the session.

For example, you create a link for a category that you want on the "Home Page" of your site, or a link that is part of another product's description, by copying your URL which includes the session ID as part of the link you created.

The solution is to DELETE the osCsid=73459873957239 part of any link you create. Then the session cannot be reused by anyone.

Hope this helps,

RDB
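The check RDB and the earlier reply describe, as an added example that is not from this thread or from osCommerce itself: a small Python script that scans hand-written HTML (a header, a home page, a product description) for links carrying the osCsid parameter and rewrites them without it, keeping the rest of the query string such as cPath. The host example.invalid and the session values in the sample are constructed.

```python
import re
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

# osCommerce's session id query parameter (the thread also spells it "osCid")
SESSION_PARAM = "osCsid"

# Constructed sample of a hand-written header whose links were copied from
# the browser while logged in, exactly the mistake the thread describes.
# Host name and session values are made up.
SAMPLE_HEADER = """
<a href="http://www.example.invalid/catalog/default.php?osCsid=01bfd6d902ffe&cPath=70">Shop</a>
<a href="http://www.example.invalid/catalog/account.php?osCsid=73459873957239">My Account</a>
<a href="http://www.example.invalid/catalog/specials.php">Specials</a>
<a href="../catalog/index.php?cPath=22&osCsid=deadbeef0001">Categories</a>
"""

HREF_RE = re.compile(r'href="([^"]*)"', re.IGNORECASE)


def has_session_id(url: str) -> bool:
    """True if the URL's query string carries an osCsid parameter (any case)."""
    keys = [k.lower() for k, _ in parse_qsl(urlsplit(url).query, keep_blank_values=True)]
    return SESSION_PARAM.lower() in keys


def strip_session_id(url: str) -> str:
    """Return the URL with osCsid removed; every other parameter is kept in order."""
    parts = urlsplit(url)
    kept = [(k, v) for k, v in parse_qsl(parts.query, keep_blank_values=True)
            if k.lower() != SESSION_PARAM.lower()]
    # urlunsplit drops the "?" entirely when the remaining query is empty
    return urlunsplit(parts._replace(query=urlencode(kept)))


def find_session_links(html: str) -> list[str]:
    """List every href that would hand a visitor a stored session."""
    return [url for url in HREF_RE.findall(html) if has_session_id(url)]


def clean_html(html: str) -> str:
    """Rewrite every href so that no link carries a session id."""
    return HREF_RE.sub(lambda m: 'href="%s"' % strip_session_id(m.group(1)), html)


if __name__ == "__main__":
    for url in find_session_links(SAMPLE_HEADER):
        print("session id in link:", url, "->", strip_session_id(url))
```

Run it over any template or description text you wrote by hand; the osCsid on links osCommerce generates at request time is expected, as RDB notes, and is not what this script is for.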
