
osCommerce

The Problem with Hijacked Sessions and accounts getting combined.


Steel


I hope this helps someone :)


How it's happening:

Google (or any other search engine) starts a session, indexes it, and then displays it on their search engine site just as the example above showed. It also lists the Session ID in the link that it started, even if it was hours, days, or even weeks ago!

Customer "A" (we'll call him JOHN) goes to Google and does a search for a "BLUE CAR". A link for "examplewebstore.com" comes up. Now look at the URL for the link

http://examplewebstore.com/catalog/product_info.php?products_id=345&osCsid=b7f635beafc3f8bfdd538815cd4d514

Pay Attention to the Session ID: osCsid=b7f635beafc3f8bfdd538815cd4d514

And

Pay Attention to the Product ID: products_id=345

NOW, Customer "B" (we'll call him FRED) goes to Google and does a search for a "RED CAR". A link for "examplewebstore.com" again comes up. Now look at this link.

http://examplewebstore.com/catalog/product_info.php?products_id=789&osCsid=b7f635beafc3f8bfdd538815cd4d514

Notice the Same Session ID: osCsid=b7f635beafc3f8bfdd538815cd4d514

And

Notice the Product ID: products_id=789

If you notice the URL for the link for the "RED CAR", it's almost identical to the link for the "BLUE CAR". The only difference is that although the Product ID portion is not the same, the Session ID is a perfect match!

It seems as if the way a session ID works is that the last person to actually SIGN IN using a particular Session ID now becomes the default person who is assigned that ID. This is so the next time that they come back and log in, their account will pop up and the same Session ID will be restored.

(Note: This can and will also happen if the 2 customers click on the same link for the same item as well. It doesn't have to be different products.)

The Problems that it can cause:

Situation 1.

Customer "A" John comes along, does his search, sees the Google link, clicks on it and then ends up resuming the session that Google had started. Once he signs in, while using this session ID, it now becomes associated with his account. Now let's say he checks out, completes the transaction and then logs off. Then customer "B" Fred comes along and clicks on a Different Google link (OR EVEN THE SAME LINK) with the same Session ID, and at this point, if he were to SIGN IN, Fred would now have that exact same Session ID assigned to his account instead of John's.

This might not seem like that big of a deal and some people might think "Ahhhhhh, what's the matter with that happening... it's not causing any harm?" Well, in situation 2, I will show you.

Situation 2.

Customer "A" John comes along, does his search, sees the Google link, clicks on it and then ends up resuming the session that Google had started. Once he signs in, while using this session ID, it now becomes associated with his account. Now let's say, this time he adds a few things to his cart and leaves. When customer "B" Fred comes along and clicks on another Google link with the same Session ID, not only does he resume John's cart, but if he were to SIGN IN, the Session ID, that was first assigned to Google and then to John, would now once again be reassigned to Fred's account. Fred would unknowingly take over John's cart completely.

Now in the worst case situation...

Situation 3.

Customer "A" John comes along, does his search, sees the Google link, clicks on it and then ends up resuming the session that Google had started. Once he signs in, while using this session ID, it now becomes associated with his account. This time however he signs in, adds a few things to his cart, and is browsing around when customer "B" Fred comes along and clicks on another Google link with the same Session ID. If Fred does this while John is still logged in under this Session ID, Fred is now ALSO signed in under John's account at the exact same time as John, and Fred doesn't even have to SIGN IN himself at all! He has total control over John's account.

The Result:

This is one way that accounts are getting mixed up. Fred places his order under John's account, changes the billing and Ship To info and completes the transaction. Meanwhile John contacts the store wanting to know why some "Fred guy" has an order under his account. Or, Fred emails asking about his order, but it's nowhere to be found, because the order was placed under John's account and not his own.
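As an added illustration (not code from the original post or from osCommerce), here is a small Python simulation of the flow described in Situations 1 to 3, built on a hypothetical toy `Store` class: the vulnerable store resumes whatever osCsid the URL presents and keeps that ID across sign-in, so a second visitor arriving through the indexed link lands in the first customer's cart and account; the hardened store ignores IDs it never issued and hands out a fresh ID at sign-in, so the ID sitting in the search results is useless afterwards.

```python
import secrets


class Store:
    """Toy server-side session table: each ID maps to a customer and a cart."""

    def __init__(self, regenerate_on_login, accept_unknown_sid):
        self.sessions = {}  # sid -> {"customer": name or None, "cart": [products]}
        self.regenerate_on_login = regenerate_on_login
        self.accept_unknown_sid = accept_unknown_sid

    def _new_session(self, sid=None):
        sid = sid or secrets.token_hex(16)
        self.sessions[sid] = {"customer": None, "cart": []}
        return sid

    def request(self, url_sid=None):
        """Resolve the session a request runs under, given the osCsid in the URL."""
        if url_sid in self.sessions:
            return url_sid  # known session: resumed by whoever presents the ID
        if url_sid and self.accept_unknown_sid:
            # Trusting behaviour: an ID the server never issued (or that already
            # expired) is adopted as-is, so a stale indexed link is revived.
            return self._new_session(url_sid)
        return self._new_session()  # strict: ignore the presented ID entirely

    def login(self, sid, customer):
        """Bind the customer to the session; the hardened store rotates the ID."""
        data = self.sessions[sid]
        data["customer"] = customer
        if self.regenerate_on_login:
            del self.sessions[sid]  # the ID sitting in search results dies here
            sid = secrets.token_hex(16)
            self.sessions[sid] = data
        return sid

    def add_to_cart(self, sid, product):
        self.sessions[sid]["cart"].append(product)


def run_scenario(store):
    """Situation 3: John signs in via the indexed link and Fred follows a link
    with the same osCsid while John is active. Returns what Fred sees."""
    crawler_sid = store.request()          # the crawler's visit creates the session
    john_sid = store.login(store.request(crawler_sid), "john")  # ...&osCsid=<crawler_sid>
    store.add_to_cart(john_sid, "blue car")
    fred_sid = store.request(crawler_sid)  # Fred's link carries the same osCsid
    fred = store.sessions[fred_sid]
    return fred["customer"], list(fred["cart"])
```

In PHP terms the hardened behaviour corresponds to calling `session_regenerate_id(true)` at sign-in and enabling `session.use_strict_mode` so that a session ID the server never issued is not adopted from the URL.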
