Duplicate Orders, Cross Customers?

[optic]

This is weired. I'm very familiar with OSC, and have installed it and used many times for some of my other domains, but I've never had this problem before.

 

It seems like customers are crossing data. Meaning, if someone sets up an account, someone elses data is appearing as theirs. Or if someone places an order, data from another customer is entered instead. This is causing a cross mess of duplicate orders, orders that people did order, but the billing/shipping info is another customer and vice-versa.

 

I am going to assume it might be the ORDER EDITOR contribution I installed, as it is the only thing that I believe would cause this mess. Has anyone else experienced this?

 

- O

[Guest]

I'm having the exact same issue that when a customer logs in to his/her account, a different customers' details show up. This is so weird and it just started happening about a week ago. :huh:

 

Any help anyone can provide would be greatly appreciated!

[MSP]

http://www.oscommerce.com/forums/index.php?sho...=225654&hl=

[♥Monika in Germany]

check if sessions are saved to the database (configure.php) and if cache in admin has been set to false.

[dukesgrl]

check if sessions are saved to the database (configure.php) and if cache in admin has been set to false.

 

Neither of these things are the problem. I've been having this problem for almost a year now. Basically, if someone places an order, but does not LOG OUT after the order is completed, there's a good possiblity that the next person who places an order will get the prior person's info because they don't need to log in. They see a name and then just change the ship to/bill to info and the CC info They don't realize that they're not the customer. I found this out when a very good customer did just that. She didn't log in with her ID info but just changed the other info. She told me she thought it was just a default that showed you what to do.

 

I've added text to the last page of the order process stating "For the protection of your account, please log out after placing your order!" So far, so good. I believe there is a contribution to fix this however, I can't find it.

 

Dorinda

[skylla]

In order for this to happen all of those customers are sharing one and the same session id. This could come from a link they follow with the id appended.

 

If as Monika suggests, your sessions are saved in de db, caching is set to false, session for robots are disabled, spiders.txt is up-to-date, you could additionally add some code to application_top to generate new sessionIDs for newcomers with sessionIDs. A certain 'Humbled' posted this code a while back - try a search on his name.

[♥Monika in Germany]

unfortunately, humbled was banned a while back ... all posts gone (grrrr) ... maybe someone saved that code and can post it?

[boxtel]

unfortunately, humbled was banned a while back ... all posts gone (grrrr) ... maybe someone saved that code and can post it?

 

That code was to give spiders who carry session id's a 301 redirect, not for customers following a link with a session id.

 

if ( $spider_flag == true ){

if ( eregi(tep_session_name(), $_SERVER['REQUEST_URI']) ){

$location = tep_href_link(basename($_SERVER['SCRIPT_NAME']), tep_get_all_get_params(array(tep_session_name())), 'NONSSL', false);

header("HTTP/1.0 301 Moved Permanently");

header("Location: $location"); // redirect...bye bye

}

}

 

 

For the customer part I do this (I save sessions in files, for DB sessions you would have to do an sql select) :

 

if (isset($_GET[tep_session_name()])) {

// session id in the url

if (!file_exists(SESSION_WRITE_DIRECTORY.'/sess_'.$_GET[tep_session_name()])) {

// requested session id is not active

// write an error log entry

error_log('GET session expired:'.$browser_ip.' - '.$_GET[tep_session_name()]."\n");

// ignore the given session id

unset($_GET[tep_session_name()]);

// issue a new one

session_regenerate_id();

}

}

 

you could do the same for POST and COOKIE but this covers all instances where customers follow an identical link with session id.

[ComicWisdom]

If it's only a logoff problem, what's wrong with just putting

 

tep_session_unregister('customer_id');
 tep_session_unregister('customer_default_address_id');
 tep_session_unregister('customer_first_name');
 tep_session_unregister('customer_country_id');
 tep_session_unregister('customer_zone_id');
 tep_session_unregister('comments');

 $cart->reset();

 

At the end of checkout_success.php