micetrap
Posted December 6, 2006

I have been using OSCommerce for years and for the past few months, I have had a problem where every once in a while, I will get orders under someone else's account. It must have something to do with cookies, but a customer places an order, but it's in another customer's account, they just change the information and then the other customer gets the confirmation emails. This is obviously a big security issue.

I went into my admin section and turned off the cache under My Store: Cache: Use Cache. This is set to false. I also made the Cache Directory blank.

In the catalog/includes/configure.php, I have sessions set to:

    define('STORE_SESSIONS', ''); // leave empty '' for default handler or set to 'mysql'

This doesn't happen often, but it has happened a few times this month and occurred 3 times yesterday. Can someone please help me figure out what would enable people to be able to log into someone else's account. I am sure it has to do with sessions or cookies.

jdvb
Posted December 6, 2006

See my post here. I used the mysql stored sessions, but the solution is also posted for file based sessions there.

micetrap (Author)
Posted December 6, 2006

When this problem first started, I switched to using Mysql for sessions and I found this problem happened more often. I then switched back to the default of my /tmp directory.

In my application_top.php, I don't have the code suggested in the fix. I am assuming I have an older build. This is what I have:

    define('TABLE_SESSIONS', 'sessions');

    // check if sessions are supported, otherwise use the php3 compatible session class
    if (!function_exists('session_start')) {
      define('PHP_SESSION_NAME', 'sID');
      define('PHP_SESSION_SAVE_PATH', '/tmp');

      include(DIR_WS_CLASSES . 'sessions.php');
    }

    // define how the session functions will be used
    require(DIR_WS_FUNCTIONS . 'sessions.php');
    tep_session_name('osCsid');

jdvb
Posted December 6, 2006

Try a new application top from a default install and then apply the fix to that. Upgrading is recommended for security reasons too.

micetrap (Author)
Posted December 6, 2006

I have tried upgrading many, many times but due to modifications and what not, it caused the shop not to function. Since I am a business that is operating, I can't afford down time and a non-functioning site.
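
Added example, not part of the original thread or of osCommerce: a Python check over web-server access logs for the symptom described in the first post, one `osCsid` session ID being presented by more than one client. It assumes Apache combined log format and that the session ID appears in request URLs as the `osCsid` parameter; the log lines and the `find_shared_sessions` helper are constructed for illustration.

```python
import re

# Constructed sample lines in Apache combined log format (not data from the thread).
SAMPLE_LOG = '''\
203.0.113.5 - - [05/Dec/2006:10:01:12 +0000] "GET /catalog/index.php?osCsid=a1b2c3d4e5f60718293a4b5c6d7e8f90 HTTP/1.1" 200 5120 "-" "Mozilla/4.0 (compatible; MSIE 6.0)"
203.0.113.5 - - [05/Dec/2006:10:03:40 +0000] "GET /catalog/checkout_shipping.php?osCsid=a1b2c3d4e5f60718293a4b5c6d7e8f90 HTTP/1.1" 200 7301 "-" "Mozilla/4.0 (compatible; MSIE 6.0)"
198.51.100.7 - - [05/Dec/2006:10:09:02 +0000] "GET /catalog/product_info.php?products_id=12&osCsid=a1b2c3d4e5f60718293a4b5c6d7e8f90 HTTP/1.1" 200 6110 "http://forum.example/viewtopic.php?t=1" "Mozilla/5.0 (X11; U; Linux i686) Firefox/2.0"
192.0.2.44 - - [05/Dec/2006:10:11:30 +0000] "GET /catalog/index.php?osCsid=0f1e2d3c4b5a69788796a5b4c3d2e1f0 HTTP/1.1" 200 5120 "-" "Mozilla/5.0 (Windows; U) Firefox/2.0"
192.0.2.44 - - [05/Dec/2006:10:12:05 +0000] "GET /catalog/account.php?osCsid=0f1e2d3c4b5a69788796a5b4c3d2e1f0 HTTP/1.1" 200 4800 "-" "Mozilla/5.0 (Windows; U) Firefox/2.0"
'''

# ip, timestamp, request URL, referer, user agent
LINE_RE = re.compile(
    r'^(\S+) \S+ \S+ \[([^\]]+)\] "\S+ (\S+)[^"]*" \d{3} \S+ "([^"]*)" "([^"]*)"'
)


def find_shared_sessions(log_text, param="osCsid"):
    """Return {session_id: [(ip, user_agent, first_seen, first_referer), ...]}
    for every session ID that was presented by more than one (ip, user_agent)
    pair. Clients are listed in the order they first used the ID."""
    sid_re = re.compile(r"[?&]" + re.escape(param) + r"=([0-9A-Za-z]+)")
    seen = {}  # session id -> {(ip, ua): (timestamp, referer) of first request}
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that are not in combined format
        ip, ts, url, referer, ua = m.groups()
        sid = sid_re.search(url)
        if sid:
            seen.setdefault(sid.group(1), {}).setdefault((ip, ua), (ts, referer))
    return {
        s: [(ip, ua, ts, ref) for (ip, ua), (ts, ref) in clients.items()]
        for s, clients in seen.items()
        if len(clients) > 1
    }


if __name__ == "__main__":
    for sid, clients in find_shared_sessions(SAMPLE_LOG).items():
        print("session", sid, "used by", len(clients), "clients")
        for ip, ua, ts, ref in clients:
            print("   ", ts, ip, "referer:", ref, "|", ua)
```

A customer whose IP address changes mid-visit also shows up as two clients, so treat each hit as a lead to compare against the order records. The referer of the second client's first request shows where that client picked up the ID.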
Archived
This topic is now archived and is closed to further replies.