
osCommerce


Customer Swap at Checkout Issue!


benjatado


Posted

Wow! - I am a bit worried here.

 

I have a few instances of orders on my site that have reportedly been made under someone else's account.

 

Here is the scenario:

 

A customer says when they go to checkout - another customer's info is presented on the screen. It appears they are then able to change the shipping/billing address and place the order under the other customer's account!

 

EEEK!

 

And when looking at my admin - I see where 2 orders come up (one right after the other) under the same account - but different billing/shipping addresses are provided!

Furthermore - the customer name of the rogue customer is not in the list of customers in the database!?! Like they just skipped the login!?!

 

What is going on here?

 

It sounds as if when the new customer clicks checkout - they are presented with the preceding customer's account information? Almost as if the code is skipping the login and sending them to the last customer's account who logged in before them.

 

I am about to panic!

Posted

Sounds like a session ID problem.

 

Check that your site isn't indexed with session IDs attached to the URL in search engines. Also, enable "Prevent Spider Sessions" in your admin, and enable "recreate session", that should fix any SID crossing (hopefully).

 

Ask your customers who reported it if they are going from a search engine, or just logging on to the site.

 

Rob

Rob Bell - Inspired Graphix

Customising osCommerce in Australia, and the world!

View my profile for web and email links.

 

I'm sorry, but I cannot offer Free support via PM etc, and osCommerce forums prohibit me from putting any reference to paid support in my signature.

However viewing my profile may provide links to my website or something like that which you may find useful.

Posted

Rob -

 

Thanks!

 

I just did this - almost all settings were false so I changed all settings in the Admin > Sessions to true except "force cookie", I left this false.

 

I also altered my application_top.php for cookie optimization from Amanda's post in this thread:

 

speeding things up with a cookie

 

I also updated the spiders.txt with the most recent list (published today). I will check the search engines too and ask that customer if they somehow clicked on a link from the search engine?

 

Oooo - or what if someone posted a link with the SID on a web page somewhere referencing a product on my site? What would this do? Would this always go back to a single customer?

 

So I will see how things go now and post back if all goes well...

 

Now off to explaining to the customer who received an email from another customer's purchase (on their account!) what happened... :blush:

 

Thanks again!

Posted

Ok - I have found 2 instances in 2 mins of an osCsid within a url on google and another website.

 

But - the good news is when I hit the add to cart > checkout - it pops me over to the login.php and not to someone else's account.

 

Ugh - but it uses the same osCsid throughout... is this going to be a problem here?

 

 

-ben

Posted

Ben,

 

Your osC id should not change throughout your particular session, that is the whole point. It shouldn't, however, be the same as someone else's session or things can get messed up. Having turned on the recreate sessions (and other various options) you have probably avoided the possibility of it happening again.

 

Having disabled sessions for spiders, you will have made sure that they are not picked up again, and the indexed pages should reflect this in time.

 

For now, people will end up at a login screen when clicking a link that has an osCid attached to it, but at least you have removed the security issue.

 

Rob


Posted

I've just had a similar problem. In our case, the customer followed a link from a forum - there is no session ID in the link, I've checked. They found they were logged in as the last client that placed an order and could view their account details and order history.

 

I've changed the settings in 'sessions' mentioned above. Is there anything else that needs to be done?

Posted

Nope, that Recreate Sessions should take care of it.

 

Are you sure there is no session ID? Can you post a link to it?

 

Rob


Posted

Sounds like a session ID problem.

 

Check that your site isn't indexed with session IDs attached to the URL in search engines. Also, enable "Prevent Spider Sessions" in your admin, and enable "recreate session", that should fix any SID crossing (hopefully).

 

Ask your customers who reported it if they are going from a search engine, or just logging on to the site.

 

Rob

Hi Rob. I have just had a similar problem. Could you be a little more specific on the first part of your answer? How do I "check that the site isn't indexed with session ids attached to the URL in search engines?"

Posted

I've just had this same problem, after looking at the solutions provided in this thread I came to realise that they simply weren't good enough. Here's why...

 

1) Force Cookie Use: at first this seems like a good idea, I personally have no problem forcing my customers to use cookies. However, the problem arises when the non-ssl and ssl parts of the site are on different URLs because this means the session doesn't persist when switching between different parts of the shop.

 

2) Regenerating the Session: This is ok because now you don't run the risk of customers getting other customers' details. However there is still a shared, un-authenticated session which occurs before customers login or create accounts. While it's not really a security risk, it is an inconvenience as customers may find items in their basket they didn't put there or items may start disappearing from their basket.

 

3) Prevent spider sessions: This is certainly a good thing to enable but it's still not going to totally solve the problem because: a) what's done is done and links with session ids will still last for quite some time; and b) it doesn't stop problems like people copying & pasting links with session ids into emails, message boards, etc...

 

So after thinking about this I came up with a solution, it's so blazingly obvious to anyone who's ever dealt with creating secure sessions before that it completely baffles me as to why it is not already in the codebase (hopefully it will be in the next/svn version but god knows when that will be released). My solution is this: if the session id provided doesn't have a valid session in the database, generate a new one just to be safe...ta da! To do this all you need to do is modify the function _sess_open in includes/functions/sessions.php like so:

 

  function _sess_open($save_path, $session_name) {
    // TJO - Dec 2006 : Fix for session stealing problem ///////////////////////
    // Look up the session id the client presented in the sessions table.
    $check_query = tep_db_query("select count(*) as total from " . TABLE_SESSIONS . " where sesskey = '" . tep_db_input(tep_session_id()) . "'");
    $check = tep_db_fetch_array($check_query);

    if ($check['total'] < 1) {
      // Unknown id (stale link, spider-indexed URL, pasted link): do not adopt
      // it. Generate a new session id instead.
      $new_sid = md5(uniqid(microtime()));
      tep_session_id($new_sid);

      // Send the new id in the session cookie so the browser stops using the old one.
      $cp = session_get_cookie_params();
      setcookie(tep_session_name(), $new_sid, 0, $cp['path'], $cp['domain']);
    }
    ////////////////////////////////////////////////////////////////////////////

    return true;
  }

 

Hope someone finds this useful, I'm confident with what I have done here, however please feel free to say if you see any problems/mistakes with what I have done.

 

All the best,

Tom

Posted

Hi Tom,

 

I found your contribution extremely useful, thank you!!! I was having serious problems with "force cookie use", it wouldn't let anyone checkout at all, would redirect to cookie_usage.php even if cookies were enabled. I think (not sure) this is because I'm on a shared SSL server so the session wouldn't persist, as you mentioned in your post. I tried to install the Sid Killer contrib, however it wouldn't work with the version of SEO URL's I'm using. I was about to uninstall SEO URL's and revert to the previous version, thankfully I found your post and saved myself a lot of work. Nicely done!

 

Thanks again.

Posted

IMPORTANT NOTE ABOUT MY MOD: Just to add the mod I posted previously will not work if "Recreate Session" is set to true since the recreated session will not be a valid session and will get thrown out. This would be fairly simple to fix just by creating the session in the database when the session is recreated, however, I don't feel the need for this setting with my mod so I'm not going to implement it. Therefore, if you use my mod do not enable Recreate Session unless you want to implement the extra code to allow it to work.
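A toy model of the mechanism Tom describes, added here as an illustration and not osCommerce's code or Tom's mod: the sessions table is a dict, the indexed-link scenario from the top of the thread is replayed with and without the unknown-id check, and the Recreate Session interaction from his follow-up note is shown. All class and function names are invented for the example.

```python
import secrets

# Added toy model (not osCommerce code) of the session save handler this
# thread discusses: TABLE_SESSIONS as a dict, with and without Tom's check.
class SessionStore:
    def __init__(self, validate_sid):
        self.rows = {}                    # sesskey -> session data
        self.validate_sid = validate_sid  # True = Tom's _sess_open check on

    def sess_open(self, presented_sid):
        """Return the session id this request will run under."""
        if presented_sid is None:
            return secrets.token_hex(16)  # CSPRNG; the mod used md5(uniqid())
        if self.validate_sid and presented_sid not in self.rows:
            return secrets.token_hex(16)  # unknown id: never adopt it
        return presented_sid              # stock behaviour: adopt any id given

    def sess_write(self, sid, data):
        self.rows[sid] = dict(data)       # persisted at end of the request

    def sess_read(self, sid):
        return dict(self.rows.get(sid, {}))


def simulate_indexed_link(validate_sid):
    """Replay the thread's scenario: an old link carries osCsid=<stale id>
    that no live session owns. Customer A logs in through it; visitor B
    follows the same link later. Returns the customer_id B lands in."""
    store = SessionStore(validate_sid)
    stale_sid = "0123456789abcdef" * 2   # constructed id baked into the link

    sid_a = store.sess_open(stale_sid)    # A's request: login happens here
    store.sess_write(sid_a, {"customer_id": 42})

    sid_b = store.sess_open(stale_sid)    # B's request with the same link
    return store.sess_read(sid_b).get("customer_id")   # 42 means hijacked


def recreate_session(store, sid, insert_row):
    """Recreate Session: fresh id, data carried over. As Tom notes, the new
    id is not in the table when _sess_open runs again in the same request,
    so with his check it is thrown out unless a row is inserted first."""
    data = store.rows.pop(sid, {})
    new_sid = secrets.token_hex(16)
    if insert_row:
        store.rows[new_sid] = data        # the extra step Tom describes
    return store.sess_open(new_sid) == new_sid   # False = session lost
```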

Archived

This topic is now archived and is closed to further replies.
