Jump to content
  • Checkout
  • Login
  • Get in touch

osCommerce

The e-commerce.

Security hole?


dropdeadred

Recommended Posts

Posted

A friendly user of my website pointed me to this thread about a new item that's available:

 

http://www.moviemusic.com/mb/Forum1/HTML/015471.html

 

Apparently when following a product link with a hard-coded session ID, the next person through was logged in as the person before. Isn't this a horrible security hole? Does anyone have any idea how I would fix that?

Posted
Apparently when following a product link with a hard-coded session ID, the next person through was logged in as the person before. Isn't this a horrible security hole? Does anyone have any idea how I would fix that?

Of course this is a security hole. Created by YOU - not osCommerce! If you do things as silly as passing out links to your site with hard-coded session ID's - what do you expect??

 

OSC (like many other web applications) generates a unique session ID for each visitor to track them as they move around the site. If you give User B User A's session ID then of course they are going to assume User A's session activity.

 

The link on that website you gave should read like this:

 

http://store.gnpcrescendo.com/product_info...ts_id=420

 

not:

 

http://store.gnpcrescendo.com/product_info...20cecfd7028e2f9

Posted

Yeah thanks for the lecture, but the person posted their own link - and what's to stop them doing that? Not created by me at all.

 

Anybody have any suggestions as to how to fix the actual problem?

Posted

Apologies - thought it was *you* that posted that link ;-)

 

To fix the problem - go to Admin > Configuration > Sessions > Recreate Session and set this to True.

 

If set to True the session id will be recreated when the customer tries to checkout or login to their account. This helps prevent two customers from accidently logging into each others account due to hard coded session id's in the store.

Posted
Apologies - thought it was *you* that posted that link ;-)

 

To fix the problem - go to Admin > Configuration > Sessions > Recreate Session and set this to True.

 

If set to True the session id will be recreated when the customer tries to checkout or login to their account. This helps prevent two customers from accidently logging into each others account due to hard coded session id's in the store.

 

Thank you! Site issues like this stress me out, sorry for being snippy.

Archived

This topic is now archived and is closed to further replies.

×
×
  • Create New...