dropdeadred, posted February 16, 2007

A friendly user of my website pointed me to this thread about a new item that's available: http://www.moviemusic.com/mb/Forum1/HTML/015471.html

Apparently when following a product link with a hard-coded session ID, the next person through was logged in as the person before. Isn't this a horrible security hole? Does anyone have any idea how I would fix that?
jasonabc, posted February 16, 2007

Quoting dropdeadred: "Apparently when following a product link with a hard-coded session ID, the next person through was logged in as the person before. Isn't this a horrible security hole? Does anyone have any idea how I would fix that?"

Of course this is a security hole. Created by YOU - not osCommerce! If you do things as silly as passing out links to your site with hard-coded session IDs - what do you expect? OSC (like many other web applications) generates a unique session ID for each visitor to track them as they move around the site. If you give User B User A's session ID then of course they are going to assume User A's session activity.

The link on that website you gave should read like this:
http://store.gnpcrescendo.com/product_info...ts_id=420
not:
http://store.gnpcrescendo.com/product_info...20cecfd7028e2f9

Jason
My Contributions: Paypal Payflow PRO | Rollover Category Images | Authorize.net Invoice Number Fix
dropdeadred (author), posted February 16, 2007

Yeah thanks for the lecture, but the person posted their own link - and what's to stop them doing that? Not created by me at all. Anybody have any suggestions as to how to fix the actual problem?
jasonabc, posted February 16, 2007

Apologies - thought it was *you* that posted that link ;-)

To fix the problem - go to Admin > Configuration > Sessions > Recreate Session and set this to True. If set to True the session ID will be recreated when the customer tries to check out or log in to their account. This helps prevent two customers from accidentally logging into each other's accounts due to hard-coded session IDs in the store.

Jason
My Contributions: Paypal Payflow PRO | Rollover Category Images | Authorize.net Invoice Number Fix
dropdeadred (author), posted February 16, 2007

Quoting jasonabc: "Apologies - thought it was *you* that posted that link ;-) To fix the problem - go to Admin > Configuration > Sessions > Recreate Session and set this to True. If set to True the session ID will be recreated when the customer tries to check out or log in to their account. This helps prevent two customers from accidentally logging into each other's accounts due to hard-coded session IDs in the store."

Thank you! Site issues like this stress me out, sorry for being snippy.
Guest, posted February 16, 2007

You can use the session regeneration for exactly this type of problem, so when someone logs in he will get a new session ID. http://www.oscommerce.com/community/contributions,4112
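As an added example (not osCommerce's code and not anything posted in this thread), this is what jasonabc's "Recreate Session" setting and the session-regeneration contribution linked above amount to in plain PHP: refuse session IDs arriving in the URL, and issue a fresh ID at login and logout. It assumes PHP 7.3 or later with native $_SESSION handling; the helper names, the customer-id argument and the stored password hash are assumptions.

```php
<?php
// Added example, not osCommerce code. Assumes PHP >= 7.3 with native sessions.

// 1. Never accept a session ID from the URL. With these settings a shared
//    link that carries a session ID in its query string (the situation in the
//    moviemusic.com post) is ignored: the visitor gets a fresh cookie-based
//    session instead of inheriting the previous visitor's.
ini_set('session.use_only_cookies', '1');
ini_set('session.use_trans_sid', '0');
ini_set('session.use_strict_mode', '1'); // reject IDs this server never issued
session_set_cookie_params([
    'httponly' => true,
    'secure'   => !empty($_SERVER['HTTPS']),
    'samesite' => 'Lax',
]);
session_start();

// 2. On login (osCommerce also does this at checkout), discard the
//    pre-authentication ID. Anyone who followed a shared link only ever held
//    the anonymous ID; the logged-in state lives under an ID never published.
//    $storedHash is assumed to be a password_hash() value for this customer.
function login_customer(int $customerId, string $password, string $storedHash): bool
{
    if (!password_verify($password, $storedHash)) {
        return false;
    }
    // Keep the cart contents, but move them to a brand-new session ID and
    // delete the old session data so the old ID cannot be reused.
    session_regenerate_id(true);
    $_SESSION['customer_id']  = $customerId;
    $_SESSION['logged_in_at'] = time();
    return true;
}

// 3. Regenerate on logout too, so the ID that was authenticated dies with it.
function logout_customer(): void
{
    $_SESSION = [];
    session_regenerate_id(true);
    session_destroy();
}
```

The admin switch in the thread is the store-level equivalent of the session_regenerate_id() calls; the ini settings are the part that stops a pasted session ID from being honoured in the first place.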