kevin.i Posted February 21, 2007

Is there a security hole in the code to prevent unauthorized people from viewing pages reserved for registered users?

Monitoring Who's Online in the Admin area, I've noticed a few instances of Guests who seem to be accessing pages that should be restricted to people who have registered accounts, for example: account.php

account.php contains this code:

    if (!tep_session_is_registered('customer_id')) {
      $navigation->set_snapshot();
      tep_redirect(tep_href_link(FILENAME_LOGIN . '', '', 'SSL'));
    }

... and I have the REGISTER GLOBALS contribution installed, so the tep_session_is_registered function in includes/functions/session.php is:

    function tep_session_is_registered($variable) {
    // >>> BEGIN REGISTER_GLOBALS
    //  return session_is_registered($variable);
      return isset($_SESSION[$variable]);
    // <<< END REGISTER_GLOBALS
    }

If 'customer_id' is not defined in their session for my site (I have the sessions stored in MySQL) it -should- redirect them to login.php, right? Or is there some way a visitor can bypass this security check?
Guest Posted February 21, 2007

The tep_update_whos_online() call, which updates the table you view in your osc admin, comes before the script checks for the customer_id session. So that's why this is happening, and no, they do not see the account's private info.
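To make the ordering concrete, here is an added stand-alone simulation (not osCommerce code, and not posted by either participant) of the request flow the reply describes: the Who's Online record is written first, then the account.php guard runs. The table array, the session arrays and the function names record_whos_online(), serve_account_page() and handle_request() are all constructed for this example; only tep_update_whos_online(), tep_session_is_registered() and tep_redirect() are the real osCommerce names referred to in the thread.

```php
<?php
// Added example: simulates why a guest shows up in Who's Online for
// account.php even though the page contents are never sent to them.

// Constructed stand-in for the whos_online table.
$whos_online = [];

// Stand-in for tep_update_whos_online(): records the requested page for every
// visitor, registered or not. In osCommerce this runs from application_top.php,
// i.e. before any page-level access check has executed.
function record_whos_online(array &$table, string $session_id, string $page, ?int $customer_id): void {
    $table[] = [
        'session_id'  => $session_id,
        'customer_id' => $customer_id ?? 0,   // 0 is what the admin screen lists as "Guest"
        'last_page'   => $page,
        'time'        => time(),
    ];
}

// Page-level guard from account.php, modelled on the REGISTER_GLOBALS variant
// of tep_session_is_registered(): the customer_id key must exist in the session.
function serve_account_page(array $session): string {
    if (!isset($session['customer_id'])) {
        // tep_redirect() sends a Location header and exits, so nothing
        // after this point is ever emitted to the browser.
        return 'REDIRECT login.php';
    }
    return 'ACCOUNT PAGE for customer ' . $session['customer_id'];
}

// Handles one request in the same order osCommerce does: log first, guard second.
function handle_request(array &$table, string $session_id, array $session, string $page): string {
    record_whos_online($table, $session_id, $page, $session['customer_id'] ?? null);
    return serve_account_page($session);
}

// Constructed sample requests: one guest with an empty session, one logged-in customer.
$guest_result    = handle_request($whos_online, 'sess_guest_01', [], 'account.php');
$customer_result = handle_request($whos_online, 'sess_cust_42', ['customer_id' => 42], 'account.php');

echo "guest:    ", $guest_result, "\n";
echo "customer: ", $customer_result, "\n";

// Both visitors appear in the table with last_page = account.php, because the
// row was written before the guard ran. The guard still fired for the guest,
// who received only the redirect.
foreach ($whos_online as $row) {
    printf("%-14s customer=%d last_page=%s\n", $row['session_id'], $row['customer_id'], $row['last_page']);
}
```

The takeaway for reading the admin screen: a Who's Online row proves only that a request for that URL arrived and was logged, not that the protected content was served. The authoritative check is the isset($_SESSION['customer_id']) guard, which in this flow runs after logging and before any account data is output.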
kevin.i (Author) Posted February 22, 2007

Thanks! I see how it works now. What a relief.