
URGENT! Cookies/sessions getting crossed up on checkout!


Assailantnyc


Posted

I have a serious problem with my osCommerce site. The checkout was slightly modified, but what's happening is people are complaining that when they check out, the fields are already filled in with other people's information!

How can this be happening? I try to recreate the problem but it doesn't happen for me. Where should I start looking/checking? Any help would be great!

Posted

Thanks jason! I really hope that works... Recreate session was already set to true, I set prevent spider sessions to true, and all the other options were already set to false... Is this the correct configuration? Thanks for the response!

Posted

Thanks so much, do you really think that setting is what has been causing this problem to happen frequently?

It's a real nightmare when a customer calls and says the billing info fields have already been filled in with someone else's information! I sure wouldn't purchase from a site like that.

Posted
Thanks so much, do you really think that setting is what has been causing this problem to happen frequently?

Yes. If a spider comes in and registers a link and includes its session ID then anyone clicking that link will assume all the activity associated with that session.

Posted

I just tried 5 different times, 3 in IE and 2 times in FF, clearing my cache/cookies beforehand... The shipping address keeps getting filled with the same name, and the billing is being populated with someone else's name on all 5 attempts.

Posted

UPDATE: Found the problem, the homepage main image was linkable, and the site owner pasted the link with HER session ID attached, so whoever clicked that image assumed that same session. I think that was the problem... hopefully I'm right, good to know about the spider session though. Thanks a bunch jason for your help, couldn't have done it without you!

Posted

I'm having the exact same problem. When I originally created links to the shopping site, I copied the whole URL, session ID and all (I'm assuming sid=xxx at the end is the session ID). So those are old session IDs from when I was in the shopping site months ago. Can that still be affecting people using those links now? The session IDs would be different for someone logging in today, right?

I'm having the problem where any time someone is logged in, and someone else logs in, they see the 1st person's information. I set my sessions as you indicated earlier, spider set to true and recreate set to true. I'm still having the problem.

  • 2 months later...
Posted
I'm having the problem where any time someone is logged in, and someone else logs in, they see the 1st person's information. I set my sessions as you indicated earlier, spider set to true and recreate set to true. I'm still having the problem.

We are having a very similar problem as well.

Google has indexed our site with session IDs embedded in the URL, and if someone clicks on one of these links and logs in / creates an account, then while they are logged in, anybody else who clicks on that Google link will see the other person's details!!!

I changed the spider and recreate settings as above. I can appreciate the spider settings could take weeks to have an effect but surely the recreate set to true should work straight away, when a user logs in? I have gone to the site through the Google link, noting the session ID in the URL, logged in and the session in the URL is the same. Surely with Recreate set to true, this should have changed?

Posted

Managed to sort it out eventually, with a mix of different approaches.

In order that I might save others time:

It seems "force cookie sessions" or "recreate session" settings would fix the problem but I can't do that because the main site and SSL / secure part of it are on different servers.

So my solution was:

1. Set "Prevent Spider sessions" to true, which should solve things in the future BUT not the present.

2. Downloaded a spiders.txt file from the contributions section of this site (to ensure it knows about lots of spiders).

3. Added the following to the .htaccess file in the main folder of the store:

 

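# mod_rewrite must be enabled for the rules below to run
RewriteEngine On

# Skip the two session-stripping rules unless the visitor arrived from a search engine
RewriteCond %{HTTP_REFERER} !(google|msn|yahoo) [NC]
RewriteRule .* - [S=2]

# case: leading and trailing parameters
RewriteCond %{QUERY_STRING} ^(.+)&osCsid=[0-9a-z]+&(.+)$ [NC]
RewriteRule (.*) catalog/$1?%1&%2 [R=301,L]
#
# case: leading-only, trailing-only or no additional parameters
# (%1 is set by the first alternative, %2 by the second, so both are emitted)
RewriteCond %{QUERY_STRING} ^(.+)&osCsid=[0-9a-z]+$|^osCsid=[0-9a-z]+&?(.*)$ [NC]
RewriteRule (.*) catalog/$1?%1%2 [R=301,L]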

 

This basically says, if the person is coming from a link from Google, MSN or Yahoo, strip out the session ID from the URL. (Note: not 100% guaranteed, since the user might be coming through a proxy, which would strip the referrer information.)

All of it together seems to be working for me at last! :)
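
A defender-side check for the symptom described in this thread, as an added example that is not part of the original posts: it scans web-server access-log lines for one osCsid value requested by more than one client. The log lines are constructed, and the Apache combined log format and the function name shared_session_ids are assumptions.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit, parse_qs

# Constructed sample lines in Apache "combined" format (not real traffic).
SAMPLE_LOG = """\
203.0.113.10 - - [01/Mar/2010:10:00:01 +0000] "GET /catalog/index.php?osCsid=aaa111 HTTP/1.1" 200 512 "http://www.google.com/search?q=shop" "Mozilla/5.0 (Windows)"
198.51.100.7 - - [01/Mar/2010:10:02:09 +0000] "GET /catalog/checkout_payment.php?osCsid=aaa111 HTTP/1.1" 200 900 "http://www.google.com/search?q=shop" "Mozilla/4.0 (MSIE 7.0)"
198.51.100.7 - - [01/Mar/2010:10:03:00 +0000] "GET /catalog/index.php?cPath=3&osCsid=bbb222 HTTP/1.1" 200 700 "-" "Mozilla/4.0 (MSIE 7.0)"
192.0.2.44 - - [01/Mar/2010:10:05:30 +0000] "GET /catalog/index.php?cPath=3 HTTP/1.1" 200 700 "-" "Mozilla/5.0 (X11)"
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?:\S+) (?P<url>\S+)[^"]*" '
    r'\d{3} \S+ "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)
# Same search-engine names as the rewrite rule, matched against the referer host.
SEARCH_REFERER = re.compile(r"(google|msn|yahoo)", re.I)


def shared_session_ids(log_text, param="osCsid"):
    """Return {sid: report} for session IDs requested by more than one client."""
    clients = defaultdict(set)       # sid -> {(ip, user agent)}
    from_search = defaultdict(bool)  # sid -> seen with a search-engine referer
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # ignore lines that are not in combined format
        for sid in parse_qs(urlsplit(m["url"]).query).get(param, []):
            clients[sid].add((m["ip"], m["agent"]))
            if SEARCH_REFERER.search(urlsplit(m["referer"]).netloc):
                from_search[sid] = True
    return {
        sid: {"clients": sorted(seen), "search_referer": from_search[sid]}
        for sid, seen in clients.items()
        if len(seen) > 1  # one ID, several distinct clients: a shared session
    }


if __name__ == "__main__":
    for sid, report in shared_session_ids(SAMPLE_LOG).items():
        print(sid, report)
```

An ID that shows up here with a search-engine referer points at an indexed link, while one with no referer pattern points at a pasted link such as the homepage image described earlier in the thread.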

Archived

This topic is now archived and is closed to further replies.
