Jump to content
  • Checkout
  • Login
  • Get in touch


The e-commerce.

error or breech


Recommended Posts

A customer from a billing address in Arizona bought product for a friend to be shipped to Minnesota and processed it through another customers name/Account in Toronto, ON.


The person who made the purchase does not have the ID or passwaord of the other person and this has happened to various other customers on the site.


I don't see anything in the error logs. I need to fix this asap but I don't know what I'm looking for. How can I tell what the problem is?

Link to comment
Share on other sites

This is simple to identify, but blue murder to cure.


Your site has been indexed by search engines which were allowed to create session ids. This means that the links in those search engines contain those session ids, and people who click on them arrive at your website with the same session id. If one person is already logged in and the new visitor arrives with the same session id then there is crossover between their accounts, their carts etc.


Whenever a new website goes online the first thing a site owner should do under Configuration --> Sesions in osC Admin is set "Prevent spider sessions" to true. In the includes/spiders.txt file there is a list of search engine spiders and if "Prevent spider sessions" is set to true then those spiders are not allowed to create session ids.


Here's another problem - the default osCommerce install has a list of spiders in that file which is years out of date - but there is a contribution at the link below which you need to install:




If your site has SSL then you also need to set "Recreate session id" to true to force updating of session ids when people switch to ssl - this will help with the problem of duplicate session ids but will not cure it.


You then need to access the database via phpMyAdmin and drop all existing sessions in the 'sessions' table. If you don't store sessions in the database but in files inside the 'tmp' folder then you need to delete all those session files.


Advise your customers that if they have saved a Shortcut to your site to delete it and create a new one, and to delete any saved cookies.


You will still have problems for some time - until all search engines update their links with ones which don't contain session ids.


For the future - install a full ssl certificate and then you can turn on "Force Cookie Use" which will prevent all spiders from creating session ids (spiders don't accept cookies).



Link to comment
Share on other sites

I just noticed a problem after I made the changes.


I went in and placed an order to test a payment option. When the order was complete I went back to place another order with a different payment option. I put product to my cart which I can see on the right hand side of my screen, yet when I click "checkout" it says my cart is empty.


Something is VERY wrong. :'(

Link to comment
Share on other sites


This topic is now archived and is closed to further replies.

  • Create New...