clickstream Posted January 7, 2008 Share Posted January 7, 2008 Hi, I've looked around the forum and can't see anything similar anywhere else so this problem might have something to do with a bad install or something - but if anyone has any thoughts, please let me know ? People who log on to our site are getting into other peoples accounts. It is a very serious problem as credit card details are being exposed. It doesn't seem to be a case of people hacking into accounts. It seems that genuine registered members are making purchases but just the wrong details are being pulled in and are being used. So we have people receiving notification of orders that they have not placed and there seems to be a mix of details of two different registered members. We got PAIR ( the hosting company ) to do a database repair ( clutching at straws a little ) and it did seem to solve the problem ( at least the reports of the problem stopped ) but we're getting the same problem again now. We've tried replicating the problem using test accounts but can't do so. And so because it's quite random, it's really tough to know where to start investigating - so if anyone has any thoughts on this, please let me know ? My own thoughts are to try and reinstall of OSCommerce from scratch ? Any advice greatly appreciated !!!! regards, Mark Link to comment Share on other sites More sharing options...
edschaum Posted January 7, 2008 Share Posted January 7, 2008 Hi, I've looked around the forum and can't see anything similar anywhere else so this problem might have something to do with a bad install or something - but if anyone has any thoughts, please let me know ? People who log on to our site are getting into other peoples accounts. It is a very serious problem as credit card details are being exposed. It doesn't seem to be a case of people hacking into accounts. It seems that genuine registered members are making purchases but just the wrong details are being pulled in and are being used. So we have people receiving notification of orders that they have not placed and there seems to be a mix of details of two different registered members. We got PAIR ( the hosting company ) to do a database repair ( clutching at straws a little ) and it did seem to solve the problem ( at least the reports of the problem stopped ) but we're getting the same problem again now. We've tried replicating the problem using test accounts but can't do so. And so because it's quite random, it's really tough to know where to start investigating - so if anyone has any thoughts on this, please let me know ? My own thoughts are to try and reinstall of OSCommerce from scratch ? Any advice greatly appreciated !!!! regards, Mark Two things come to mind - Are you on a shared hosting server? If more than 1 osc installation is running on the same shared server, there have been cases of the tmp files getting mixed up between the accounts. Another possibility is that there are links out there with session id's attached to them, which could conceivably cause strange behavior. Ed Link to comment Share on other sites More sharing options...
gayla Posted January 7, 2008 Share Posted January 7, 2008 Two things come to mind - Are you on a shared hosting server? If more than 1 osc installation is running on the same shared server, there have been cases of the tmp files getting mixed up between the accounts. Another possibility is that there are links out there with session id's attached to them, which could conceivably cause strange behavior. Ed Nevermind..nothing to see here..apparently I'm not multi-tasking well this morning! Link to comment Share on other sites More sharing options...
Guest Posted January 8, 2008 Share Posted January 8, 2008 Make sure that in admin you have in mystore Use Search-Engine Safe URLs (still in development) set to false Link to comment Share on other sites More sharing options...
clickstream Posted January 8, 2008 Author Share Posted January 8, 2008 Two things come to mind - Are you on a shared hosting server? If more than 1 osc installation is running on the same shared server, there have been cases of the tmp files getting mixed up between the accounts. Another possibility is that there are links out there with session id's attached to them, which could conceivably cause strange behavior. Ed Hi Ed, Thanks for your response - Google links with session ids seems to be definitely the cause of the problem - we've recreated the problem whereby two people here in the office have clicked on the same Google link ( containing a session id ) and the second person is being brought into the first person's account. To try and stop this problem, we've set to 'TRUE' the 'Recreate Session' option in the Configuration>Sessions panel. But this doesn't actually seem to work, a new session id doesn't seem to be generated when we click on a Google link ( containing a session id ) and then login, the same session id remains the same. So the problem still remains :-( Any thoughts on how to deal with this session id issue ?! Are any of the other session variables worth trying ? To try and prevent Google caching more links containing sessions ids, we've set the 'Prevent Spider Sessions' to TRUE as this had been set to FALSE. So any advice on how we can flush all the links in Google's cache that contain sessions ids would be appreciated as well. But first and foremost, anyone any ideas on how to deal with the fact that there are links out there with sessions ids in them ? Again, any help much appreciated as this is a huge concern for the site owners !! thanks, Mark Link to comment Share on other sites More sharing options...
edschaum Posted January 8, 2008 Share Posted January 8, 2008 Hi Ed, Thanks for your response - Google links with session ids seems to be definitely the cause of the problem - we've recreated the problem whereby two people here in the office have clicked on the same Google link ( containing a session id ) and the second person is being brought into the first person's account. To try and stop this problem, we've set to 'TRUE' the 'Recreate Session' option in the Configuration>Sessions panel. But this doesn't actually seem to work, a new session id doesn't seem to be generated when we click on a Google link ( containing a session id ) and then login, the same session id remains the same. So the problem still remains :-( Any thoughts on how to deal with this session id issue ?! Are any of the other session variables worth trying ? To try and prevent Google caching more links containing sessions ids, we've set the 'Prevent Spider Sessions' to TRUE as this had been set to FALSE. So any advice on how we can flush all the links in Google's cache that contain sessions ids would be appreciated as well. But first and foremost, anyone any ideas on how to deal with the fact that there are links out there with sessions ids in them ? Again, any help much appreciated as this is a huge concern for the site owners !! thanks, Mark There might be a solution right here somewhere, but I also found a possible solution on Chemo's blog. Google "bobby chemo oscommerce blog" to find his site, then scroll down to the section titled "How to remove session ID appended URLs from the search engine index" I don't really know if this works or if there's a better solution already here on this site, but it might be a good place to start. Ed Link to comment Share on other sites More sharing options...
edschaum Posted January 8, 2008 Share Posted January 8, 2008 Another thought - The above solution will probably cause the session id's to eventually disappear from search engine results, but you may also have to prevent it from happening again. I think there are various session id killer contribs here that might help, but there might also be settings that you can change in admin that will help. I can't give you specific advice on what to change in the admin section, my version is very old and doesn't have all of those session options. Maybe someone else can tell you what settings to enable in admin to prevent this from happening again. Ed Link to comment Share on other sites More sharing options...
Recommended Posts
Archived
This topic is now archived and is closed to further replies.