osCommerce

The e-commerce.

check ip address (Configuration option)


compuskill

Posted

Hi there,

I have a configuration problem: Some customers complain about being unable to open a customer account as they always return to the login.php no matter what they do, and the shopping cart is empty then. Meanwhile, I have found out that that is due to this option I have activated in the configuration section:

Check IP Address = true

Maybe there are some service providers that do not allow checking the IP or it changes or the traffic is rerouted to proxy servers with different IP addresses or whatever.

Anyway, if I deactivate it, people who get to know another customer's session (which normally doesn't happen, but you never know) can simply override the login procedure (password etc.) and mess around in the other customer's account, place orders in their name etc. Is there a way to both have a functional shop and meet security requirements?

Thanks for helping! :blink:

  • 4 weeks later...
Posted

Hi,

This sounds much like the problem I'm having (amongst other people):

http://www.oscommerce.com/forums/index.php?showtopic=332249

It was a little while ago I was trying to fix it and I thought I'd tried disabling checking IP addresses, but if you reckon it works I might try it again. You could turn on Check User Agent but there's still a chance two users could have the same browser.

I really don't know what the answer is though. I'm only getting this problem on one store (running on a Windows server); all my others (Linux) work fine. The other difference with this server is that it's using shared SSL, though it all seems to work fine for most users.

Posted

Hi again,

After a bit of further testing, turning Check IP Address off appears to have solved the problem for me, but as you say, it creates the possibility of someone (maliciously or otherwise) viewing another person's account. I've turned on Check User Agent as a bit of extra security but that's really not enough. Anyone have any ideas? I can't believe more people haven't had this problem...

Martin.

Click here

Same solution >>here

Posted

Hi,

Thanks for your reply, but I have those settings set as suggested and am still able to copy the URL (with SID) from one browser to another with the result that both browsers are logged in to the same account. Unfortunately the client is using shared SSL so forcing cookies isn't an option. It also seems that turning 'Check User Agent' on has no effect.

Are there any other ways to prevent sessions being shared or do we need to go for dedicated SSL and hope that solves the problem?

Posted
It also seems that turning 'Check User Agent' on has no effect.

OK, I've got to the bottom of this particular issue: It's a Windows server which doesn't support getenv so I've had to change the code to $_SERVER["HTTP_USER_AGENT"] instead. That at least now validates the browser which is a start, but it's not perfect.
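A defensive sketch of the session-binding checks discussed in this thread (Check IP Address, Check User Agent, and a copied SID staying valid across browsers), added here as an example and not taken from osCommerce's own source. It assumes a plain PHP session already started with session_start(), reads the User-Agent from $_SERVER rather than getenv() as the last post describes, and the helper names are hypothetical:

```php
<?php
// Added example (not osCommerce code): bind a PHP session to the client on
// first use and re-check the binding on every request.
// Assumptions: session_start() has already run; $_SESSION is the store;
// function names below are hypothetical.

function client_user_agent(): string {
    // Prefer $_SERVER; getenv() returned nothing on the Windows server in the thread.
    $ua = $_SERVER['HTTP_USER_AGENT'] ?? getenv('HTTP_USER_AGENT');
    return is_string($ua) ? $ua : '';
}

function client_ip(): string {
    return $_SERVER['REMOTE_ADDR'] ?? '';
}

// Returns true when the request may continue with this session,
// false when the session must be discarded.
function validate_session_binding(bool $checkIp, bool $checkUserAgent): bool {
    if (!isset($_SESSION['binding'])) {
        $_SESSION['binding'] = ['ip' => client_ip(), 'ua' => client_user_agent()];
        return true;
    }
    $b = $_SESSION['binding'];
    // The User-Agent check stops a SID copied into a different browser from
    // being accepted; it is weak on its own because many clients share a UA.
    if ($checkUserAgent && !hash_equals($b['ua'], client_user_agent())) {
        return false;
    }
    // The IP check is the one that bounces legitimate users behind rotating
    // proxies back to login.php with an empty cart, as reported above.
    if ($checkIp && $b['ip'] !== client_ip()) {
        return false;
    }
    return true;
}

// On a failed check, drop the session rather than keep serving it.
function discard_session(): void {
    $_SESSION = [];
    session_destroy();
}

// After a successful login, issue a fresh session id so an id seen or fixed
// before authentication is no longer valid, then re-bind the new session.
function on_successful_login(): void {
    session_regenerate_id(true);
    $_SESSION['binding'] = ['ip' => client_ip(), 'ua' => client_user_agent()];
}
```

Call validate_session_binding() early in each request and discard_session() when it returns false; on_successful_login() belongs in the login handler right after the password check passes.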
