osCommerce

Security Issue Caused By Session IDs


cou123

I have set up an osCommerce website for a client of mine and we have run into an issue. This has now happened two times on two different forums. So here is what happens.

A customer orders something from our website. They then proceed to go back to the forum and tell people that they got a good deal on this certain product, and they provide a link to it. Well, that link contains their session ID. So what happens is that when someone clicks on the link provided in the forum they are taken to the inside of someone else's account, which includes their contact details and order history.

Obviously this is a security risk, and causes a lot of complaints from potential customers.

Do you have any ideas for fixing this situation? This has now happened two times and the first time we thought it was a fluke, but now this looks like a very serious problem. Is removing session IDs the solution? I have researched this problem and heard something about "Forced Cookie Usage". Is this the solution?

I want it to somehow not let others access session ID information for past customers, as that is a serious issue.

Thank you in advance for your help. The site is running the latest version of osCommerce.

Do you have any ideas for fixing this situation? This has now happened two times and the first time we thought it was a fluke, but now this looks like a very serious problem. Is removing session IDs the solution? I have researched this problem and heard something about "Forced Cookie Usage". Is this the solution?

Yep, that is the fix. You should probably have Force Cookie Use, Prevent Spider Sessions, and Recreate Sessions all set to True.

Community Bootstrap Edition, Edge

Avoid the most asked question. See How to Secure My Site and How do I...?

On a correctly set up site the sid should only appear in the URI on the first page; if it remains, it's likely you have failed to configure your site correctly.

Other threads that could help:

http://www.oscommerce.com/forums/index.php?showtopic=343907

http://www.oscommerce.com/forums/topic/350604-remove-prevent-duplicate-content-with-the-canonical-tag

Sam

Remember, what you think I meant may not be what I thought I meant when I said it.

Contributions:

Auto Backup your Database, Easy way

Multi Images with Fancy Pop-ups, Easy way

Products in columns with multi buy etc etc

Disable any Category or Product, Easy way

Secure & Improve your account pages et al.
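A way to confirm from the web server log whether the problem described in this thread is still happening, and whether the sid really disappears from URLs after Force Cookie Use is enabled. This is an added example, not code from osCommerce or from anyone in the thread; it assumes Apache "combined" log lines, that the store answers on shop.example.com, and that the session parameter is osCsid (osCommerce's default name, but make sure it matches your store).

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit, parse_qs

# osCommerce's default session parameter name is osCsid (assumed here; change it
# if your store uses a different name).
SESSION_PARAM = "osCsid"

# Apache "combined" log: host ident user [time] "request" status bytes "referer" "agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) \S+" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)

# Constructed sample lines (not from the page): two hits arrive from a forum link that
# carries another shopper's session id, one is a same-site click, one has no sid at all.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Oct/2023:13:55:36 +0000] "GET /product_info.php?products_id=42&osCsid=abc123 HTTP/1.1" 200 5120 "https://forum.example.net/deals" "Mozilla/5.0"
198.51.100.7 - - [10/Oct/2023:13:56:01 +0000] "GET /product_info.php?products_id=42&osCsid=abc123 HTTP/1.1" 200 5120 "https://forum.example.net/deals" "Mozilla/5.0"
192.0.2.9 - - [10/Oct/2023:13:57:12 +0000] "GET /shopping_cart.php?osCsid=def456 HTTP/1.1" 200 3100 "https://shop.example.com/index.php" "Mozilla/5.0"
192.0.2.9 - - [10/Oct/2023:13:58:40 +0000] "GET /index.php HTTP/1.1" 200 2000 "-" "Mozilla/5.0"
"""

def find_sid_leaks(log_text, shop_host="shop.example.com", param=SESSION_PARAM):
    """Return ({sid: [(client_ip, referer_host, path), ...]}, same_site_count).
    The dict lists requests whose URL carries a session id AND whose Referer is an
    external site, i.e. a shared link handing the visitor someone else's session.
    Same-site requests with a sid are only counted, so the admin can confirm the sid
    stops appearing in URLs once Force Cookie Use is on."""
    external = defaultdict(list)
    same_site = 0
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines in another format rather than mis-parse them
        parts = urlsplit(m["path"])
        sids = parse_qs(parts.query).get(param)
        if not sids:
            continue  # no session id in the URL: exactly what a fixed site should show
        ref_host = urlsplit(m["referer"]).hostname if m["referer"] != "-" else None
        if ref_host and ref_host != shop_host:
            external[sids[0]].append((m["ip"], ref_host, parts.path))
        else:
            same_site += 1
    return dict(external), same_site

if __name__ == "__main__":
    leaks, same_site = find_sid_leaks(SAMPLE_LOG)
    for sid, hits in leaks.items():
        print(f"session {sid} reached via external links {len(hits)} time(s): {hits}")
    print(f"same-site requests still carrying a sid in the URL: {same_site}")
```

Run it against the real access log after changing the three settings; once sessions are cookie-only, the same-site count should drop to the first page of each visit and the external-link dictionary should stay empty.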
