cou123 Posted January 4, 2010

I have set up an osCommerce website for a client of mine and we have run into an issue. This has now happened two times on two different forums. So here is what happens. A customer orders something from our website. They then proceed to go back to the forum and tell people that they got a good deal on this certain product and they provide a link to it. Well, that link contains their session ID. So what happens is that when someone clicks on the link provided in the forum they are taken to the inside of someone else's account, which includes their contact details and order history. Obviously this is a security risk, and causes a lot of complaints from potential customers.

Do you have any ideas for fixing this situation? This has now happened two times and the first time we thought it was a fluke, but now this looks like a very serious problem. Is removing session IDs the solution? I have researched this problem and read something about "Forced Cookie Usage". Is this the solution? I want it to somehow not let others access session ID information for past customers, as that is a serious issue. Thank you in advance for your help. The site is running the latest version of osCommerce.
♥mdtaylorlrim Posted January 4, 2010

> Do you have any ideas for fixing this situation? This has now happened two times and the first time we thought it was a fluke, but now this looks like a very serious problem. Is removing session IDs the solution? I have researched this problem and read something about "Forced Cookie Usage". Is this the solution?

Yep, that is the fix. You should probably have Force Cookie Use, Prevent Spider Sessions, and Recreate Sessions all set to True.

Community Bootstrap Edition, Edge
Avoid the most asked question. See How to Secure My Site and How do I...?
spooks Posted January 4, 2010

On a correctly set up site the sid should only appear with the URI on the first page; if it remains, it's likely you have failed to configure your site correctly.

Other threads that could help:
http://www.oscommerce.com/forums/index.php?showtopic=343907
http://www.oscommerce.com/forums/topic/350604-remove-prevent-duplicate-content-with-the-canonical-tag

Sam
Remember, What you think I ment may not be what I thought I ment when I said it.
Contributions: Auto Backup your Database, Easy way; Multi Images with Fancy Pop-ups, Easy way; Products in columns with multi buy etc etc; Disable any Category or Product, Easy way; Secure & Improve your account pages et al.
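The two replies above describe the symptom to check for (the session ID riding along in links) and the expected behaviour after the fix (the sid may appear in the URI on the first page for a cookie-less visitor, but must be gone from every link on later pages once the cookie has been set). The following is an added example written for this thread, not code from osCommerce or from any of the posters. It audits a rendered page for links and form targets that still carry the session parameter, compares a first-page and a later-page fetch the way spooks describes, and strips the parameter from a URL so a customer can share it safely. It assumes the session parameter is named osCsid (osCommerce's default session name; change SESSION_PARAM if the shop uses another) and runs on constructed sample HTML so it works offline.

```python
"""Audit a shop page for session IDs leaking into links.

Added example for this forum thread, not osCommerce code. Assumptions:
the session parameter is named osCsid (osCommerce's default), and the
HTML below is constructed to mimic what a misconfigured shop renders.
"""
from html.parser import HTMLParser
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

SESSION_PARAM = "osCsid"  # assumption: osCommerce's default session name


class _LinkCollector(HTMLParser):
    """Collects every href and form action on a page."""

    def __init__(self):
        super().__init__()
        self.links = []

    def handle_starttag(self, tag, attrs):
        if tag in ("a", "form"):
            for name, value in attrs:
                if name in ("href", "action") and value:
                    self.links.append(value)


def links_with_session_id(html, param=SESSION_PARAM):
    """Return the link/form targets on the page that carry the session id."""
    collector = _LinkCollector()
    collector.feed(html)
    leaking = []
    for url in collector.links:
        query = parse_qsl(urlsplit(url).query, keep_blank_values=True)
        if any(key == param for key, _ in query):
            leaking.append(url)
    return leaking


def session_id_persists(first_page_html, later_page_html, param=SESSION_PARAM):
    """True if the sid is still in links on a page fetched after the first.

    A correctly configured shop (Force Cookie Use on) may append the sid
    on the very first response; once the cookie exists, later pages must
    render clean links. A True result means the configuration is wrong.
    """
    return bool(links_with_session_id(later_page_html, param))


def strip_session_id(url, param=SESSION_PARAM):
    """Remove the session parameter so the link is safe to post on a forum."""
    parts = urlsplit(url)
    query = [(k, v) for k, v in parse_qsl(parts.query, keep_blank_values=True)
             if k != param]
    return urlunsplit(parts._replace(query=urlencode(query)))


# Constructed samples (not captured from a real shop).
FIRST_PAGE = """
<a href="/product_info.php?products_id=42&osCsid=9c3e0a1b2d4f">Widget</a>
<a href="/shopping_cart.php?osCsid=9c3e0a1b2d4f">Cart</a>
"""
BROKEN_LATER_PAGE = """
<a href="/product_info.php?products_id=42&osCsid=9c3e0a1b2d4f">Widget</a>
<a href="/shopping_cart.php">Cart</a>
<form action="/account.php?osCsid=9c3e0a1b2d4f" method="post"></form>
"""
FIXED_LATER_PAGE = """
<a href="/product_info.php?products_id=42">Widget</a>
<a href="/shopping_cart.php">Cart</a>
<form action="/account.php" method="post"></form>
"""

if __name__ == "__main__":
    for url in links_with_session_id(BROKEN_LATER_PAGE):
        print("leaks sid:", url, "->", strip_session_id(url))
    print("broken shop still leaks:", session_id_persists(FIRST_PAGE, BROKEN_LATER_PAGE))
    print("fixed shop still leaks:", session_id_persists(FIRST_PAGE, FIXED_LATER_PAGE))
```

To use it against a live shop, fetch a page twice with a client that keeps cookies (the second request carries the cookie set by the first) and feed the two bodies to session_id_persists; with Force Cookie Use, Prevent Spider Sessions and Recreate Sessions all on, the second page should come back clean.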