
oscommerce session problem security issue


sahilsaid


Posted

Hi guys, I need your help.

I have an osCommerce website and every now and then I receive emails from customers saying that when they clicked on the "My account" link on my website to check the status of their order, they were taken to someone else's account without even logging in to their own account.

I really don't know where to start to fix this problem and therefore I came to this forum with lots of hope.

Is this a problem that has something to do with sessions or SSL?

Can someone please guide me in the right direction?

Thanks.

Posted

Can someone please guide me in the right direction?

The right direction is at least not posting support questions in the Tips & Tricks section :angry:

Posted

Hi Sahil,

I've just found exactly the same problem - have you had any luck in sorting it out?

Simon


Posted

I meant to say, on our site it seems to happen if you go to the product_info.php page for the last product that was ordered (by anyone). If you click on the My Account link when you are on that page it takes you through to the account of the person who submitted that last order. Very worrying!


Posted

On other forums I found an answer as follows:

 

This is why you need to invest in a full SSL certificate and can then turn on the "Force Cookie Use" feature in osCommerce. The reason for this is as follows.

1. When a search engine spider comes to your site, osCommerce looks at a file called spiders.txt and if the spider is listed in there it prevents that spider from creating a session id. But if the spider is not listed in that file then it can create a session id.

2. Once it has done that it can add items to a shopping cart, stay on your site for ages and fill up the cart with all your products - removing the chance for anyone else to buy those products (unless you allow people to check out with products which are out of stock).

3. It can then add the session id to a link on its search results page. Customer "A" comes to your site, creates an account and logs in, then customer "B" comes to your site from the same link with the same session id and ends up in the account of customer "A".

4. You can set "Recreate Session" to "true" in osCommerce, which changes the session id of customer "A" when they log in, but this is not foolproof and can create problems on occasion. It also does not resolve the problem of search engine spiders creating session ids.

If you have Full SSL and set Force Cookie Use to true then this stops all search engine spiders from creating session ids. This doesn't prevent them spidering your website, just from creating session ids, adding them to results pages and adding products to the shopping cart.

You can only use Force Cookie Use when you have no SSL or Full SSL. It cannot be used with Shared SSL.

If you do something like sending out a newsletter with a session id then that can create the same problem.

Not the most convincing answer, but I have now turned on cookie usage on my website as I have full SSL, and now let's see if that problem occurs again. I don't know how this problem occurs on my website, so I can't check it myself and will now have to wait for a customer to let me know if the problem occurs. Good to know someone else has the same problem and I am not alone. Someone with help, please post a solution.
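The four points in the quoted answer, replayed as an added example that is not osCommerce code and was not posted in this thread: a toy session store in Python with the three settings the thread names (Force Cookie Use, Recreate Session, Prevent Spider Sessions) as switches, run through the scenario of a session id that gets into a public link. The session ids, the customer names and the link itself are constructed, and the store is a deliberately simplified model assumed for illustration, not osCommerce's real session handling.

```python
"""Added example (not osCommerce code): a toy session store that models the
settings discussed in the thread. Session ids, customer names and the shared
link are all constructed for the demonstration."""
import secrets
from typing import Dict, Optional


class Request:
    """One request as the shop sees it: an optional session id from the URL
    (the osCsid parameter), an optional one from the cookie, and whether the
    client matched the spiders.txt list."""

    def __init__(self, url_sid: Optional[str] = None,
                 cookie_sid: Optional[str] = None, is_spider: bool = False):
        self.url_sid = url_sid
        self.cookie_sid = cookie_sid
        self.is_spider = is_spider


class SessionStore:
    """Simplified session store; the three flags mirror the admin settings
    named in the thread (assumed semantics, not the real implementation)."""

    def __init__(self, force_cookie_use: bool = False,
                 recreate_session: bool = False,
                 prevent_spider_sessions: bool = False):
        self.force_cookie_use = force_cookie_use
        self.recreate_session = recreate_session
        self.prevent_spider_sessions = prevent_spider_sessions
        self.sessions: Dict[str, Dict[str, Optional[str]]] = {}

    def resolve(self, req: Request) -> Optional[str]:
        """Return the session id this request runs under, creating one if
        needed. None means no session was created (what a listed spider
        gets when spider sessions are prevented)."""
        sid = req.cookie_sid
        if sid is None and not self.force_cookie_use:
            # Weak default: a session id carried in the URL is honoured, so
            # anyone who follows a link containing it shares that session.
            sid = req.url_sid
        if sid is not None and sid in self.sessions:
            return sid
        if req.is_spider and self.prevent_spider_sessions:
            return None
        sid = secrets.token_hex(16)
        self.sessions[sid] = {"customer_id": None}
        return sid

    def login(self, sid: str, customer_id: str) -> str:
        """Bind a customer to the session. With Recreate Session on, the
        pre-login id is retired, so a copy of it in a link elsewhere no
        longer points at the logged-in account."""
        if self.recreate_session:
            data = self.sessions.pop(sid)
            sid = secrets.token_hex(16)
            self.sessions[sid] = data
        self.sessions[sid]["customer_id"] = customer_id
        return sid

    def whoami(self, sid: Optional[str]) -> Optional[str]:
        """Which customer the session is currently logged in as, if any."""
        if sid is None:
            return None
        return self.sessions[sid]["customer_id"]


def who_does_b_see(force_cookie_use: bool = False, recreate_session: bool = False,
                   prevent_spider_sessions: bool = False,
                   link_made_by_spider: bool = True) -> Optional[str]:
    """Replay the thread's scenario: a session id ends up in a public link
    (a spider's result page, or the shop's own newsletter when
    link_made_by_spider is False), customer A follows it and logs in, and
    customer B follows the same link later. Returns the account B is shown,
    or None when B gets a session of their own."""
    store = SessionStore(force_cookie_use, recreate_session, prevent_spider_sessions)
    link_sid = store.resolve(Request(is_spider=link_made_by_spider))
    a_sid = store.resolve(Request(url_sid=link_sid))
    store.login(a_sid, "customer_A")
    b_sid = store.resolve(Request(url_sid=link_sid))
    return store.whoami(b_sid)


if __name__ == "__main__":
    print("defaults:", who_does_b_see())
    print("recreate session:", who_does_b_see(recreate_session=True))
    print("force cookie use:", who_does_b_see(force_cookie_use=True))
    print("newsletter link, spiders prevented:",
          who_does_b_see(prevent_spider_sessions=True, link_made_by_spider=False))
```

Run it and the last line shows the point the quoted answer makes about newsletters: blocking spider sessions does nothing when the shop itself put a live session id into a link, whereas ignoring URL session ids (the cookie-only setting) or retiring the id at login closes the hole in both cases.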

Posted

Thanks Sahil - that's really interesting. We'd manually created links to products on the osCommerce site from another site, and included the session info in that link (i.e. the bit that says Csid=dfe03abf6dafc2280b7cd40e51c55484 or whatever). I think it was these links that have caused the problem, although it might be search engine links as well. We don't have ssl unfortunately.

Posted

This is most definitely the problem as I have seen it in action... a very busy site, and watching the who's online you see multiple users logging in and out with the same session id in the row. This issue was caused by posting the osCsid in the URL in a newsletter/google/other static pages....

Recreate session id is good.

Prevent spider sessions set to true is good.

We had issues with IP and user agent set to true...

Hope this helps.

Oh btw, if a user orders with a mixed/shared osCsid you will have to check the order details as it will have postage address and address details mixed up so you might send the order to the wrong address...

Cheers,

Ben
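A way to spot the symptom Ben describes (one osCsid used by several visitors) from a web server access log rather than from the who's online page, as an added example that is not from the thread and not osCommerce code. It parses combined-format log lines, pulls the osCsid query parameter, and reports every session id seen from more than one client IP, plus every osCsid request that arrived via an external referer (a newsletter or a search result page). The log lines and the session ids in them are constructed, and the shop hostname shop.example.com is an assumption.

```python
"""Added example (not osCommerce code, not from the thread): scan an access
log for session ids carried in the URL and flag the ones shared across
clients. The log lines below are constructed; shop.example.com is an
assumed shop hostname."""
import re
from collections import defaultdict
from typing import Dict, List, Optional
from urllib.parse import parse_qs, urlsplit

# Apache/nginx "combined" format: ip ident user [time] "req" status size "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) \S+" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Constructed sample: two different clients arrive through a newsletter link
# that carries the same osCsid; a third client carries its own, unshared one.
SAMPLE_LOG = """\
192.0.2.10 - - [01/Mar/2009:10:00:01 +0000] "GET /product_info.php?products_id=31&osCsid=0123456789abcdef0123456789abcdef HTTP/1.1" 200 5120 "http://mail.example.net/newsletter.html" "Mozilla/5.0"
192.0.2.10 - - [01/Mar/2009:10:00:09 +0000] "GET /login.php HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
198.51.100.7 - - [01/Mar/2009:10:05:30 +0000] "GET /product_info.php?products_id=31&osCsid=0123456789abcdef0123456789abcdef HTTP/1.1" 200 5120 "http://mail.example.net/newsletter.html" "Mozilla/4.0"
203.0.113.4 - - [01/Mar/2009:10:06:00 +0000] "GET /index.php?osCsid=fedcba9876543210fedcba9876543210 HTTP/1.1" 200 4096 "-" "Mozilla/5.0"
203.0.113.4 - - [01/Mar/2009:10:06:05 +0000] "GET /index.php HTTP/1.1" 200 4096 "-" "Mozilla/5.0"
""".splitlines()


def parse_line(line: str) -> Optional[Dict[str, str]]:
    """Split one combined-format line into its fields; None if it does not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def sid_from_path(path: str) -> Optional[str]:
    """Return the osCsid query parameter carried in the request path, if any."""
    values = parse_qs(urlsplit(path).query).get("osCsid")
    return values[0] if values else None


def analyse(lines: List[str], shop_host: str) -> Dict[str, object]:
    """Collect which client IPs used each URL-carried session id and which of
    those requests came from a referer outside the shop's own hostname."""
    ips_by_sid: Dict[str, set] = defaultdict(set)
    external = []
    url_sid_requests = 0
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        sid = sid_from_path(rec["path"])
        if sid is None:
            continue
        url_sid_requests += 1
        ips_by_sid[sid].add(rec["ip"])
        ref_host = urlsplit(rec["referer"]).hostname if rec["referer"] != "-" else None
        if ref_host and ref_host != shop_host:
            external.append((rec["ip"], ref_host, sid))
    shared = {sid: sorted(ips) for sid, ips in ips_by_sid.items() if len(ips) > 1}
    return {
        "url_sid_requests": url_sid_requests,
        "external_referers": external,
        "shared_sids": shared,
    }


if __name__ == "__main__":
    report = analyse(SAMPLE_LOG, "shop.example.com")
    print("requests carrying osCsid in the URL:", report["url_sid_requests"])
    for sid, ips in report["shared_sids"].items():
        print("session id shared by several clients:", sid, ips)
    for ip, host, sid in report["external_referers"]:
        print("osCsid arrived via external referer:", ip, host, sid)
```

One osCsid in a URL on its own is not proof of a problem: on a shop that does not force cookie use, osCommerce puts osCsid into links until the browser has returned the session cookie, so a single client carrying its own id (the third visitor in the sample) is normal. The signals worth acting on are the same id arriving from several client addresses and ids that arrive from a newsletter or search engine referer, which is exactly where the thread says the shared links came from.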

Archived

This topic is now archived and is closed to further replies.
