Security Flaw? osCommerce (2.2) Retaining PayPal Info


lplplpx3


Example of what I'm experiencing:

 

Step 1: Log in as Customer 1 and complete checkout with PayPal Express (the only method that's available), then log out.

 

Step 2: Log in as Customer 2 and complete checkout, but it does not take me to the PayPal site's login page (it goes straight from Payment Information to Order Confirmation, instead of the PayPal site login page in between) and allows me to complete/confirm the order, BUT it is using Customer 1's PayPal data, so it charges the order to Customer 1's account.

 

If I clear my cache/browser then this is not an issue. How can I ensure this info is not retained and a customer is forced to log into PayPal from the Payment Information page every time? BTW, I get the same behavior in both Firefox and Opera (Mac 10.7.4).

 

Also, I am not sure if this is related to a previous problem I had found but was unable to get a resolution for.

http://www.oscommerce.com/forums/topic/387515-the-my-account-page-keeps-prepopulating/page__fromsearch__1

 

Can anyone duplicate this? Or have an idea for a fix?

 

Thank you.


  • 6 months later...
  • 2 weeks later...

Hi

 

Try using this http://chrispederick.com/work/web-developer/firefox/ to check the cookies.

 

Also look in the payment module file to see if there is code in the function selection() or pre_confirmation() that is looking for a session or a cookie. Somewhere it's finding data that is left over from your earlier visit. If there's a unique PayPal session being created, then it should also be killed at logoff or order process. If you look at the bottom of the checkout_process.php file or the top of logoff.php, you'll see sessions being unregistered. Your PayPal module may have those set up elsewhere in the code, though.
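
The check suggested in the reply above, as an added example that is not part of the original thread and is not osCommerce code: a Python script that lists session keys a payment module registers with tep_session_register() but that logoff.php or checkout_process.php never pass to tep_session_unregister(). The PHP snippets and the example_pp_* key names are constructed for illustration; point the functions at your own files' contents.

```python
import re

# Matches tep_session_register('name') and tep_session_unregister('name') calls.
CALL = re.compile(
    r"\btep_session_(register|unregister)\s*\(\s*['\"]([A-Za-z0-9_]+)['\"]\s*\)")

def session_calls(php_source):
    """Return (registered, unregistered) session key sets found in one PHP source."""
    # Drop /* */ blocks and whole-line // or # comments so disabled calls are ignored.
    code = re.sub(r"/\*.*?\*/|^[ \t]*(?:#|//)[^\n]*", "", php_source,
                  flags=re.S | re.M)
    registered, unregistered = set(), set()
    for kind, name in CALL.findall(code):
        (registered if kind == "register" else unregistered).add(name)
    return registered, unregistered

def leftover_keys(module_src, cleanup_srcs):
    """Per cleanup file, keys the module registers that the file never unregisters."""
    registered, _ = session_calls(module_src)
    report = {}
    for filename, src in cleanup_srcs.items():
        _, unregistered = session_calls(src)
        report[filename] = sorted(registered - unregistered)
    return report

# Constructed sample sources (not osCommerce's real files); key names are made up.
MODULE = """<?php
  function pre_confirmation() {
    if (!tep_session_is_registered('example_pp_token')) tep_session_register('example_pp_token');
    tep_session_register("example_pp_payer");
    // tep_session_register('example_unused');
  }
"""
CLEANUP = {
    "checkout_process.php": "<?php tep_session_unregister('cart'); "
                            "tep_session_unregister('example_pp_token'); "
                            "tep_session_unregister('example_pp_payer');",
    "logoff.php": "<?php\n  tep_session_unregister('customer_id');\n"
                  "  tep_session_unregister('example_pp_token');\n",
}

if __name__ == "__main__":
    for name, keys in leftover_keys(MODULE, CLEANUP).items():
        print(name, "leaves registered:", keys or "nothing")
```

Any key reported for logoff.php survives a logout and is a candidate for the carry-over between customers described in the first post. The script only sees literal key names, so data a module writes to the session by other means needs a manual read of the module.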
