Securty Flaw? osCommerce (2.2) Retaining PayPal Info

[lplplpx3]

Example of what I'm experiencing:

 

Step 1: Log in as Customer1 and complete checkout with PayPal Express (the only method that's available), then Logout.

 

Step 2: Log in as Customer 2 complete checkout but does not take me to the PayPal site's login page (goes straight from Payment Information to Order Confirmation, instead of the PayPal site login page in-between) and allows me to complete/confirm the order BUT is using Customer 1's PayPal data so charges the order to Customer 1's account.

 

If I clear my cache/browser then this is not an issue. How can I ensure this info is not retained and a customer is forced to log into PayPal from the Payment Information page every time. BTW I get the same behavior in both Firefox and Opera (Mac 10.7.4).

 

Also, I am not sure if this is related to a previous problem I had found but was unable to get a resolution for.

http://www.oscommerce.com/forums/topic/387515-the-my-account-page-keeps-prepopulating/page__fromsearch__1

 

Can anyone duplicate this? Or have an idea for a fix.

 

Thank-you.

[67Kombi]

If I clear my cache/browser then this is not an issue.

I think that sums it up.

From my understanding of what you've posted. It sounds like the cache/cookies of your browser, not a Paypal/OsCommerce issue.

[Bob Terveuren]

Hi

 

Try using this http://chrispederick.com/work/web-developer/firefox/ to check the cookies.

 

Also look in the payment module file to see if there is code in the function selection() or pre_confirmation() that is looking for a session or a cookie - somewhere it's finding data that is left over from your earlier visit - if there's a unique PayPal session being created then it should also be killed at logoff or order process - if you look at the bottom of the checkout_process.php file or top of logoff.php you'll see sessions being unregistered - your PayPal module may have those setup elsewhere in the code though.