Guest, posted July 26, 2003:
There seems to be a bug in osCommerce that lets customers use other customers' names and go buy their stuff. We've encountered a number of cases now where people shop in other customers' names. Is it possible that different sessions get mixed?

Guest, posted July 26, 2003:
How are you sure this has happened? What is the version you are using (the date, if it's a snapshot)? First time I have ever seen this mentioned.

Guest, posted July 26, 2003:
Here's an example: A customer named "John Doe" registered a while back and bought a few games. He's now back at our site just looking around for a new game. Then this other guy enters our site, but to his surprise he gets a welcome message saying "Hello John Doe, welcome back!". He can now go into the account and watch all his criteria and go shop crazy. This has actually happened 3 times to us since we started early March 2003. We've called our customer asking him if he knew the other guy, but he doesn't (of course). Then we called up the other guy who actually made the order, and he could tell us that someone else's name popped up and he just went shopping. We're using "Preview Release 2.2-CVS". I can't remember exactly which date of snapshot, sorry.

peloke, posted July 26, 2003:
Not sure if this would make a difference, but are you storing sessions in the DB or on the server?
Eddie

Guest, posted July 26, 2003:
We store sessions in the DB:
    define('STORE_SESSIONS', 'mysql'); // leave empty '' for default handler or set to 'mysql'

peloke, posted July 26, 2003:
Just curious: does your whos_online table contain users who aren't actually 'online'?

Guest, posted July 26, 2003:
> Here's an example: A customer named "John Doe" registered a while back and bought a few games. He's now back at our site just looking around for a new game. Then this other guy enters our site, but to his surprise he gets a welcome message saying "Hello John Doe, welcome back!". He can now go into the account and watch all his criteria and go shop crazy.
Just how does he go "shop crazy"? What payment method is he using to make the purchase?

Guest, posted July 26, 2003:
I didn't say he went shop crazy, I just said he could have. They usually shop like our regular customers :) We're using the "Cash on delivery" module.

Guest, posted July 26, 2003:
> Just curious: does your whos_online table contain users who aren't actually 'online'?
I'm not sure what this would look like in the whos_online table while this problem occurs... maybe it'd give me some answers?
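A worked check for peloke's question about stale whos_online rows and for what a mixed session would look like in that table, written as an added example for this thread (it is not osCommerce code and not from any poster). It takes whos_online rows captured at several moments (constructed sample data; the column layout customer_id, full_name, session_id, ip_address, time_last_click is assumed from the 2.2 schema) and flags a session id that carries two different logged-in customers or is used from more than one address, and lists sessions whose last click is older than an idle limit. A guest (customer_id 0) row followed by a logged-in row for the same session is a normal login and is not flagged.

```python
"""Spot-check whos_online rows for shared and stale sessions.

Added example, not osCommerce code. Column order is assumed from the
osCommerce 2.2 whos_online table:
  (customer_id, full_name, session_id, ip_address, time_last_click)
"""
from collections import defaultdict

GUEST_ID = "0"  # osCommerce uses customer_id 0 for visitors who are not logged in

# Constructed sample: rows captured at several moments (documentation IP ranges).
SAMPLE_ROWS = [
    ("12", "John Doe", "a1b2c3d4e5f6", "192.0.2.10",   1059210000),
    ("5",  "Sam Poe",  "a1b2c3d4e5f6", "198.51.100.7", 1059210120),  # same session, other customer and IP
    ("0",  "Guest",    "ffee00112233", "203.0.113.5",  1059210050),
    ("7",  "Jane Roe", "ffee00112233", "203.0.113.5",  1059210090),  # guest who then logged in: normal
    ("3",  "Ann Lee",  "0011aabbccdd", "203.0.113.9",  1059200000),  # no click for a long time
]


def session_conflicts(rows):
    """Return {session_id: [reasons]} for session ids that look shared.

    "multiple_customers": two different non-guest customer ids under one session id.
    "multiple_ips":       one session id used from more than one client address.
    """
    seen = defaultdict(lambda: {"customers": set(), "ips": set()})
    for customer_id, _name, session_id, ip, _last_click in rows:
        if customer_id != GUEST_ID:
            seen[session_id]["customers"].add(customer_id)
        seen[session_id]["ips"].add(ip)

    conflicts = {}
    for session_id, info in seen.items():
        reasons = []
        if len(info["customers"]) > 1:
            reasons.append("multiple_customers")
        if len(info["ips"]) > 1:
            reasons.append("multiple_ips")
        if reasons:
            conflicts[session_id] = reasons
    return conflicts


def stale_sessions(rows, now, max_idle=900):
    """Return session ids whose most recent click is older than max_idle seconds.

    These are the rows a whos_online table keeps for people who are no longer
    really on the site.
    """
    latest = {}
    for _customer_id, _name, session_id, _ip, last_click in rows:
        latest[session_id] = max(latest.get(session_id, 0), last_click)
    return sorted(sid for sid, t in latest.items() if now - t > max_idle)


if __name__ == "__main__":
    # Constructed "now" a little after the last sample click.
    print("conflicts:", session_conflicts(SAMPLE_ROWS))
    print("stale:", stale_sessions(SAMPLE_ROWS, now=1059210200))
```

An address change alone can be innocent (a dial-up reconnect, a proxy farm), so treat "multiple_ips" as a lead to look into rather than proof; a session id that switches between two logged-in customers is the symptom this thread describes and is the one worth chasing.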
Guest, posted July 26, 2003:
What security measure do you have in place for your admin?

Guest, posted July 26, 2003:
Regular htaccess/htpasswd. Why? Do you think I've been hacked?

judgej, posted July 26, 2003:
> ...first time I have ever seen this mentioned.
I'm sure I've seen this mentioned a few times before. I've never seen a solution or reason described though.
-- JJ

Guest, posted July 27, 2003:
> I'm sure I've seen this mentioned a few times before. I've never seen a solution or reason described though. -- JJ
I have seen *cache* directories get mixed on shared servers, but not sessions, and the chances of identical session_ids are as good as nil... Besides, Frode says that the sessions are stored in the DB... how secure is that? As secure as your DB and configuration files are! If your configuration file is not secure, or at some point has not been, then with only the db_name, user_name, and password it is generally possible to access the DB with a script running anywhere on the same shared server, sometimes from outside. I have different accounts accessing the same database in some of my installations. I believe this is your OWN security issue, and NOT a bug in osCommerce. What did the POLICE say?

Guest, posted August 6, 2003:
Well, there seem to be more people complaining about this problem on this forum. Sessions get mixed.

judgej, posted August 6, 2003:
> Well, there seem to be more people complaining about this problem on this forum. Sessions get mixed.
Exactly. There is no point living in denial. If one customer can see details of another customer, then there is a problem. Simple as that.

wizardsandwars, posted August 6, 2003:
> He can now go into the account and watch all his criteria and go shop crazy.
How can they see account information if they are not logged in? Do you have the 'autho login' contribution installed? I can see how it could be possible for OSC to incorrectly recognize someone by a mixed-up session, but even then, to view account details you have to log in.
--
NOTE: As of Oct 2006, I'm not as active in this forum as I used to be, but I still work with osC quite a bit. If you have a question about any of my posts here, your best bet is to contact me through either Email or PM in my profile, and I'll be happy to help.
This topic is now archived and is closed to further replies.