
osCommerce

Order Exploit?!


johnnymke

Hi

 

One of my stores had a very unusual error. A customer of mine was able to check out with another customer's account without logging in. Luckily, this customer was smart enough to put in her separate address info; however, this disturbs me since it was only caught after she complained about never getting an email. At first I couldn't believe it, however after investigating, it's true: the order is under another customer's account, a customer she has absolutely no relation with!

 

I contacted this customer to see if perhaps she was on a public computer(?). She claims she was using her private laptop at the time of the purchase. I'm running MS2.2.

 

What's going on? Any and all ideas please!!


If your store is on a shared server, change the last line of includes/configure.php to:

  define('STORE_SESSIONS', 'mysql');

 

This can also happen if the first customer emailed or posted a link to your site that contained a SID. Not much you can do about that, unless you are willing to lose customers.

 

Regards

Jim

See my profile for a list of my addons and ways to get support.


Thanks, this is great, yes I'm on a virtual server. I never enabled MySQL because in previous versions of OSC it caused serious lag issues. Maybe this won't be so bad. Is there anything I should enable in admin/config/sessions? I had only the session storage enabled.


Storing sessions in the database should take care of the problem, at least as far as the server mixing up sessions. The only other thing that you could do is force cookie use, but that will prevent customers from shopping if they do not or cannot accept cookies. I don't really recommend that.

 

Regards

Jim

See my profile for a list of my addons and ways to get support.
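The two remedies Jim gives in his replies, moving session storage into MySQL and forcing cookie use, both come down to where the session ID lives and who is allowed to present it. The block below is an added illustration in plain, current PHP; it is not osCommerce code, not from this thread's authors, and not tied to MS2.2. It puts the weak configuration (a SID accepted from the URL, which is how a forwarded link can drop a second shopper into the first shopper's session) beside the hardened one (cookie-only sessions, ID regenerated at login), and adds the pre-order check that would have refused an order whose customer does not match the session. The function names, the `$_SESSION['customer_id']` key and the order check are assumptions made for the illustration.

```php
<?php
// Added illustration, not osCommerce code. Shows the weak and the hardened
// session-ID handling side by side, plus a defensive check before an order
// is written. Function names and the $_SESSION key are assumptions.

// Weak: the session ID may arrive in the URL (?PHPSESSID=...), and PHP
// rewrites outgoing links to carry it. A customer who emails or pastes such
// a link hands the recipient her session, which is the scenario in the thread.
function weak_session_setup(): void
{
    ini_set('session.use_only_cookies', '0'); // accept a SID from the query string
    ini_set('session.use_trans_sid', '1');    // embed the SID in generated links
    session_start();
}

// Hardened: the SID is carried only in a cookie, so a SID inside a URL is
// ignored, and the cookie is marked so scripts and plain-HTTP requests
// cannot read it. Must run before session_start().
function hardened_session_setup(): void
{
    ini_set('session.use_only_cookies', '1'); // never read the SID from the URL
    ini_set('session.use_trans_sid', '0');    // never write the SID into links
    session_set_cookie_params([                // array form needs PHP 7.3+
        'secure'   => true,
        'httponly' => true,
        'samesite' => 'Lax',
    ]);
    session_start();
}

// Call at the moment a customer authenticates. Regenerating the ID means any
// SID that leaked before login (in a link, a log, a browser history) no longer
// refers to the authenticated session.
function on_customer_login(int $customerId): void
{
    session_regenerate_id(true);              // delete the old session record
    $_SESSION['customer_id'] = $customerId;   // assumed key for this illustration
}

// Call before saving an order. The order's customer must be the customer who
// authenticated in this very session; anything else is refused rather than
// silently filed under the wrong account, which is what the original poster saw.
function assert_order_owner(int $orderCustomerId): void
{
    $sessionCustomer = $_SESSION['customer_id'] ?? null;
    if ($sessionCustomer === null) {
        throw new RuntimeException('order attempted without an authenticated customer in this session');
    }
    if ((int) $sessionCustomer !== $orderCustomerId) {
        throw new RuntimeException(sprintf(
            'order for customer %d does not match session customer %d',
            $orderCustomerId,
            (int) $sessionCustomer
        ));
    }
}
```

The trade-off Jim points out applies unchanged here: with `session.use_only_cookies` set, a browser that refuses cookies cannot hold a session at all, so the hardened setup is the right default only if the store accepts losing those customers. The `assert_order_owner` check is independent of that decision and costs nothing; it turns a silent misattribution into a visible failure in the server log.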

