
osCommerce

The e-commerce.

Huge problems with confidential info


dankog


Ok, guys,

 

I've got two huge problems and haven't seen anyone having a similar type of trouble in this forum. I am fairly new in both osCommerce and PHP and maybe I am just plain stupid so I am posting this for you who are much smarter than me to help me with this thingy.

 

1. Suppose one of my customers, let's say in Swaziland, (without creating his own account) puts one or many of the products in shopping cart. He goes to shopping cart page to see what he's got in a shopping cart and it shows him all the products he's put in. For some reason, he changes his mind, stops shopping and just leaves my site without emptying shopping cart. That's fine. THE PROBLEM starts here: a second customer, let's say in Greenland, goes to my site and does exactly the same thing as the first one, only this time when he goes to view his shopping cart - THE PRODUCTS THAT FIRST, SWAZILAND CUSTOMER WANTED TO ORDER ARE SHOWN IN HIS SHOPPING CART!!!!! I stress once again: this happens only in situation when none of the above customers have created their own accounts or when they did not log in to their accounts.

 

2. Second problem is possibly related to the first one. A first, Swaziland customer creates his account, orders whatever he orders and leaves my site without logging off from his account. A second, Greenland customer goes to my site, orders some products without creating an account, clicks on Checkout button and, INSTEAD OF TAKING HIM TO LOGIN PAGE, IT GOES STRAIGHT TO ACCOUNT PAGE WITH FIRST, SWAZILAND CUSTOMER'S INFORMATION ON IT.

 

Please help me, I've been struggling with this for ages and it is affecting my business. I am using osCommerce 2.2MS2 and my config file looks like this:

 

define('HTTP_SERVER', 'http://www/cubadirecto.com/'); // eg, http://localhost - should not be empty for productive servers

define('HTTPS_SERVER', 'https://www1.securesiteserver.co.uk/cubadirecto/'); // eg, https://localhost - should not be empty for productive servers

define('ENABLE_SSL', true); // secure webserver for checkout procedure?

define('HTTP_COOKIE_DOMAIN', '');

define('HTTPS_COOKIE_DOMAIN', '');

define('HTTP_COOKIE_PATH', '/execsc');

define('HTTPS_COOKIE_PATH', '');

define('DIR_WS_HTTP_CATALOG', '/');

define('DIR_WS_HTTPS_CATALOG', '');

define('DIR_WS_IMAGES', 'images/');

define('DIR_WS_ICONS', DIR_WS_IMAGES . 'icons/');

define('DIR_WS_INCLUDES', 'includes/');

define('DIR_WS_BOXES', DIR_WS_INCLUDES . 'boxes/');

define('DIR_WS_FUNCTIONS', DIR_WS_INCLUDES . 'functions/');

define('DIR_WS_CLASSES', DIR_WS_INCLUDES . 'classes/');

define('DIR_WS_MODULES', DIR_WS_INCLUDES . 'modules/');

define('DIR_WS_LANGUAGES', DIR_WS_INCLUDES . 'languages/');

 

define('DIR_WS_DOWNLOAD_PUBLIC', 'pub/');

define('DIR_FS_CATALOG', '/domains/c/u/cubadirecto.com/public_html/');

define('DIR_FS_DOWNLOAD', DIR_FS_CATALOG . 'download/');

define('DIR_FS_DOWNLOAD_PUBLIC', DIR_FS_CATALOG . 'pub/');

 

// define our database connection

define('DB_SERVER', 'serverXX'); // eg, localhost - should not be empty for productive servers

define('DB_SERVER_USERNAME', 'xxxxxxx');

define('DB_SERVER_PASSWORD', 'xxxxxxxx');

define('DB_DATABASE', 'xxxxxxxx');

define('USE_PCONNECT', 'false'); // use persistent connections?

define('STORE_SESSIONS', ''); // leave empty '' for default handler or set to 'mysql'

 

Thanks


This sounds like you have a hardcoded link on your site which includes a session id.

Mark Evans

osCommerce Monkey & Lead Guitarist for "Sparky + the Monkeys" (Album on sale in all good record shops)

 

---------------------------------------

Software is like sex: It's better when it's free. (Linus Torvalds)


I have just checked your site and you have hardcoded sessions on the first page.

 

Remove them and the problem will go away.

 

HTH

Mark Evans


Just wondering how or what does it mean to hard code a session id in a link? How is this possible? Do they copy the URL including session id for the link?

Yes, if you click on a page and copy the full URL the current session id is saved also.

If 2 people click on that link they will both have the same session id, unless you have check ip address set to true in the admin tool (MS-2 only).

 

HTH

Mark Evans

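One way to find the hardcoded session IDs described in the reply above, as an added example that is not part of the original thread or of osCommerce: it walks static markup and reports every link or form target whose query string carries a session parameter, together with the cleaned URL. The parameter names `osCsid` and `PHPSESSID` are assumptions about the store's session name, and the sample markup and its session ID are constructed.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit, urlunsplit, parse_qsl, urlencode

# Assumed session parameter names; adjust to the store's configured session name.
SESSION_PARAMS = {"oscsid", "phpsessid"}
URL_ATTRS = {"href", "src", "action"}

def strip_session_id(url):
    """Return (clean_url, removed_ids) with session parameters dropped from the query."""
    parts = urlsplit(url)
    kept, removed = [], []
    for key, value in parse_qsl(parts.query, keep_blank_values=True):
        (removed if key.lower() in SESSION_PARAMS else kept).append((key, value))
    clean = urlunsplit(parts._replace(query=urlencode(kept)))
    return clean, [value for _, value in removed]

class LinkAudit(HTMLParser):
    """Collect every URL attribute in static markup that carries a session ID."""
    def __init__(self):
        super().__init__()
        self.findings = []          # (line, tag, original_url, clean_url)

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if name in URL_ATTRS and value:
                clean, ids = strip_session_id(value)
                if ids:
                    line, _ = self.getpos()
                    self.findings.append((line, tag, value, clean))

def audit(markup):
    """Return the findings for one page or template given as a string."""
    parser = LinkAudit()
    parser.feed(markup)
    parser.close()
    return parser.findings

# Constructed sample: a front page where two URLs were pasted with a live session ID.
SAMPLE = """<a href="index.php">Home</a>
<a href="product_info.php?products_id=12&amp;osCsid=3f9a1c0e7b2d4a6f8c1e5b7d9a0c2e4f">Product</a>
<form action="advanced_search_result.php?osCsid=3f9a1c0e7b2d4a6f8c1e5b7d9a0c2e4f" method="get"></form>
<a href="shopping_cart.php?sort=2a">Cart</a>
"""

if __name__ == "__main__":
    for line, tag, url, clean in audit(SAMPLE):
        print(f"line {line}: <{tag}> {url} -> {clean}")
```

Run it over the hand-edited pages and templates (header, footer, front-page text) rather than over generated output, since links the application generates for a visitor without cookies legitimately carry that visitor's own ID.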

Thanks a million, Mark

 

You're a life saver. I tested all the possibilities that cause the problem before and none of them appear any more.

Thank you, thank you, thank you.

Best Regards


  • 3 years later...
I have just checked your site and you have hardcoded sessions on the first page.

 

Remove them and the problem will go away.

 

HTH

 

 

How do you remove hard coded sessions? I'm confused. Can someone give me step by step directions?

'Cause I have this problem also, one customer from one computer can access the login information of another customer from another place if they both clicked on the same link.


How do you remove hard coded sessions? I'm confused. Can someone give me step by step directions?

'Cause I have this problem also, one customer from one computer can access the login information of another customer from another place if they both clicked on the same link.

Install the session regeneration

http://www.oscommerce.com/community/contributions,4112

and set the prevent spider sessions to true in your osC Admin.

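A simplified model of the behaviour discussed in the replies above (one session ID reused by everyone who follows the same link, the IP address check, and regenerating the ID at login), added here as an example. It is not osCommerce code and not the code of the linked contribution; `SessionStore`, its methods, the customer name and the addresses are constructed for illustration.

```python
import secrets

class SessionStore:
    """Toy server-side session table keyed by the ID a request presents in its URL."""
    def __init__(self, check_ip=False):
        self.check_ip = check_ip
        self.sessions = {}      # sid -> {"ip": str, "cart": list, "customer": str or None}

    def _new(self, ip):
        sid = secrets.token_hex(16)
        self.sessions[sid] = {"ip": ip, "cart": [], "customer": None}
        return sid

    def resume(self, presented_sid, ip):
        """Return the session ID this request ends up using."""
        data = self.sessions.get(presented_sid)
        if data is None:
            return self._new(ip)            # unknown or missing ID: fresh session
        if self.check_ip and data["ip"] != ip:
            return self._new(ip)            # ID was issued to another address: do not reuse
        return presented_sid

    def login(self, sid, customer, regenerate=False):
        """Attach a customer; optionally move the session to a new ID no link contains."""
        self.sessions[sid]["customer"] = customer
        if regenerate:
            new_sid = secrets.token_hex(16)
            self.sessions[new_sid] = self.sessions.pop(sid)
            return new_sid
        return sid

def second_visitor_sees(check_ip=False, regenerate=False, a_logs_in=True):
    """Two visitors follow one link carrying the same ID; return what the second one gets."""
    store = SessionStore(check_ip)
    link_sid = store.resume(None, "192.0.2.10")      # ID that was copied into the page link
    a = store.resume(link_sid, "198.51.100.7")       # first visitor clicks the link
    store.sessions[a]["cart"].append("item-1")
    if a_logs_in:
        a = store.login(a, "customer-A", regenerate)
    b = store.resume(link_sid, "203.0.113.9")        # second visitor clicks the same link
    return store.sessions[b]["customer"], list(store.sessions[b]["cart"])

if __name__ == "__main__":
    print("no mitigation:      ", second_visitor_sees())
    print("IP check:           ", second_visitor_sees(check_ip=True))
    print("regenerate at login:", second_visitor_sees(regenerate=True))
    print("regenerate, guest:  ", second_visitor_sees(regenerate=True, a_logs_in=False))
```

The last case shows why regeneration alone does not cover the guest-cart problem from the first post: until someone logs in, the ID in the link is still live, so the hardcoded ID has to be removed from the page as well.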

Install the session regeneration

http://www.oscommerce.com/community/contributions,4112

and set the prevent spider sessions to true in your osC Admin.

 

enigma

 

Actually, using the search feature I found that regin, but the problem is I just couldn't get it working. I keep getting errors like blah blah blah line 167 etc.

 

Would it be possible for me to hire you to do it directly? Can we talk in private? Thanks for any help.


Archived

This topic is now archived and is closed to further replies.
