osCommerce

The e-commerce.

Remember Customer Logon? for next time?


FlyingMonkey


First of all, it is not a good idea to do, for it is a major leak in the system. For example, if someone closes Explorer and does not clear their cache and cookies (most users)... some other people can buy things using their account (depending on your system)..

 

Sites like Amazon do not care if they get 5 or even 10 chargebacks each month, since they are multi-billion companies..

 

If you still insist on doing it, you will have to edit your login.php to store the cookies and/or sessions for a week or so..

 

Salam,

--------------------------------


Sites like Amazon do not care if they get 5 or even 10 chargebacks each month, since they are multi-billion companies..

 

Jeff Bezos would think otherwise.

 

Some other people can buy things using their account (depending on your system)..

 

Amazon requires you to log in every time you check and change your account details. Again, do your research.

 

 

Anyway, the answer to the original question is that you need to set a cookie lifetime.

 

ini_set('session.cookie_lifetime', '5400'); // lifetime of the session cookie in seconds (5400 s = 90 minutes)


Hmm... this has me worried now. Does this really cause a leak in my system? Because I doubt that Amazon would allow such major flaws... or does Amazon have additional security? I'm not too worried myself because our system doesn't store credit card numbers, so customers need to enter them manually every time. But in the future, if we decide to store credit card numbers the way Amazon does, is this a security threat?

Most likely your question has been answered, please do a search first.


Amazon's system makes the user log in whenever they try to alter account information or make a purchase, but otherwise treats them as logged in. Would there be a way to do the same in osCommerce? Setting the cookie lifetime would keep the user completely logged in, allowing anyone using the computer to make purchases, alter account information, and stuff like that. What's needed is a sort of provisional login state, where the system recognizes the user but requests information if they try to access or change sensitive information.


Setting the cookie lifetime would keep the user completely logged in, allowing anyone using the computer to make purchases, alter account information, and stuff like that.

 

Amazon uses the exact same cookies to keep you logged in, even if you shut down the browser and open a new one.

 

They use a transient login state which forces you to login again to perform checkouts and change your account information, regardless of your previous login state.

 

Enabling a cookie lifetime will provide the exact same functionality as Amazon, except that OSC uses a global login state, which will exhibit the flaw you stated above.

 

Using these cookies is not the issue. The issue is how it is implemented.

 

Does this really cause a leak in my system? Because I doubt that Amazon would allow such major flaws... or does Amazon have additional security?

 

See above.

 

I'm not too worried myself because our system doesn't store credit card numbers, so customers need to enter them manually every time. But in the future, if we decide to store credit card numbers the way Amazon does, is this a security threat?

 

Even if someone managed to obtain your login password on Amazon and you already have a credit card on file, they can only ship it to the shipping address you used with the card on a previously successful order.

 

If they try shipping to a different address not associated with the card, Amazon will ask you to re-enter it.

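The "provisional login state" asked for a few posts up, and the "transient login state" the last reply attributes to Amazon, amount to one design: a long-lived remember-me cookie that only identifies the customer, plus a short-lived elevated state that checkout and account changes require and that a fresh password re-establishes. The sketch below is an added example of that design and is not osCommerce code or anything posted in this thread; it is written in plain Python rather than against osCommerce's PHP session API so that it runs stand-alone. The store, the customer record, the 15-minute elevated window and the one-week cookie lifetime are all assumptions chosen for illustration (the week follows the first post's "a week or so"; the first reply's `session.cookie_lifetime` would set only the persistent cookie's lifetime, which here is `REMEMBER_LIFETIME`).

```python
"""Two-tier customer login: recognised (persistent cookie) vs. elevated (fresh password).
Added example, not osCommerce code. All names, lifetimes and the in-memory store are assumptions."""
import hashlib
import hmac
import secrets
import time

REMEMBER_LIFETIME = 7 * 24 * 3600   # persistent cookie lifetime: about a week (assumption)
ELEVATED_LIFETIME = 15 * 60         # how long a fresh password unlocks sensitive actions (assumption)


def _pw_hash(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def _token_key(token):
    # Only a hash of the cookie value is stored server-side, so a leaked table
    # of remember-me tokens cannot be replayed as live cookies.
    return hashlib.sha256(token.encode()).hexdigest()


class Store:
    """Server-side state: customer credentials and hashed remember-me tokens (in memory here)."""

    def __init__(self):
        self.customers = {}        # customer_id -> (salt, pbkdf2 hash)
        self.remember_tokens = {}  # sha256(token) -> (customer_id, expires_at)

    def register(self, customer_id, password):
        salt = secrets.token_bytes(16)
        self.customers[customer_id] = (salt, _pw_hash(password, salt))

    def check_password(self, customer_id, password):
        rec = self.customers.get(customer_id)
        if rec is None:
            return False
        salt, stored = rec
        return hmac.compare_digest(stored, _pw_hash(password, salt))


class Session:
    """Per-browser state. customer_id is set whenever the shop *recognises* the user;
    elevated_until says until when they count as *fully* logged in."""

    def __init__(self):
        self.customer_id = None
        self.elevated_until = 0.0


def login(store, session, customer_id, password, remember, now=None):
    """Password login. Returns the remember-me cookie value ("" if not requested), None on failure."""
    now = time.time() if now is None else now
    if not store.check_password(customer_id, password):
        return None
    session.customer_id = customer_id
    session.elevated_until = now + ELEVATED_LIFETIME   # a fresh password elevates
    if not remember:
        return ""
    token = secrets.token_urlsafe(32)
    store.remember_tokens[_token_key(token)] = (customer_id, now + REMEMBER_LIFETIME)
    return token


def resume_from_cookie(store, session, token, now=None):
    """A new browser session presents the persistent cookie: recognise the customer
    (greeting, cart, order history) but leave them in the provisional, non-elevated state."""
    now = time.time() if now is None else now
    entry = store.remember_tokens.get(_token_key(token))
    if entry is None:
        return False
    customer_id, expires_at = entry
    if now >= expires_at:
        del store.remember_tokens[_token_key(token)]   # expired: forget it server-side too
        return False
    session.customer_id = customer_id
    session.elevated_until = 0.0   # recognised, but checkout and account edits stay locked
    return True


def reauthenticate(store, session, password, now=None):
    """Step-up check: re-enter the password to unlock checkout / account changes."""
    now = time.time() if now is None else now
    if session.customer_id is None or not store.check_password(session.customer_id, password):
        return False
    session.elevated_until = now + ELEVATED_LIFETIME
    return True


def is_recognised(session):
    return session.customer_id is not None


def may_do_sensitive(session, now=None):
    """Gate for checkout and account edits: must be recognised AND still elevated."""
    now = time.time() if now is None else now
    return session.customer_id is not None and now < session.elevated_until


if __name__ == "__main__":
    store = Store()
    store.register("alice@example.com", "correct horse")        # constructed sample customer
    browser1 = Session()
    cookie = login(store, browser1, "alice@example.com", "correct horse", remember=True)
    browser2 = Session()                                         # same cookie, new browser session
    resume_from_cookie(store, browser2, cookie)
    print("recognised:", is_recognised(browser2), "may checkout:", may_do_sensitive(browser2))
    reauthenticate(store, browser2, "correct horse")
    print("after re-entering password, may checkout:", may_do_sensitive(browser2))
```

The point of the split is that setting only a cookie lifetime, as suggested earlier in the thread, stretches one global login state across a week, so whoever sits at the unlocked machine inherits checkout and account-edit rights; with two states, that person inherits only the recognised state and has to produce the password to go further. Production code would keep `remember_tokens` in the database, mark the cookie `Secure` and `HttpOnly`, and rotate the token on each use.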
