noelc
Posted April 9, 2004

Hi,

I have discovered a rather bizarre problem where customers logging in are seeing order details from other customers (not their own!). They are also experiencing problems in placing orders, and are receiving order confirmations for orders that they did not place.

I am not able to duplicate the problem being described (although I have been supplied with proof that the problem is real). This is obviously a matter of high importance for me as I am running a live site.

I am about to do some checking to see if the relations within the database have been thrown out for some reason, but would appreciate any suggestions or information from anyone that has experienced this issue.

Many thanks :unsure:

Mark Evans
Posted April 9, 2004

There are normally 2 things which cause this.

1. A link in the site with a hardcoded session id
2. The cache isn't being stored in a unique location if enabled.

Can you provide a url so I can see if hardcoded session ids are there?

Mark Evans
osCommerce Monkey & Lead Guitarist for "Sparky + the Monkeys" (Album on sale in all good record shops)
---------------------------------------
Software is like sex: It's better when it's free. (Linus Torvalds)

peterr
Posted April 9, 2004

Hi,

Similar to what Mark stated as point 1, I _think_ if a spider/bot crawls your site, and you do not have that spider defined in the file spiders.txt, then it is possible for session IDs to turn up in search engines. Given that possible scenario, two people could have the same session id (at the same time), by using the link to your site.

Peter

noelc (Author)
Posted April 10, 2004

> 1. A link in the site with a hardcoded session id
> 2. The cache isn't being stored in a unique location if enabled.

Thanks for the info - Well, I did accidentally hard code a session ID in an email I sent to customers :( I guess this is behind the problem - now I can't remove that session ID as the emails are already out there.

Will it help if I select "Recreate Session" in configuration? Do cookies play any role in this - should I be forcing their usage? Is there anything I can do (other than making sure I don't hard code session IDs of course) to prevent this from happening - particularly in a situation where a search engine might reference a session ID?

Not sure what role the cache plays - what happens when I enable that?

Thanks - Noel

noelc (Author)
Posted April 10, 2004

An update on this - when I force cookie usage, I get the cart being empty every time a customer goes to complete an order, even when cookies are enabled??

Full of questions now - soon to be full of answers which I promise to share around :-)

peterr
Posted April 10, 2004

Hi,

If it helps, I don't force cookies (under 'Admin'). Orders go through okay, and additions to the cart work okay.

Peter

user99999999
Posted April 10, 2004

> when I force cookie usage, I get the cart being empty every time a customer goes to complete an order, even when cookies are enabled??

I think your cookie settings in catalog/includes/configure.php are not correct.

noelc (Author)
Posted April 10, 2004

Thanks Dave, Peter and Mark!

All the values seem to be correct in configure.php (i.e. HTTPS_SERVER, HTTP_COOKIE_DOMAIN, HTTPS_COOKIE_DOMAIN, HTTP_COOKIE_PATH, HTTPS_COOKIE_PATH). The cookie issue is a minor problem at the moment because when I do not force cookies all is ok.

I had hard-coded the session ID in a link to specials.php in an email - as a temporary fix, I have created a second version of specials.php with a new name and added the following to the top of specials.php to redirect to the new page and hopefully strip the session id:

    <?php
    // Redirect every request for specials.php to the renamed page;
    // the target URL carries no session ID.
    $URL = "http://www.domain.com/catalog/new_specials.php";
    header("Location: $URL");
    exit; // stop so the rest of specials.php does not run after the redirect
    ?>

I would have done it based on session id value, but I am new to php (used to perl) and I don't know how (plus left my php book at work).

Anyone here know how I could do that, and if what I have done will be ok?

Noel

peterr
Posted April 10, 2004

Hi,

Do you use MySQL to store sessions? Take a look at the code in:

/catalog/includes/functions/sessions.php

Peter

noelc (Author)
Posted April 10, 2004

mm - what I had done was a waste of time I think - thanks peter, looking in session.php seems to be the way to go.

Yes, I do use mysql to store sessions.

Now I need to work out how to say: if $sessid = '7a99b123abb7fdc37bafd53211fe995d' then recreate the session

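One way to express the check asked for in the last post, as an added example that is not part of the thread and is not osCommerce's own code. It uses PHP's stock session functions; the session name `osCsid`, the function names and the placement (before any output, after any custom session save handler is registered) are assumptions.

```php
<?php
// Added example: not osCommerce code and not from the thread.
// Assumptions: the session name 'osCsid', the function names, and that this
// runs before any output, after any custom session save handler is registered.

const SESSION_NAME = 'osCsid';

// Session IDs that have been published (e-mail links, search-engine results).
// The value below is the one quoted in the post above.
const LEAKED_SESSION_IDS = [
    '7a99b123abb7fdc37bafd53211fe995d',
];

// Return the session ID the client supplied, or null if there is none.
function client_session_id(string $name): ?string
{
    foreach ([$_GET, $_POST, $_COOKIE] as $source) {
        if (isset($source[$name]) && is_string($source[$name])) {
            return $source[$name];
        }
    }
    return null;
}

// Start the session; if the client arrived with a published ID, throw away
// whatever that shared session holds and continue under a fresh ID.
function start_session_rejecting_leaked_ids(): bool
{
    session_name(SESSION_NAME);
    $supplied = client_session_id(SESSION_NAME);
    $leaked = $supplied !== null && in_array($supplied, LEAKED_SESSION_IDS, true);
    if ($leaked) {
        session_id($supplied);        // open the shared session however the ID arrived
    }
    session_start();
    if ($leaked) {
        $_SESSION = [];               // drop the shared cart and login state
        session_regenerate_id(true);  // new ID; true deletes the old session record
    }
    return $leaked;
}

// Call after a successful login so a pre-login ID never becomes an authenticated one.
function rotate_session_on_login(): void
{
    session_regenerate_id(true);
}

start_session_rejecting_leaked_ids();
```

Every visitor who follows the e-mailed link then gets a session of their own, and links built afterwards should take the ID from `session_id()` rather than from the request.
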
This topic is now archived and is closed to further replies.