Nick Weisser Posted April 13, 2004

We are facing a serious problem with our live shop. It now happened 2 times that a new customer was automatically logged in as a registered customer (the two having nothing to do with each other) and then ordered something with the wrong payment and shipping details. The new customer entered the shop a few minutes after the other person had left the shop. Maybe the latter forgot to log off, but even if he did not log off this should not happen! Can anyone imagine how this is possible?
Mark Evans Posted April 13, 2004

Check for hard coded links.

Mark Evans
osCommerce Monkey & Lead Guitarist for "Sparky + the Monkeys" (Album on sale in all good record shops)
Software is like sex: It's better when it's free. (Linus Torvalds)
Nick Weisser (Author) Posted April 13, 2004

> Are you, by any chance, on a shared server?

Yes I am. Is this a problem in itself?

> Check for hard coded links.

Did you have a similar login experience when using hard coded links? Is this a known issue?

Thanks for your help
Nick
Almirena Posted April 13, 2004

Being on a shared server is potentially a problem. If you do a search in the forums, using the keywords "shared server", you'll come up with lots of threads that address this issue.

Good luck and happy searching - I'd post the links, but I'm feeling lazy. Besides... dialup is SLOW...!
wizardsandwars Posted April 13, 2004

Another possible issue here is that the sessions got mixed up. This could happen from time to time with two customers purchasing at exactly the same time. The only way to be completely safe is to 'force cookie use', which will not allow customers that do not have cookies enabled to purchase, thereby eliminating the session ID being passed through the URL, which is the cause of the problem.

NOTE: As of Oct 2006, I'm not as active in this forum as I used to be, but I still work with osC quite a bit. If you have a question about any of my posts here, your best bet is to contact me through either Email or PM in my profile, and I'll be happy to help.
Nick Weisser (Author) Posted April 14, 2004

Thanks for your replies. I now could trace the problem to links that included the session id, positioned on the startpage. The webmaster wasn't aware that he appended a (normally unique) session id to the link :huh: When two customers entered the shop over the same link, they had the same session id...

As we are in a shared server environment we will anyway force cookie usage from now on. No more security issues of this kind, please :rolleyes:
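Added example, not part of the original posts and not osCommerce code: a small checker that finds the kind of hard coded link traced above, a link in static page content that carries a session id in its query string, and prints the link with the id stripped. It assumes the session parameter is `osCsid` (osCommerce's default session name) or `PHPSESSID` (PHP's default); the sample page, the `shop.example` host and the function names are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit, parse_qsl, urlencode, urlunsplit

# Assumed session parameter names: osCsid (osCommerce default) and
# PHPSESSID (PHP default). Add your own if the session was renamed.
SESSION_PARAMS = {"oscsid", "phpsessid"}

class LinkCollector(HTMLParser):
    """Collect (line, url) for every href/src/action attribute in a page."""
    def __init__(self):
        super().__init__()
        self.links = []

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if name in ("href", "src", "action") and value:
                self.links.append((self.getpos()[0], value))

def find_session_links(html):
    """Return [(line, url, param, cleaned_url)] for links carrying a session id."""
    parser = LinkCollector()
    parser.feed(html)
    findings = []
    for line, url in parser.links:
        parts = urlsplit(url)
        query = parse_qsl(parts.query, keep_blank_values=True)
        hits = [k for k, _ in query if k.lower() in SESSION_PARAMS]
        if hits:
            # Rebuild the URL without the session parameter(s).
            kept = [(k, v) for k, v in query if k.lower() not in SESSION_PARAMS]
            cleaned = urlunsplit(parts._replace(query=urlencode(kept)))
            findings.append((line, url, hits[0], cleaned))
    return findings

# Constructed sample start page: one clean link, two with a pasted-in session id.
SAMPLE = """<html><body>
<a href="index.php?cPath=3">Catalog</a>
<a href="http://shop.example/product_info.php?products_id=12&amp;osCsid=0123456789abcdef0123456789abcdef">Offer of the week</a>
<a href="http://shop.example/login.php?PHPSESSID=deadbeef">Login</a>
</body></html>"""

if __name__ == "__main__":
    for line, url, param, cleaned in find_session_links(SAMPLE):
        print(f"line {line}: {param} in {url}")
        print(f"  replace with: {cleaned}")
```

Run it over the static pages, banners, newsletters and any other content that links into the shop; every visitor who follows a flagged link starts with the same session id.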
Guest Posted July 22, 2004

I am having the same problem. How do you "force cookie Use"? And what hard coded links should I be looking for?

Thank You,
frank
Guest Posted July 22, 2004

You can force cookie usage in configuration, but I think that causes another problem, don't recall what tho.

Rolf
mugitty Posted July 22, 2004

I believe that storing sessions in a directory instead of the database also can cause this sort of problem. In your configure.php files, try setting your sessions line as

define('STORE_SESSIONS', 'mysql');

if it's not already set as that.

... if you want to REALLY see something that doesn't set up right out of the box without some tweaking, try being a Foster Parent!
ReneeC Posted August 2, 2004

> I believe that storing sessions in a directory instead of the database also can cause this sort of problem. In your configure.php files, try setting your sessions line as
>
> define('STORE_SESSIONS', 'mysql');
>
> if its not already set as that

We tried this and it caused an error on our admin:

Warning: main(includes/functions/sessions_mysql.php) [function.main]: failed to create stream: No such file or directory in /catalog/admin/includes/functions/administrators.php on line 72

Warning: main() [function.main]: Failed opening 'includes/functions/sessions_mysql.php' for inclusion (include_path='.://local/lib/php') in /catalog/admin/includes/functions/administrators.php on line 72

Warning: Cannot modify header information - headers already sent by (output started at /catalog/admin/includes/functions/administrators.php:72) in /catalog/admin/includes/functions/administrators.php on line 87

Also we are not on a shared server, we have a dedicated server. How do you force cookies????? We do not have that in the admin panel under configuration, do we have to change it somewhere in the code? Our customers are seeing other customers' accounts.
Archived
This topic is now archived and is closed to further replies.