
osCommerce


Logged in as another customer?!


Nick Weisser


We are facing a serious problem with our live shop. It now happened 2 times that a new customer was automatically logged in as a registered customer (the two having nothing to do with each other) and then ordered something with the wrong payment and shipping details.

The new customer entered the shop a few minutes after the other person had left the shop. Maybe the latter forgot to log off, but even if he did not log off this should not happen!

 

Can anyone imagine how this is possible?

Link to comment
Share on other sites

Check for hard coded links.

Mark Evans

osCommerce Monkey & Lead Guitarist for "Sparky + the Monkeys" (Album on sale in all good record shops)

 

---------------------------------------

Software is like sex: It's better when it's free. (Linus Torvalds)

Link to comment
Share on other sites

Are you, by any chance, on a shared server?

 

Yes I am. Is this a problem in itself?

 

Check for hard coded links.

 

Did you have a similar login experience when using hard coded links? Is this a known issue?

 

Thanks for your help

Nick

Link to comment
Share on other sites

Being on a shared server is potentially a problem. If you do a search in the forums, using the keywords "shared server", you'll come up with lots of threads that address this issue. Good luck and happy searching - I'd post the links, but I'm feeling lazy. Besides... dialup is SLOW...!

Link to comment
Share on other sites

Another possible issue here is that the sessions got mixed up. This could happen from time to time with two customers purchasing at exactly the same time.

 

The only way to be completely safe is to 'force cookie use', which will not allow customers that do not have cookies enabled to purchase, thereby eliminating the session ID being passed through the URL, which is the cause of the problem.

-------------------------------------------------------------------------------------------------------------------------

NOTE: As of Oct 2006, I'm not as active in this forum as I used to be, but I still work with osC quite a bit.

If you have a question about any of my posts here, your best bet is to contact me though either Email or PM in my profile, and I'll be happy to help.

Link to comment
Share on other sites

Thanks for your replies.

 

I now could trace the problem to links that included the session id, positioned on the startpage. The webmaster wasn't aware that he appended a (normally unique) session id to the link :huh:

 

When two customers entered the shop over the same link, they had the same session id...

 

As we are in a shared server environment we will anyway force cookie usage from now on. No more security issues of this kind, please :rolleyes:

Link to comment
Share on other sites
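The diagnosis in the two replies above (session IDs travelling in the URL, and a start page whose links had a session ID baked in so every visitor following them presented the same ID) is easy to check for mechanically. The scanner below is an added example for this thread, not osCommerce code and not something the posters shared. It assumes the session ID is carried as a query parameter named osCsid (osCommerce's default session name; pass another name if your shop differs), walks every href, src and action attribute in a page, reports the ones that hard-code a session ID, and shows the cleaned link that should be there instead. The sample page and the session ID value in it are constructed for the example.

```python
"""Find links that hard-code a session id in an osCommerce page.

Added example, not osCommerce's own code. Assumes the session id is
passed as the query parameter `osCsid` (the osCommerce default); any
other parameter name can be supplied.
"""
from html.parser import HTMLParser
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

SESSION_PARAM = "osCsid"  # osCommerce default session name; adjust if needed


class _LinkCollector(HTMLParser):
    """Collect every URL-bearing attribute (href, src, action) in a page."""

    ATTRS = {"href", "src", "action"}

    def __init__(self):
        super().__init__()
        self.urls = []

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if name in self.ATTRS and value:
                self.urls.append(value)


def session_id_in_url(url, param=SESSION_PARAM):
    """Return the session id carried in the query string of `url`, or None."""
    for key, value in parse_qsl(urlsplit(url).query, keep_blank_values=True):
        if key == param:
            return value
    return None


def strip_session_id(url, param=SESSION_PARAM):
    """Return `url` with the session id parameter removed (other params kept)."""
    parts = urlsplit(url)
    kept = [(k, v) for k, v in parse_qsl(parts.query, keep_blank_values=True)
            if k != param]
    return urlunsplit(parts._replace(query=urlencode(kept)))


def find_leaking_links(html, param=SESSION_PARAM):
    """Return [(url, session_id, cleaned_url), ...] for every link in `html`
    that hard-codes a session id. Every visitor who follows such a link
    presents the same id, which is how two customers end up in one session."""
    collector = _LinkCollector()
    collector.feed(html)
    findings = []
    for url in collector.urls:
        sid = session_id_in_url(url, param)
        if sid is not None:
            findings.append((url, sid, strip_session_id(url, param)))
    return findings


# Constructed sample of a shop start page (not taken from the thread); the
# session id value is a made-up placeholder pasted into three of the links.
SAMPLE_START_PAGE = """
<html><body>
<a href="http://www.example-shop.test/catalog/default.php">Home</a>
<a href="http://www.example-shop.test/catalog/product_info.php?products_id=29&amp;osCsid=deadbeef0123456789abcdef01234567">Featured item</a>
<a href="http://www.example-shop.test/catalog/login.php?osCsid=deadbeef0123456789abcdef01234567">Login</a>
<img src="http://www.example-shop.test/catalog/images/logo.gif">
<form action="http://www.example-shop.test/catalog/advanced_search_result.php?osCsid=deadbeef0123456789abcdef01234567">
</form>
</body></html>
"""

if __name__ == "__main__":
    for url, sid, clean in find_leaking_links(SAMPLE_START_PAGE):
        print(f"session id {sid} hard-coded in: {url}")
        print(f"   should be: {clean}")
```

Run it against the saved HTML of your start page (or any template a webmaster edited by hand) and fix every link it lists; a link is only safe when the session parameter is absent and the shop adds it, or better a cookie, per visitor. In osCommerce 2.2 the setting the earlier reply calls "force cookie use" is Administration > Configuration > Sessions > Force Cookie Use (SESSION_FORCE_COOKIE_USE); with it on, visitors without cookies are sent to the cookie-usage notice instead of getting a session ID in the URL, so hard-coded IDs like the ones above can no longer be followed into someone else's session.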

  • 3 months later...

I am having the same problem. How do you "force cookie use"? And what hard coded links should I be looking for?

 

Thank You,

 

frank

Link to comment
Share on other sites

I believe that storing sessions in a directory instead of the database also can cause this sort of problem. In your configure.php files, try setting your sessions line as

 

define('STORE_SESSIONS', 'mysql');

 

if it's not already set as that

... if you want to REALLY see something that doesn't set up right out of the box without some tweaking,

try being a Foster Parent!

Link to comment
Share on other sites

  • 2 weeks later...
I believe that storing sessions in a directory instead of the database also can cause this sort of problem. In your configure.php files, try setting your sessions line as

 

define('STORE_SESSIONS', 'mysql');

 

if it's not already set as that

 

We tried this and it caused an error on our admin

 

Warning: main(includes/functions/sessions_mysql.php) [function.main]: failed to create stream: No such file or directory in /catalog/admin/includes/functions/administrators.php on line 72

 

Warning: main() [function.main]: Failed opening 'includes/functions/sessions_mysql.php' for inclusion (include_path='.://local/lib/php') in /catalog/admin/includes/functions/administrators.php on line 72

 

Warning: Cannot modify header information - headers already sent by (output started at /catalog/admin/includes/functions/administrators.php:72) in /catalog/admin/includes/functions/administrators.php on line 87

 

 

Also we are not on a shared server, we have a dedicated server.

 

How do you force cookies?????

We do not have that in the admin panel under configuration, do we have to change it somewhere in the code?

 

Our customers are seeing other customers accounts

Link to comment
Share on other sites

  • 2 weeks later...

Archived

This topic is now archived and is closed to further replies.
