Post by badboy39 » Tue Jul 12, 2016 7:51 pm

Hi

I got a complaint from a customer of my webshop who was logged in with another user's account. The session variable was set with another user id. But the customers do not know each other, and they also don't know each other's passwords.

How could this happen?

Has anyone of you faced the same issue?


Post by i2Paq » Tue Jul 12, 2016 8:23 pm

Shared server/hosting?

Norman in 't Veldt
Moderator OpenCart Forums


Post by straightlight » Tue Jul 12, 2016 9:14 pm

This lack of security methods can attract CSRF attackers into taking other sessions while using unprotected web forms throughout the login form, based on low-quality shared web hosting services.

I would highly recommend downloading the CSRF protection form extension: http://www.opencart.com/index.php?route ... on_id=4773 . Download the v2.0x edition.

Then, in your catalog/controller/account/login.php file,

find:

    $data['action'] = $this->url->link('account/login', '', true);

add above:

    $this->load->model('tool/csrf');

    $data['csrf_form_input'] = $this->model_tool_csrf->getCsrfHiddenInput();

In your catalog/view/theme/<your_theme>/template/account/login.html file,

find:

    <form

add on the very next line:

    <?php echo $csrf_form_input; ?>

This will protect and tokenize each individual customer logging into their account safely, without session overrides.

As for addressing the complaint from the customers, inform them to change their account password on a regular basis to ensure their account privacy and safety.

The most generated errors being found on Opencart forum originates from contributed programming.

Regards,
Straightlight



Post by badboy39 » Tue Jul 12, 2016 10:10 pm

It is not a shared host.

I found out the customer_ip table has the same IP on different customer_ids.

This shared IP is used by a global ISP, so I assume both customers use the same internet provider.

Could this be a problem?

How is the session id generated in OpenCart? Based on IP only?


Post by straightlight » Tue Jul 12, 2016 10:15 pm

badboy39 wrote:
> It is not a shared host.
>
> I found out the customer_ip table has the same IP on different customer_ids.
>
> This shared IP is used by a global ISP, so I assume both customers use the same internet provider.
>
> Could this be a problem?
>
> How is the session id generated in OpenCart? Based on IP only?

Not even by IP. It simply flags a guest if a sessionized guest super global variable has been defined by a developer for extension purposes, which is why I'd still highly recommend using my above method to protect your login form with the HTML form POST method.

Regards,
Straightlight



Post by badboy39 » Tue Jul 12, 2016 10:39 pm

I'm getting errors:

Notice: Trying to get property of non-object in system\library\csrf.php on line 58

Notice: Indirect modification of overloaded property Csrf::$session has no effect in system\library\csrf.php on line 51


Post by straightlight » Tue Jul 12, 2016 10:56 pm

It seems your server does not accept references passed through PHP constructors. I have updated my package to match all servers' requirements. Re-download the package, re-upload the system/library/csrf.php file and see if you now notice the token in the view source.

Note: Make sure to have uploaded all files from the package. There are only new files included.

Regards,
Straightlight



Post by badboy39 » Tue Jul 12, 2016 11:15 pm

Your new version still does not work.

Anyhow, I've fixed it by myself.

The question is, will this module fix my problem? It seems different logins with the same IP (e.g. a shared IP in a company network) are causing this problem:

User A logs in at PC1; user B logs in at PC2 => user A will see user B's account.


Post by straightlight » Tue Jul 12, 2016 11:19 pm

If you believe this error is caused by an IP conflict, simply contact your host, since the topic you are currently addressing was session login and not duplicated IP issues. Sessionized activities should always be based on user accounts rather than guest sessions, in this case.

Regards,
Straightlight



Post by badboy39 » Wed Jul 13, 2016 12:13 am

Can someone explain to me these settings in library/session.php:

    ini_set('session.use_only_cookies', 'Off');
    ini_set('session.use_cookies', 'On');
    ini_set('session.use_trans_sid', 'Off');
    ini_set('session.cookie_httponly', 'On');

and whether I should change them somehow?

My problem was that the session_start() function generated the same hash on different clients, even with different IP addresses.

How could this happen?


Post by straightlight » Wed Jul 13, 2016 12:17 am

In my experience, it has only been seen long ago that the session_id() can be reproduced, based only on a high level of traffic on a network or on a bad libraries installation / configuration, which still doesn't happen much these days. However, session functions must be reported to your host on that side, since this is not an OpenCart issue, nor was it reported in the past regarding session conflicts generated by a PCI web server.

Regards,
Straightlight



Post by ASG » Wed Aug 31, 2016 2:20 pm

Did you ever get around to resolving this?

I had the same issue more than a year back.

http://forum.opencart.com/viewtopic.php?f=20&t=139197

Try turning the page cache off, if there is any module which separately manages the page cache on your OC install. You can enable image caching though; it has no impact.

Hosting has nothing to do with it, as long as your session data is being stored in a path specific to your hosting account (which is almost always the case). You can modify the session data storage path as well using the php.ini file.

ASG
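The page-cache cause ASG points at (a cache storing a response that carries Set-Cookie and replaying that one session cookie to every visitor) can be checked for from the outside by auditing response headers. This is an added example, not code from the thread or from OpenCart; the cookie names and the sample responses are assumptions constructed for it.

```python
# Added example, not from the thread or OpenCart: audit an HTTP response for the cache
# misconfiguration ASG points at (a page cache storing a response that carries Set-Cookie,
# then replaying that one session cookie to every visitor). Cookie names are assumptions.
SESSION_COOKIE_NAMES = {"OCSESSID", "PHPSESSID"}  # OpenCart and PHP defaults (assumed)

def parse_headers(raw: str):
    """Split a raw HTTP response into (status line, {lower-case name: [values]})."""
    lines = raw.split("\r\n")
    headers = {}
    for line in lines[1:]:
        if not line:  # the blank line ends the header block
            break
        name, _, value = line.partition(":")
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return lines[0], headers

def cache_directives(headers):
    """Cache-Control directive names (values dropped), lower-cased."""
    directives = set()
    for value in headers.get("cache-control", []):
        for token in value.split(","):
            directives.add(token.strip().split("=", 1)[0].lower())
    return directives

def session_cookies_set(headers):
    """Names of the session cookies this response tries to set on the client."""
    names = [sc.split("=", 1)[0].strip() for sc in headers.get("set-cookie", [])]
    return [n for n in names if n in SESSION_COOKIE_NAMES]

def audit(raw: str):
    """Return findings for one response; an empty list means no sign of the problem."""
    _, headers = parse_headers(raw)
    cookies = session_cookies_set(headers)
    if not cookies:
        return []  # no session cookie, so nothing a cache could give another client
    directives = cache_directives(headers)
    findings = []
    if not directives & {"private", "no-store"}:
        findings.append("session cookie %s set without Cache-Control: private/no-store" % cookies)
    if "public" in directives:
        findings.append("Cache-Control: public on a response that sets a session cookie")
    if any(v.upper().startswith("HIT") for v in headers.get("x-cache", [])):
        findings.append("X-Cache: HIT together with Set-Cookie: the session is already shared")
    return findings

# Constructed sample responses (not captured from any real shop).
LEAKY = ("HTTP/1.1 200 OK\r\nCache-Control: public, max-age=600\r\nX-Cache: HIT\r\n"
         "Set-Cookie: OCSESSID=deadbeef; path=/; HttpOnly\r\n\r\n<html>")
SAFE = ("HTTP/1.1 200 OK\r\nCache-Control: no-store, no-cache, must-revalidate\r\n"
        "Set-Cookie: OCSESSID=deadbeef; path=/; HttpOnly\r\n\r\n<html>")
```

Run audit() over responses captured from two different clients: if the same OCSESSID value comes back to both, the cache in front of the shop is the place to look, not the session library.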

Post by badboy39 » Thu Mar 16, 2017 5:53 pm

Did anyone face this issue on a dedicated host?


Post by iplocker » Wed Sep 06, 2017 11:03 pm

Hello.
I'm running on a VPS at Siteground, and I have the same issue.
Siteground investigated the issue on their part and no mechanism for caching sessions or the like was detected on their side.
So it is something else!
Thanks

Post by cosmicx » Wed Sep 13, 2017 12:15 am

I have a similar issue. My setup is on a VPS running Nginx as a reverse proxy. The web server was automatically configured by VestaCP.
