Hi
I got a complaint from a customer of my webshop who was logged in with another user account. Session variable was set with another user id. But the customers does not know each other, they also doesn't know each other passwords.
How could this happens?
Did someone of you face same issue?
Shared server/hosting?
Norman in 't Veldt
Moderator OpenCart Forums
_________________ READ and Search BEFORE POSTING _________________
Our FREE search: Find your answer FAST!.
[How to] BTW + Verzend + betaal setup.
These lacks of security methods can attract CSRF attackers on taking other sessions while using unprotected web forms throughout the login form based on low quality shared web hosting services.
I would highly recommend to download the CSRF protection form extension: http://www.opencart.com/index.php?route ... on_id=4773 . Download the v2.0x edition.
Then, in your catalog/controller/account/login.php file,
find:
add above:
In your catalog/view/theme/<your_theme>/template/account/login.html file,
find:
add on the very next line:
This will protect and tokenize each individual customers by logging into their account safely without session overrides.
As to address the complaint to the customers, inform them to change their account password on a regular basis to ensure their account privacy safety.
I would highly recommend to download the CSRF protection form extension: http://www.opencart.com/index.php?route ... on_id=4773 . Download the v2.0x edition.
Then, in your catalog/controller/account/login.php file,
find:
Code: Select all
$data['action'] = $this->url->link('account/login', '', true);
Code: Select all
$this->load->model('tool/csrf');
$data['csrf_form_input'] = $this->model_tool_csrf->getCsrfHiddenInput();
find:
Code: Select all
<form
Code: Select all
<?php echo $csrf_form_input; ?>
As to address the complaint to the customers, inform them to change their account password on a regular basis to ensure their account privacy safety.
Dedication and passion goes to those who are able to push and merge a project.
Regards,
Straightlight
Programmer / Opencart Tester
It is not a shared host.
I found out customer_ip table to have same ip on different customer_id
This shared ip is used by a global ISP, so I assume both customers use same internet provider.
Could this be a problem?
How session id is generated in opencart? Based on IP only?
I found out customer_ip table to have same ip on different customer_id
This shared ip is used by a global ISP, so I assume both customers use same internet provider.
Could this be a problem?
How session id is generated in opencart? Based on IP only?
Not even by IP. It is simply flagging guest if a sessionized guest super global variable has been defined by a developer for extension purposes which is why I'd still highly recommend to use my above method to protect your login form with HTML form posting method.badboy39 wrote:It is not a shared host.
I found out customer_ip table to have same ip on different customer_id
This shared ip is used by a global ISP, so I assume both customers use same internet provider.
Could this be a problem?
How session id is generated in opencart? Based on IP only?
Dedication and passion goes to those who are able to push and merge a project.
Regards,
Straightlight
Programmer / Opencart Tester
It seem your server does not accept passed references through PHP constructors. I have updated my package to match all servers requirements. Re-download the package and re-upload the system/library/csrf.php file and see if you now notice the token from the view source.
Note: Make sure to have uploaded all files from the package. There are only new files included.
Note: Make sure to have uploaded all files from the package. There are only new files included.
Dedication and passion goes to those who are able to push and merge a project.
Regards,
Straightlight
Programmer / Opencart Tester
Your new version still do not works.
Any how I've fixed it by myself.
The question is, will this module fix my problem? It seams different logins with same ip (eg. shared ip in a company network) is causing this problem:
User A login at PC1; user B login at PC2 => user A will see user B account.
Any how I've fixed it by myself.
The question is, will this module fix my problem? It seams different logins with same ip (eg. shared ip in a company network) is causing this problem:
User A login at PC1; user B login at PC2 => user A will see user B account.
If you believe this error is caused by IP conflict, simply contact your host since the topic you are currently subjecting about was session login and not duplicated IP issues. Sessionized activities should always be based on user accounts rather than guest sessions, in this case.
Dedication and passion goes to those who are able to push and merge a project.
Regards,
Straightlight
Programmer / Opencart Tester
Can someone explain me these settings at library/session.php:
ini_set('session.use_only_cookies', 'Off');
ini_set('session.use_cookies', 'On');
ini_set('session.use_trans_sid', 'Off');
ini_set('session.cookie_httponly', 'On');
and if I should change it somehow?
My problem was session_start() function generated same hash in different clients, even with different ip addresses.
How could this happen?
ini_set('session.use_only_cookies', 'Off');
ini_set('session.use_cookies', 'On');
ini_set('session.use_trans_sid', 'Off');
ini_set('session.cookie_httponly', 'On');
and if I should change it somehow?
My problem was session_start() function generated same hash in different clients, even with different ip addresses.
How could this happen?
It has only been seen in my experience long ago that the session_id() can be reproduced only based on a high level of traffic on a network or based on a bad libraries installation / configuration which, still, these days doesn't happen really much. However, session functions must be reported to your host on that side since this is not an opencart issue nor was it reported in the past regarding session conflicts generated by a PCI web server.
Dedication and passion goes to those who are able to push and merge a project.
Regards,
Straightlight
Programmer / Opencart Tester
Did you ever get around to resolving this?
I had the same issue more than a year back.
http://forum.opencart.com/viewtopic.php?f=20&t=139197
Try turning the page cache off, if there is any module which separately manages page cache on your OC install. You can enable image caching though, it has not impact.
Hosting has nothing to do with it, as long as your session data is being stored in a path specific to your hosting account(which is almost always the case). You can modify the session data storage path as well using the php.ini file.
I had the same issue more than a year back.
http://forum.opencart.com/viewtopic.php?f=20&t=139197
Try turning the page cache off, if there is any module which separately manages page cache on your OC install. You can enable image caching though, it has not impact.
Hosting has nothing to do with it, as long as your session data is being stored in a path specific to your hosting account(which is almost always the case). You can modify the session data storage path as well using the php.ini file.
I also encountered similar issue using a different platform. It was a login form by a known VPN service provider, I when I try to login, it auto fills the login form with username/password, so hitting the login button had logged me in to that account.
Similar thing happened to our OpenCart instances, as posted on this thread:
viewtopic.php?f=190&t=187578
Similar thing happened to our OpenCart instances, as posted on this thread:
viewtopic.php?f=190&t=187578
one of my client had this problem, solved by changing how session created
OPENCART MODULE :
Opencart Compare Link Link your compared product to forum/email
Frontend Link From Admin Dashboard Get link to product , category, manufacturer, information from admin backend.
Copy and DIRECTLY Edit Product the easy way.
Custom Product Sort Full control to product sorting options
Already Sold Product Module, shows total product sold
cmiiw, happend on high traffic site
OPENCART MODULE :
Opencart Compare Link Link your compared product to forum/email
Frontend Link From Admin Dashboard Get link to product , category, manufacturer, information from admin backend.
Copy and DIRECTLY Edit Product the easy way.
Custom Product Sort Full control to product sorting options
Already Sold Product Module, shows total product sold
As explained here: viewtopic.php?f=190&t=165170#p628394
Dedication and passion goes to those who are able to push and merge a project.
Regards,
Straightlight
Programmer / Opencart Tester
Who is online
Users browsing this forum: No registered users and 181 guests
