Post by cosmicx » Tue Sep 12, 2017 5:19 pm

Hi! We started using OpenCart since this year and currently using it live.

We have an OpenCart 2.3.0.2 instance running on Nginx (nginx/1.11.9), PHP 7.0.22. We are not sure if this is a bug since there is no page/topic that discuss about it. I was searching for "autofill login bug".

The issue reported to us by a customer (CLIENT B): He was able to login to someone else's account because his browser auto filled the login form
using the details of CLIENT A.

So, after CLIENT B successfully logged in to CLIENT A's account, he added his shipping address and he successfully created an order using his own PayPal account, through the use of CLIENT A's Account.

CLIENT A and CLIENT B don't know each other and are from separate places.

CLIENT A's account was approved manually from the Admin.

Our OpenCart setup:
- Newly signed customers are manually approved from the admin dashboard
- Login to see prices activated
- PayPal Express Checkout module activated
- Advertikon Stripe module

Up to this point, we are not able to replicate the issue, but there were 2 incidents already happened as reported by our Store Admins.
Last edited by cosmicx on Tue Sep 12, 2017 5:36 pm, edited 1 time in total.

New member

Posts

Joined
Mon Jan 09, 2012 6:27 pm

Post by paulfeakins » Tue Sep 12, 2017 5:33 pm

Can I ask what theme you're using?

For quick, professional OpenCart support please email info@antropy.co.uk


User avatar
Active Member

Posts

Joined
Mon Aug 22, 2011 11:01 pm
Location - Reigate, Surrey, United Kingdom

Post by cosmicx » Tue Sep 12, 2017 5:34 pm

Fastor Theme

New member

Posts

Joined
Mon Jan 09, 2012 6:27 pm

Post by paulfeakins » Tue Sep 12, 2017 5:45 pm

I see.

We have seen this happen on one site, and they were using Journal, so it may not be related to the theme.

The code that deals with customer logins is here:

Code: Select all

public function index() {
		$this->load->model('account/customer');

		// Login override for admin users
		if (!empty($this->request->get['token'])) {
			$this->customer->logout();
			$this->cart->clear();

			unset($this->session->data['order_id']);
			unset($this->session->data['payment_address']);
			unset($this->session->data['payment_method']);
			unset($this->session->data['payment_methods']);
			unset($this->session->data['shipping_address']);
			unset($this->session->data['shipping_method']);
			unset($this->session->data['shipping_methods']);
			unset($this->session->data['comment']);
			unset($this->session->data['coupon']);
			unset($this->session->data['reward']);
			unset($this->session->data['voucher']);
			unset($this->session->data['vouchers']);

			$customer_info = $this->model_account_customer->getCustomerByToken($this->request->get['token']);

			if ($customer_info && $this->customer->login($customer_info['email'], '', true)) {
				// Default Addresses
				$this->load->model('account/address');

				if ($this->config->get('config_tax_customer') == 'payment') {
					$this->session->data['payment_address'] = $this->model_account_address->getAddress($this->customer->getAddressId());
				}

				if ($this->config->get('config_tax_customer') == 'shipping') {
					$this->session->data['shipping_address'] = $this->model_account_address->getAddress($this->customer->getAddressId());
				}

				$this->response->redirect($this->url->link('account/account', '', true));
			}
		}

		if ($this->customer->isLogged()) {
			$this->response->redirect($this->url->link('account/account', '', true));
		}

		$this->load->language('account/login');

		$this->document->setTitle($this->language->get('heading_title'));

		if (($this->request->server['REQUEST_METHOD'] == 'POST') && $this->validate()) {
			// Unset guest
			unset($this->session->data['guest']);

			// Default Shipping Address
			$this->load->model('account/address');

			if ($this->config->get('config_tax_customer') == 'payment') {
				$this->session->data['payment_address'] = $this->model_account_address->getAddress($this->customer->getAddressId());
			}

			if ($this->config->get('config_tax_customer') == 'shipping') {
				$this->session->data['shipping_address'] = $this->model_account_address->getAddress($this->customer->getAddressId());
			}

			// Wishlist
			if (isset($this->session->data['wishlist']) && is_array($this->session->data['wishlist'])) {
				$this->load->model('account/wishlist');

				foreach ($this->session->data['wishlist'] as $key => $product_id) {
					$this->model_account_wishlist->addWishlist($product_id);

					unset($this->session->data['wishlist'][$key]);
				}
			}

			// Add to activity log
			if ($this->config->get('config_customer_activity')) {
				$this->load->model('account/activity');

				$activity_data = array(
					'customer_id' => $this->customer->getId(),
					'name'        => $this->customer->getFirstName() . ' ' . $this->customer->getLastName()
				);

				$this->model_account_activity->addActivity('login', $activity_data);
			}

			// Added strpos check to pass McAfee PCI compliance test (http://forum.opencart.com/viewtopic.php?f=10&t=12043&p=151494#p151295)
			if (isset($this->request->post['redirect']) && $this->request->post['redirect'] != $this->url->link('account/logout', '', true) && (strpos($this->request->post['redirect'], $this->config->get('config_url')) !== false || strpos($this->request->post['redirect'], $this->config->get('config_ssl')) !== false)) {
				$this->response->redirect(str_replace('&', '&', $this->request->post['redirect']));
			} else {
				$this->response->redirect($this->url->link('account/account', '', true));
			}
		}

		$data['breadcrumbs'] = array();

		$data['breadcrumbs'][] = array(
			'text' => $this->language->get('text_home'),
			'href' => $this->url->link('common/home')
		);

		$data['breadcrumbs'][] = array(
			'text' => $this->language->get('text_account'),
			'href' => $this->url->link('account/account', '', true)
		);

		$data['breadcrumbs'][] = array(
			'text' => $this->language->get('text_login'),
			'href' => $this->url->link('account/login', '', true)
		);

		$data['heading_title'] = $this->language->get('heading_title');

		$data['text_new_customer'] = $this->language->get('text_new_customer');
		$data['text_register'] = $this->language->get('text_register');
		$data['text_register_account'] = $this->language->get('text_register_account');
		$data['text_returning_customer'] = $this->language->get('text_returning_customer');
		$data['text_i_am_returning_customer'] = $this->language->get('text_i_am_returning_customer');
		$data['text_forgotten'] = $this->language->get('text_forgotten');

		$data['entry_email'] = $this->language->get('entry_email');
		$data['entry_password'] = $this->language->get('entry_password');

		$data['button_continue'] = $this->language->get('button_continue');
		$data['button_login'] = $this->language->get('button_login');

		if (isset($this->session->data['error'])) {
			$data['error_warning'] = $this->session->data['error'];

			unset($this->session->data['error']);
		} elseif (isset($this->error['warning'])) {
			$data['error_warning'] = $this->error['warning'];
		} else {
			$data['error_warning'] = '';
		}

		$data['action'] = $this->url->link('account/login', '', true);
		$data['register'] = $this->url->link('account/register', '', true);
		$data['forgotten'] = $this->url->link('account/forgotten', '', true);

		// Added strpos check to pass McAfee PCI compliance test (http://forum.opencart.com/viewtopic.php?f=10&t=12043&p=151494#p151295)
		if (isset($this->request->post['redirect']) && (strpos($this->request->post['redirect'], $this->config->get('config_url')) !== false || strpos($this->request->post['redirect'], $this->config->get('config_ssl')) !== false)) {
			$data['redirect'] = $this->request->post['redirect'];
		} elseif (isset($this->session->data['redirect'])) {
			$data['redirect'] = $this->session->data['redirect'];

			unset($this->session->data['redirect']);
		} else {
			$data['redirect'] = '';
		}

		if (isset($this->session->data['success'])) {
			$data['success'] = $this->session->data['success'];

			unset($this->session->data['success']);
		} else {
			$data['success'] = '';
		}

		if (isset($this->request->post['email'])) {
			$data['email'] = $this->request->post['email'];
		} else {
			$data['email'] = '';
		}

		if (isset($this->request->post['password'])) {
			$data['password'] = $this->request->post['password'];
		} else {
			$data['password'] = '';
		}

		$data['column_left'] = $this->load->controller('common/column_left');
		$data['column_right'] = $this->load->controller('common/column_right');
		$data['content_top'] = $this->load->controller('common/content_top');
		$data['content_bottom'] = $this->load->controller('common/content_bottom');
		$data['footer'] = $this->load->controller('common/footer');
		$data['header'] = $this->load->controller('common/header');

		$this->response->setOutput($this->load->view('account/login', $data));
	}
You can see that it's doing things with request and sessions and pre-populating the form fields, so it might be that sessions aren't being properly cleared or are somehow getting confused.

Where are you hosting the site? Where are the session files being stored? What's the session lifetime?

For quick, professional OpenCart support please email info@antropy.co.uk


User avatar
Active Member

Posts

Joined
Mon Aug 22, 2011 11:01 pm
Location - Reigate, Surrey, United Kingdom

Post by cosmicx » Tue Sep 12, 2017 6:03 pm

Where are you hosting the site?
> It's a custom VPS running VestaCP

Where are the session files being stored?
> I'm not sure where to look for this. But I find the following block of texts

Code: Select all

   # Cache settings
    proxy_cache_path /var/cache/nginx levels=2 keys_zone=cache:10m inactive=60m max_size=1024m;
    proxy_cache_key "$host$request_uri $cookie_user";
    proxy_temp_path  /var/cache/nginx/temp;
    proxy_ignore_headers Expires Cache-Control;
    proxy_cache_use_stale error timeout invalid_header http_502;
    proxy_cache_valid any 1d;
What's the session lifetime?
> Not sure, but I see 10m in "ssl_session_cache shared:SSL:10m;"

New member

Posts

Joined
Mon Jan 09, 2012 6:27 pm

Post by paulfeakins » Tue Sep 12, 2017 6:06 pm

I'm not sure if the /temp path is where session files are stored in this case but the info might be in php.ini

For quick, professional OpenCart support please email info@antropy.co.uk


User avatar
Active Member

Posts

Joined
Mon Aug 22, 2011 11:01 pm
Location - Reigate, Surrey, United Kingdom

Post by cosmicx » Tue Sep 12, 2017 6:28 pm

Maybe this...

Code: Select all

/home/myuser/tmp
As indicated by "session.save_path"
All files there starts with

Code: Select all

sess_

New member

Posts

Joined
Mon Jan 09, 2012 6:27 pm

Post by paulfeakins » Tue Sep 12, 2017 6:34 pm

Yep so that's where the session files are stored, it's important to make sure the directory and folder all have the correct permissions, owners and groups.

Other than that you could check the session timeout values in php.ini

If there's nothing obvious wrong there it might be worth adjusting some of the code I posted above to prevent it populating login forms.

For quick, professional OpenCart support please email info@antropy.co.uk


User avatar
Active Member

Posts

Joined
Mon Aug 22, 2011 11:01 pm
Location - Reigate, Surrey, United Kingdom

Post by cosmicx » Tue Sep 12, 2017 6:46 pm

Might be this?

Code: Select all

session.gc_maxlifetime	1440
For folder/file permission is as read/write only for the the user.

Thank you so much for responding.

I don't know PHP so I won't understand the codes you've posted above.

I hope you could post more suggestion on how to fix it or at least where to look at.

I appreciate your help.

New member

Posts

Joined
Mon Jan 09, 2012 6:27 pm

Post by paulfeakins » Tue Sep 12, 2017 7:40 pm

You can find that sometimes PHP or Apache or Nginx in your case runs as a different user and sometimes struggles to write session files so you might find that a session isn't being properly cleared and somehow being transferred to another user.

I'd probably say that this can't happen if I hadn't seen it myself, but I have and it's very worrying for customers when it happens.

So the proper fix would be to sort out the sessions on your server and find out what exactly is going wrong - there are other posts in this forum about the same issue which would probably benefit from that answer.

A temporary fix might be to adjust the customer login so that it doesn't pre-populate data, and for that you'd probably be best posting in the Commercial Support forum for a paid developer to help.

For quick, professional OpenCart support please email info@antropy.co.uk


User avatar
Active Member

Posts

Joined
Mon Aug 22, 2011 11:01 pm
Location - Reigate, Surrey, United Kingdom

Post by cosmicx » Tue Sep 12, 2017 8:06 pm

Thank you!

One last question please, before I head over to the paid forum - How can we reproduce issue? We tried, but failing.

New member

Posts

Joined
Mon Jan 09, 2012 6:27 pm

Post by paulfeakins » Tue Sep 12, 2017 9:31 pm

Thanks very much for the private message - usually we do offer paid support but I'm not sure we can quote on this one because it's so hard to replicate it's very hard to know that it's fixed.

Here is someone else recently reporting the same issue:
viewtopic.php?f=190&t=186673

For quick, professional OpenCart support please email info@antropy.co.uk


User avatar
Active Member

Posts

Joined
Mon Aug 22, 2011 11:01 pm
Location - Reigate, Surrey, United Kingdom

Post by cosmicx » Tue Sep 12, 2017 10:22 pm

Well, thank you.
Also for the link.

New member

Posts

Joined
Mon Jan 09, 2012 6:27 pm

Post by paulfeakins » Fri Sep 15, 2017 6:37 pm

Seems this is a duplicate of, so closing this thread, please comment further here:
viewtopic.php?f=190&t=186673

For quick, professional OpenCart support please email info@antropy.co.uk


User avatar
Active Member

Posts

Joined
Mon Aug 22, 2011 11:01 pm
Location - Reigate, Surrey, United Kingdom
Who is online

Users browsing this forum: thekrotek and 31 guests