Post by cosmicx » Tue Sep 12, 2017 5:19 pm

Hi! We started using OpenCart since this year and currently using it live.

We have an OpenCart 2.3.0.2 instance running on Nginx (nginx/1.11.9), PHP 7.0.22. We are not sure if this is a bug, since there is no page/topic that discusses it. I was searching for "autofill login bug".

The issue reported to us by a customer (CLIENT B): he was able to log in to someone else's account because his browser auto-filled the login form using the details of CLIENT A.

So, after CLIENT B successfully logged in to CLIENT A's account, he added his shipping address and successfully created an order using his own PayPal account, through CLIENT A's account.

CLIENT A and CLIENT B don't know each other and are from separate places.

CLIENT A's account was approved manually from the Admin.

Our OpenCart setup:
- Newly signed customers are manually approved from the admin dashboard
- Login to see prices activated
- PayPal Express Checkout module activated
- Advertikon Stripe module

Up to this point, we have not been able to replicate the issue, but two incidents have already happened, as reported by our Store Admins.
Last edited by cosmicx on Tue Sep 12, 2017 5:36 pm, edited 1 time in total.

Active Member

Posts

Joined
Mon Jan 09, 2012 6:27 pm

Post by paulfeakins » Tue Sep 12, 2017 5:33 pm

Can I ask what theme you're using?

UK OpenCart Hosting | OpenCart Audits | OpenCart Support - please email info@antropy.co.uk


User avatar
Guru Member

Posts

Joined
Mon Aug 22, 2011 11:01 pm
Location - London Gatwick, United Kingdom

Post by cosmicx » Tue Sep 12, 2017 5:34 pm

Fastor Theme


Post by paulfeakins » Tue Sep 12, 2017 5:45 pm

I see.

We have seen this happen on one site, and they were using Journal, so it may not be related to the theme.

The code that deals with customer logins is here:

Code:

	public function index() {
		$this->load->model('account/customer');

		// Login override for admin users
		if (!empty($this->request->get['token'])) {
			$this->customer->logout();
			$this->cart->clear();

			unset($this->session->data['order_id']);
			unset($this->session->data['payment_address']);
			unset($this->session->data['payment_method']);
			unset($this->session->data['payment_methods']);
			unset($this->session->data['shipping_address']);
			unset($this->session->data['shipping_method']);
			unset($this->session->data['shipping_methods']);
			unset($this->session->data['comment']);
			unset($this->session->data['coupon']);
			unset($this->session->data['reward']);
			unset($this->session->data['voucher']);
			unset($this->session->data['vouchers']);

			$customer_info = $this->model_account_customer->getCustomerByToken($this->request->get['token']);

			if ($customer_info && $this->customer->login($customer_info['email'], '', true)) {
				// Default Addresses
				$this->load->model('account/address');

				if ($this->config->get('config_tax_customer') == 'payment') {
					$this->session->data['payment_address'] = $this->model_account_address->getAddress($this->customer->getAddressId());
				}

				if ($this->config->get('config_tax_customer') == 'shipping') {
					$this->session->data['shipping_address'] = $this->model_account_address->getAddress($this->customer->getAddressId());
				}

				$this->response->redirect($this->url->link('account/account', '', true));
			}
		}

		if ($this->customer->isLogged()) {
			$this->response->redirect($this->url->link('account/account', '', true));
		}

		$this->load->language('account/login');

		$this->document->setTitle($this->language->get('heading_title'));

		if (($this->request->server['REQUEST_METHOD'] == 'POST') && $this->validate()) {
			// Unset guest
			unset($this->session->data['guest']);

			// Default Shipping Address
			$this->load->model('account/address');

			if ($this->config->get('config_tax_customer') == 'payment') {
				$this->session->data['payment_address'] = $this->model_account_address->getAddress($this->customer->getAddressId());
			}

			if ($this->config->get('config_tax_customer') == 'shipping') {
				$this->session->data['shipping_address'] = $this->model_account_address->getAddress($this->customer->getAddressId());
			}

			// Wishlist
			if (isset($this->session->data['wishlist']) && is_array($this->session->data['wishlist'])) {
				$this->load->model('account/wishlist');

				foreach ($this->session->data['wishlist'] as $key => $product_id) {
					$this->model_account_wishlist->addWishlist($product_id);

					unset($this->session->data['wishlist'][$key]);
				}
			}

			// Add to activity log
			if ($this->config->get('config_customer_activity')) {
				$this->load->model('account/activity');

				$activity_data = array(
					'customer_id' => $this->customer->getId(),
					'name'        => $this->customer->getFirstName() . ' ' . $this->customer->getLastName()
				);

				$this->model_account_activity->addActivity('login', $activity_data);
			}

			// Added strpos check to pass McAfee PCI compliance test (http://forum.opencart.com/viewtopic.php?f=10&t=12043&p=151494#p151295)
			if (isset($this->request->post['redirect']) && $this->request->post['redirect'] != $this->url->link('account/logout', '', true) && (strpos($this->request->post['redirect'], $this->config->get('config_url')) !== false || strpos($this->request->post['redirect'], $this->config->get('config_ssl')) !== false)) {
				$this->response->redirect(str_replace('&amp;', '&', $this->request->post['redirect']));
			} else {
				$this->response->redirect($this->url->link('account/account', '', true));
			}
		}

		$data['breadcrumbs'] = array();

		$data['breadcrumbs'][] = array(
			'text' => $this->language->get('text_home'),
			'href' => $this->url->link('common/home')
		);

		$data['breadcrumbs'][] = array(
			'text' => $this->language->get('text_account'),
			'href' => $this->url->link('account/account', '', true)
		);

		$data['breadcrumbs'][] = array(
			'text' => $this->language->get('text_login'),
			'href' => $this->url->link('account/login', '', true)
		);

		$data['heading_title'] = $this->language->get('heading_title');

		$data['text_new_customer'] = $this->language->get('text_new_customer');
		$data['text_register'] = $this->language->get('text_register');
		$data['text_register_account'] = $this->language->get('text_register_account');
		$data['text_returning_customer'] = $this->language->get('text_returning_customer');
		$data['text_i_am_returning_customer'] = $this->language->get('text_i_am_returning_customer');
		$data['text_forgotten'] = $this->language->get('text_forgotten');

		$data['entry_email'] = $this->language->get('entry_email');
		$data['entry_password'] = $this->language->get('entry_password');

		$data['button_continue'] = $this->language->get('button_continue');
		$data['button_login'] = $this->language->get('button_login');

		if (isset($this->session->data['error'])) {
			$data['error_warning'] = $this->session->data['error'];

			unset($this->session->data['error']);
		} elseif (isset($this->error['warning'])) {
			$data['error_warning'] = $this->error['warning'];
		} else {
			$data['error_warning'] = '';
		}

		$data['action'] = $this->url->link('account/login', '', true);
		$data['register'] = $this->url->link('account/register', '', true);
		$data['forgotten'] = $this->url->link('account/forgotten', '', true);

		// Added strpos check to pass McAfee PCI compliance test (http://forum.opencart.com/viewtopic.php?f=10&t=12043&p=151494#p151295)
		if (isset($this->request->post['redirect']) && (strpos($this->request->post['redirect'], $this->config->get('config_url')) !== false || strpos($this->request->post['redirect'], $this->config->get('config_ssl')) !== false)) {
			$data['redirect'] = $this->request->post['redirect'];
		} elseif (isset($this->session->data['redirect'])) {
			$data['redirect'] = $this->session->data['redirect'];

			unset($this->session->data['redirect']);
		} else {
			$data['redirect'] = '';
		}

		if (isset($this->session->data['success'])) {
			$data['success'] = $this->session->data['success'];

			unset($this->session->data['success']);
		} else {
			$data['success'] = '';
		}

		if (isset($this->request->post['email'])) {
			$data['email'] = $this->request->post['email'];
		} else {
			$data['email'] = '';
		}

		if (isset($this->request->post['password'])) {
			$data['password'] = $this->request->post['password'];
		} else {
			$data['password'] = '';
		}

		$data['column_left'] = $this->load->controller('common/column_left');
		$data['column_right'] = $this->load->controller('common/column_right');
		$data['content_top'] = $this->load->controller('common/content_top');
		$data['content_bottom'] = $this->load->controller('common/content_bottom');
		$data['footer'] = $this->load->controller('common/footer');
		$data['header'] = $this->load->controller('common/header');

		$this->response->setOutput($this->load->view('account/login', $data));
	}
You can see that it's doing things with request and sessions and pre-populating the form fields, so it might be that sessions aren't being properly cleared or are somehow getting confused.

Where are you hosting the site? Where are the session files being stored? What's the session lifetime?


Post by cosmicx » Tue Sep 12, 2017 6:03 pm

Where are you hosting the site?
> It's a custom VPS running VestaCP

Where are the session files being stored?
> I'm not sure where to look for this. But I found the following block of text:

Code:

    # Cache settings
    proxy_cache_path /var/cache/nginx levels=2 keys_zone=cache:10m inactive=60m max_size=1024m;
    proxy_cache_key "$host$request_uri $cookie_user";
    proxy_temp_path  /var/cache/nginx/temp;
    proxy_ignore_headers Expires Cache-Control;
    proxy_cache_use_stale error timeout invalid_header http_502;
    proxy_cache_valid any 1d;

What's the session lifetime?
> Not sure, but I see 10m in "ssl_session_cache shared:SSL:10m;"

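The nginx directives quoted in the post above, modelled in Python as an added example (not code from the thread, OpenCart or nginx), to show what `proxy_cache_key "$host$request_uri $cookie_user"` together with `proxy_ignore_headers Expires Cache-Control` does once caching is enabled for a location: the key never includes the session cookie, so every visitor of a URL shares one cache slot, and the headers PHP emits to mark session pages uncacheable are dropped. Assumptions, not facts from the thread: the session cookie is named OCSESSID, the backend does not re-send it on every response (nginx refuses to cache a response carrying Set-Cookie unless that header is ignored as well), and the account page passes through a location with `proxy_cache` switched on, which the quoted snippet alone does not establish. Hosts, URIs and session ids are constructed.

```python
# Added example, not code from OpenCart, nginx or the forum: a small model of how
# nginx's proxy_cache handles the directives quoted above. Assumptions (labelled):
# the store's session cookie is called OCSESSID and PHP does not re-send it on
# every response. Hosts, URIs and session ids below are constructed.
import re
from dataclasses import dataclass, field


@dataclass
class Request:
    host: str
    request_uri: str
    cookies: dict


@dataclass
class Response:
    body: str
    headers: dict = field(default_factory=dict)


def render_cache_key(template, req):
    """Expand $host, $request_uri and $cookie_<name> as nginx does; a
    $cookie_ variable for a cookie the client did not send is the empty string."""
    def expand(match):
        var = match.group(1)
        if var == "host":
            return req.host
        if var == "request_uri":
            return req.request_uri
        if var.startswith("cookie_"):
            return req.cookies.get(var[len("cookie_"):], "")
        raise ValueError(f"${var} is not modelled here")
    return re.sub(r"\$([A-Za-z_][A-Za-z0-9_]*)", expand, template)


NO_CACHE_DIRECTIVES = {"private", "no-cache", "no-store", "max-age=0"}


def storable(resp, ignore_headers):
    """Simplified nginx rule: a Set-Cookie header stops caching unless ignored, and
    so does Cache-Control private/no-cache/no-store/max-age=0 unless ignored.
    With those ignored, 'proxy_cache_valid any 1d' makes every response storable."""
    if "Set-Cookie" in resp.headers and "Set-Cookie" not in ignore_headers:
        return False
    if "Cache-Control" not in ignore_headers:
        directives = {d.strip() for d in resp.headers.get("Cache-Control", "").split(",")}
        if directives & NO_CACHE_DIRECTIVES:
            return False
    return True


class ProxyCache:
    def __init__(self, key_template, ignore_headers):
        self.key_template = key_template
        self.ignore_headers = set(ignore_headers)
        self.store = {}

    def fetch(self, req, upstream):
        """Return (response, status) with status as $upstream_cache_status reports it."""
        key = render_cache_key(self.key_template, req)
        if key in self.store:
            return self.store[key], "HIT"
        resp = upstream(req)
        if storable(resp, self.ignore_headers):
            self.store[key] = resp
        return resp, "MISS"


SESSIONS = {"a1a1": "client_a@example.com", "b2b2": "client_b@example.com"}  # constructed


def opencart_like_upstream(req):
    """Stand-in for the PHP backend: the page depends on the session cookie and
    PHP's default session cache limiter marks the response uncacheable."""
    email = SESSIONS.get(req.cookies.get("OCSESSID"), "guest")
    return Response(f"My Account: {email}",
                    {"Cache-Control": "no-store, no-cache, must-revalidate",
                     "Expires": "Thu, 19 Nov 1981 08:52:00 GMT"})


def simulate(key_template, ignore_headers):
    """Client A loads the account page, then client B loads the same URL."""
    cache = ProxyCache(key_template, ignore_headers)
    uri = "/index.php?route=account/account"
    client_a = Request("shop.example", uri, {"OCSESSID": "a1a1"})
    client_b = Request("shop.example", uri, {"OCSESSID": "b2b2"})
    resp_a, _ = cache.fetch(client_a, opencart_like_upstream)
    resp_b, status_b = cache.fetch(client_b, opencart_like_upstream)
    return {"a_sees": resp_a.body, "b_sees": resp_b.body, "b_status": status_b,
            "same_key": render_cache_key(key_template, client_a)
                        == render_cache_key(key_template, client_b)}


# The directives as posted: key ignores the session cookie, PHP's headers ignored.
POSTED = simulate("$host$request_uri $cookie_user", {"Expires", "Cache-Control"})
# Same key, but PHP's Cache-Control honoured: nothing is stored.
HONOURED = simulate("$host$request_uri $cookie_user", set())
# Headers still ignored, but the key includes the session cookie.
KEYED = simulate("$host$request_uri $cookie_OCSESSID", {"Expires", "Cache-Control"})

if __name__ == "__main__":
    for name, result in (("posted", POSTED), ("honoured", HONOURED), ("keyed", KEYED)):
        print(name, result)
```

In the `POSTED` run client B receives client A's account page as a cache HIT; honouring PHP's Cache-Control or keying on the session cookie both stop that. On a live server the equivalent check is to add `add_header X-Cache-Status $upstream_cache_status;` to the proxied location and fetch the account page with two different session cookies: a HIT for the second means the key does not separate sessions. The usual remedies are to bypass the cache for any request that carries the session cookie (`proxy_cache_bypass $cookie_OCSESSID; proxy_no_cache $cookie_OCSESSID;`, with the cookie name the store really uses) and not to ignore Cache-Control in front of a PHP application.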

Post by paulfeakins » Tue Sep 12, 2017 6:06 pm

I'm not sure if the /temp path is where session files are stored in this case, but the info might be in php.ini.


Post by cosmicx » Tue Sep 12, 2017 6:28 pm

Maybe this...

Code:

/home/myuser/tmp

As indicated by "session.save_path". All files there start with

Code:

sess_


Post by paulfeakins » Tue Sep 12, 2017 6:34 pm

Yep, so that's where the session files are stored; it's important to make sure the directory and folder all have the correct permissions, owners and groups.

Other than that you could check the session timeout values in php.ini

If there's nothing obvious wrong there it might be worth adjusting some of the code I posted above to prevent it populating login forms.


Post by cosmicx » Tue Sep 12, 2017 6:46 pm

Might be this?

Code:

session.gc_maxlifetime	1440

Folder/file permissions are read/write only for the user.

Thank you so much for responding.

I don't know PHP, so I won't understand the code you've posted above.

I hope you could post more suggestions on how to fix it, or at least where to look.

I appreciate your help.


Post by paulfeakins » Tue Sep 12, 2017 7:40 pm

You can find that sometimes PHP, or Apache (or Nginx in your case), runs as a different user and sometimes struggles to write session files, so you might find that a session isn't being properly cleared and is somehow being transferred to another user.

I'd probably say that this can't happen if I hadn't seen it myself, but I have and it's very worrying for customers when it happens.

So the proper fix would be to sort out the sessions on your server and find out what exactly is going wrong - there are other posts in this forum about the same issue which would probably benefit from that answer.

A temporary fix might be to adjust the customer login so that it doesn't pre-populate data, and for that you'd probably be best posting in the Commercial Support forum for a paid developer to help.

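The checks suggested in the last few posts (who owns the session directory, whether the PHP worker can write to it, and whether gc_maxlifetime is actually removing old sess_ files), as an added Python example that is not OpenCart, VestaCP or forum code. It audits a session.save_path for the user PHP runs as; demo() builds a throwaway directory with one fresh and one stale session file so it runs offline. The path and user name given on the command line are whatever your server uses; nothing here is taken from the thread beyond the sess_ prefix and the 1440-second gc_maxlifetime.

```python
# Added example, not OpenCart or VestaCP code: audit a PHP session.save_path for
# the conditions discussed above (worker unable to write, files readable by other
# local users, sess_ files outliving gc_maxlifetime). The directory and files
# built in demo() are constructed for the example.
import grp
import os
import pwd
import shutil
import stat
import tempfile
import time


def resolve_user(name):
    """Map a Unix user name (the one PHP-FPM runs as) to (uid, set of gids)."""
    pw = pwd.getpwnam(name)
    gids = {pw.pw_gid} | {g.gr_gid for g in grp.getgrall() if name in g.gr_mem}
    return pw.pw_uid, gids


def can_write(st, uid, gids):
    """Classic Unix permission check against a stat result (root always may)."""
    mode = stat.S_IMODE(st.st_mode)
    if uid == 0:
        return True
    if st.st_uid == uid:
        return bool(mode & stat.S_IWUSR)
    if st.st_gid in gids:
        return bool(mode & stat.S_IWGRP)
    return bool(mode & stat.S_IWOTH)


def audit_session_dir(save_path, php_uid, php_gids=(), gc_maxlifetime=1440, now=None):
    """Report ownership, writability and stale/exposed sess_ files for save_path."""
    now = time.time() if now is None else now
    st = os.stat(save_path)
    mode = stat.S_IMODE(st.st_mode)
    try:
        owner = pwd.getpwuid(st.st_uid).pw_name
    except KeyError:
        owner = str(st.st_uid)
    sess_files = [f for f in os.listdir(save_path) if f.startswith("sess_")]
    stale, exposed = [], []
    for name in sess_files:
        fst = os.stat(os.path.join(save_path, name))
        if now - fst.st_mtime > gc_maxlifetime:
            stale.append(name)      # gc has not removed it; the session id still works
        if stat.S_IMODE(fst.st_mode) & stat.S_IROTH:
            exposed.append(name)    # any local user could read the session data
    return {
        "owner": owner,
        "mode": oct(mode),
        "owned_by_php_user": st.st_uid == php_uid,
        "php_user_can_write": can_write(st, php_uid, set(php_gids)),
        "dir_readable_by_others": bool(mode & stat.S_IROTH),
        "session_files": len(sess_files),
        "stale_files": sorted(stale),
        "world_readable_files": sorted(exposed),
    }


def demo():
    """Constructed save_path with one fresh and one stale session file, audited
    with the current user standing in for the PHP worker."""
    d = tempfile.mkdtemp(prefix="sess-demo-")
    try:
        os.chmod(d, 0o700)
        now = time.time()
        for name, age in (("sess_fresh1", 60), ("sess_stale1", 3 * 3600)):
            path = os.path.join(d, name)
            with open(path, "w"):
                pass
            os.chmod(path, 0o600)
            os.utime(path, (now - age, now - age))
        return audit_session_dir(d, os.getuid(), os.getgroups(), gc_maxlifetime=1440, now=now)
    finally:
        shutil.rmtree(d)


if __name__ == "__main__":
    import sys
    if len(sys.argv) == 3:  # usage: python audit.py /home/myuser/tmp <php-fpm user>
        uid, gids = resolve_user(sys.argv[2])
        print(audit_session_dir(sys.argv[1], uid, gids))
    else:
        print(demo())
```

Two findings matter for the symptom in this thread: `php_user_can_write` being false means the worker cannot create or refresh session files at all, and a non-empty `stale_files` list means garbage collection is not running (Debian-style PHP packages set session.gc_probability to 0 and rely on a cron job instead), so an old session stays usable on disk well past gc_maxlifetime.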

Post by cosmicx » Tue Sep 12, 2017 8:06 pm

Thank you!

One last question please, before I head over to the paid forum: how can we reproduce the issue? We tried, but are failing.


Post by paulfeakins » Tue Sep 12, 2017 9:31 pm

Thanks very much for the private message. Usually we do offer paid support, but I'm not sure we can quote on this one because it's so hard to replicate that it's very hard to know that it's fixed.

Here is someone else recently reporting the same issue:
viewtopic.php?f=190&t=186673


Post by cosmicx » Tue Sep 12, 2017 10:22 pm

Well, thank you.
Also for the link.


Post by paulfeakins » Fri Sep 15, 2017 6:37 pm

Seems this is a duplicate, so closing this thread; please comment further here:
viewtopic.php?f=190&t=186673


Post by zstergios » Mon May 18, 2020 9:44 pm

