We have an OpenCart 2.3.0.2 instance running on Nginx (nginx/1.11.9), PHP 7.0.22. We are not sure if this is a bug since there is no page/topic that discusses it. I was searching for "autofill login bug".
The issue reported to us by a customer (CLIENT B): he was able to log in to someone else's account because his browser auto-filled the login form using the details of CLIENT A.
So, after CLIENT B successfully logged in to CLIENT A's account, he added his shipping address and successfully created an order using his own PayPal account, through the use of CLIENT A's account.
CLIENT A and CLIENT B don't know each other and are from separate places.
CLIENT A's account was approved manually from the Admin.
Our OpenCart setup:
- Newly signed customers are manually approved from the admin dashboard
- Login to see prices activated
- PayPal Express Checkout module activated
- Advertikon Stripe module
Up to this point, we are not able to replicate the issue, but 2 incidents have already happened, as reported by our Store Admins.
UK OpenCart Hosting | OpenCart Audits | OpenCart Support - please email info@antropy.co.uk
We have seen this happen on one site, and they were using Journal, so it may not be related to the theme.
The code that deals with customer logins is here:
Code:
// catalog/controller/account/login.php (OpenCart 2.3.0.2), ControllerAccountLogin::index()
public function index() {
    $this->load->model('account/customer');

    // Login override for admin users
    if (!empty($this->request->get['token'])) {
        $this->customer->logout();
        $this->cart->clear();

        unset($this->session->data['order_id']);
        unset($this->session->data['payment_address']);
        unset($this->session->data['payment_method']);
        unset($this->session->data['payment_methods']);
        unset($this->session->data['shipping_address']);
        unset($this->session->data['shipping_method']);
        unset($this->session->data['shipping_methods']);
        unset($this->session->data['comment']);
        unset($this->session->data['coupon']);
        unset($this->session->data['reward']);
        unset($this->session->data['voucher']);
        unset($this->session->data['vouchers']);

        $customer_info = $this->model_account_customer->getCustomerByToken($this->request->get['token']);

        if ($customer_info && $this->customer->login($customer_info['email'], '', true)) {
            // Default Addresses
            $this->load->model('account/address');

            if ($this->config->get('config_tax_customer') == 'payment') {
                $this->session->data['payment_address'] = $this->model_account_address->getAddress($this->customer->getAddressId());
            }

            if ($this->config->get('config_tax_customer') == 'shipping') {
                $this->session->data['shipping_address'] = $this->model_account_address->getAddress($this->customer->getAddressId());
            }

            $this->response->redirect($this->url->link('account/account', '', true));
        }
    }

    if ($this->customer->isLogged()) {
        $this->response->redirect($this->url->link('account/account', '', true));
    }

    $this->load->language('account/login');

    $this->document->setTitle($this->language->get('heading_title'));

    if (($this->request->server['REQUEST_METHOD'] == 'POST') && $this->validate()) {
        // Unset guest
        unset($this->session->data['guest']);

        // Default Shipping Address
        $this->load->model('account/address');

        if ($this->config->get('config_tax_customer') == 'payment') {
            $this->session->data['payment_address'] = $this->model_account_address->getAddress($this->customer->getAddressId());
        }

        if ($this->config->get('config_tax_customer') == 'shipping') {
            $this->session->data['shipping_address'] = $this->model_account_address->getAddress($this->customer->getAddressId());
        }

        // Wishlist
        if (isset($this->session->data['wishlist']) && is_array($this->session->data['wishlist'])) {
            $this->load->model('account/wishlist');

            foreach ($this->session->data['wishlist'] as $key => $product_id) {
                $this->model_account_wishlist->addWishlist($product_id);

                unset($this->session->data['wishlist'][$key]);
            }
        }

        // Add to activity log
        if ($this->config->get('config_customer_activity')) {
            $this->load->model('account/activity');

            $activity_data = array(
                'customer_id' => $this->customer->getId(),
                'name'        => $this->customer->getFirstName() . ' ' . $this->customer->getLastName()
            );

            $this->model_account_activity->addActivity('login', $activity_data);
        }

        // Added strpos check to pass McAfee PCI compliance test (http://forum.opencart.com/viewtopic.php?f=10&t=12043&p=151494#p151295)
        if (isset($this->request->post['redirect']) && $this->request->post['redirect'] != $this->url->link('account/logout', '', true) && (strpos($this->request->post['redirect'], $this->config->get('config_url')) !== false || strpos($this->request->post['redirect'], $this->config->get('config_ssl')) !== false)) {
            // Decode the HTML-encoded ampersands in the stored redirect URL before redirecting
            $this->response->redirect(str_replace('&amp;', '&', $this->request->post['redirect']));
        } else {
            $this->response->redirect($this->url->link('account/account', '', true));
        }
    }

    $data['breadcrumbs'] = array();

    $data['breadcrumbs'][] = array(
        'text' => $this->language->get('text_home'),
        'href' => $this->url->link('common/home')
    );

    $data['breadcrumbs'][] = array(
        'text' => $this->language->get('text_account'),
        'href' => $this->url->link('account/account', '', true)
    );

    $data['breadcrumbs'][] = array(
        'text' => $this->language->get('text_login'),
        'href' => $this->url->link('account/login', '', true)
    );

    $data['heading_title'] = $this->language->get('heading_title');

    $data['text_new_customer'] = $this->language->get('text_new_customer');
    $data['text_register'] = $this->language->get('text_register');
    $data['text_register_account'] = $this->language->get('text_register_account');
    $data['text_returning_customer'] = $this->language->get('text_returning_customer');
    $data['text_i_am_returning_customer'] = $this->language->get('text_i_am_returning_customer');
    $data['text_forgotten'] = $this->language->get('text_forgotten');

    $data['entry_email'] = $this->language->get('entry_email');
    $data['entry_password'] = $this->language->get('entry_password');

    $data['button_continue'] = $this->language->get('button_continue');
    $data['button_login'] = $this->language->get('button_login');

    if (isset($this->session->data['error'])) {
        $data['error_warning'] = $this->session->data['error'];

        unset($this->session->data['error']);
    } elseif (isset($this->error['warning'])) {
        $data['error_warning'] = $this->error['warning'];
    } else {
        $data['error_warning'] = '';
    }

    $data['action'] = $this->url->link('account/login', '', true);
    $data['register'] = $this->url->link('account/register', '', true);
    $data['forgotten'] = $this->url->link('account/forgotten', '', true);

    // Added strpos check to pass McAfee PCI compliance test (http://forum.opencart.com/viewtopic.php?f=10&t=12043&p=151494#p151295)
    if (isset($this->request->post['redirect']) && (strpos($this->request->post['redirect'], $this->config->get('config_url')) !== false || strpos($this->request->post['redirect'], $this->config->get('config_ssl')) !== false)) {
        $data['redirect'] = $this->request->post['redirect'];
    } elseif (isset($this->session->data['redirect'])) {
        $data['redirect'] = $this->session->data['redirect'];

        unset($this->session->data['redirect']);
    } else {
        $data['redirect'] = '';
    }

    if (isset($this->session->data['success'])) {
        $data['success'] = $this->session->data['success'];

        unset($this->session->data['success']);
    } else {
        $data['success'] = '';
    }

    // The form is only pre-populated from the current POST (a failed login attempt), never from another session
    if (isset($this->request->post['email'])) {
        $data['email'] = $this->request->post['email'];
    } else {
        $data['email'] = '';
    }

    if (isset($this->request->post['password'])) {
        $data['password'] = $this->request->post['password'];
    } else {
        $data['password'] = '';
    }

    $data['column_left'] = $this->load->controller('common/column_left');
    $data['column_right'] = $this->load->controller('common/column_right');
    $data['content_top'] = $this->load->controller('common/content_top');
    $data['content_bottom'] = $this->load->controller('common/content_bottom');
    $data['footer'] = $this->load->controller('common/footer');
    $data['header'] = $this->load->controller('common/header');

    $this->response->setOutput($this->load->view('account/login', $data));
}
Where are you hosting the site? Where are the session files being stored? What's the session lifetime?
> It's a custom VPS running VestaCP
Where are the session files being stored?
> I'm not sure where to look for this. But I found the following block of text:
Code:
# Cache settings
proxy_cache_path /var/cache/nginx levels=2 keys_zone=cache:10m inactive=60m max_size=1024m;
proxy_cache_key "$host$request_uri $cookie_user";
proxy_temp_path /var/cache/nginx/temp;
proxy_ignore_headers Expires Cache-Control;
proxy_cache_use_stale error timeout invalid_header http_502;
proxy_cache_valid any 1d;
> Not sure, but I see 10m in "ssl_session_cache shared:SSL:10m;"
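The proxy cache block quoted above is the first thing a reviewer would look at when two customers end up seeing each other's pages: a shared nginx cache keyed only on host, URI and a cookie OpenCart never sets, with the application's Cache-Control/Expires headers ignored, can store a page rendered for one session and hand it to the next visitor. The thread never confirms that this is what happened, so the following is an added example (not code from the thread, from OpenCart or from antropy) that audits such a block for the settings which allow it, and runs the same check over a hardened version of the block. It assumes the stock OpenCart session cookie name OCSESSID (configurable, so adjust if your store renamed it); the hardened block inside it is a proposal of ours, not something posted in the thread.

```python
"""Audit an nginx proxy_cache block for settings that let one visitor's page
be served to another. Added example, not part of the thread or of OpenCart."""

# Assumption: the OpenCart session cookie is named OCSESSID (the stock default).
SESSION_COOKIE = "OCSESSID"

# Constructed sample 1: the block quoted in the thread, as posted.
WEAK_CONFIG = """
# Cache settings
proxy_cache_path /var/cache/nginx levels=2 keys_zone=cache:10m inactive=60m max_size=1024m;
proxy_cache_key "$host$request_uri $cookie_user";
proxy_temp_path /var/cache/nginx/temp;
proxy_ignore_headers Expires Cache-Control;
proxy_cache_use_stale error timeout invalid_header http_502;
proxy_cache_valid any 1d;
"""

# Constructed sample 2: our hardened version of the same block (a proposal).
HARDENED_CONFIG = """
proxy_cache_path /var/cache/nginx levels=2 keys_zone=cache:10m inactive=60m max_size=1024m;
proxy_cache_key "$scheme$host$request_uri";
proxy_temp_path /var/cache/nginx/temp;
# A request carrying a session cookie skips the cache, and nothing rendered
# for such a request is stored, so per-customer pages never enter it.
proxy_cache_bypass $cookie_OCSESSID;
proxy_no_cache $cookie_OCSESSID;
# No proxy_ignore_headers: Cache-Control/Expires from PHP are honoured.
proxy_cache_use_stale error timeout invalid_header http_502;
proxy_cache_valid 200 301 302 10m;
"""


def parse_directives(config_text):
    """Return [(name, args)] for the one-line directives used here.
    '#' comments are stripped; nested blocks are not needed for this check."""
    directives = []
    for raw in config_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        for stmt in line.split(";"):
            parts = stmt.strip().split(None, 1)
            if parts:
                directives.append((parts[0], parts[1] if len(parts) > 1 else ""))
    return directives


def audit_proxy_cache(config_text, session_cookie=SESSION_COOKIE):
    """Return a list of findings; an empty list means no cross-session risk found."""
    by_name = {}
    for name, args in parse_directives(config_text):
        by_name.setdefault(name, []).append(args)
    if "proxy_cache_path" not in by_name:
        return []  # no proxy cache defined in this block

    findings = []
    cookie_var = "$cookie_" + session_cookie
    key = " ".join(by_name.get("proxy_cache_key", []))
    bypass = " ".join(by_name.get("proxy_cache_bypass", []))
    no_cache = " ".join(by_name.get("proxy_no_cache", []))

    # 1. Does anything separate logged-in sessions from the shared cache?
    if cookie_var not in key:
        if cookie_var not in bypass:
            findings.append(f"{cookie_var} is in neither proxy_cache_key nor proxy_cache_bypass: "
                            "a visitor with a session can be served another visitor's cached page")
        if cookie_var not in no_cache:
            findings.append(f"{cookie_var} is not in proxy_no_cache: a page rendered for a "
                            "logged-in session can be stored and served to others")

    # 2. Can the application still opt a page out of the cache?
    for args in by_name.get("proxy_ignore_headers", []):
        ignored = set(args.split())
        if ignored & {"Cache-Control", "Expires"}:
            findings.append("proxy_ignore_headers drops Cache-Control/Expires: the application "
                            "cannot mark per-user pages uncacheable")
        if "Set-Cookie" in ignored:
            findings.append("proxy_ignore_headers drops Set-Cookie: responses that start a "
                            "session become cacheable")

    # 3. Is every status cached blindly?
    for args in by_name.get("proxy_cache_valid", []):
        if args.split()[:1] == ["any"]:
            findings.append("proxy_cache_valid any: every response, including error pages "
                            "and redirects, is cached")
    return findings


if __name__ == "__main__":
    for label, cfg in (("posted block", WEAK_CONFIG), ("hardened block", HARDENED_CONFIG)):
        print(f"{label}: {len(audit_proxy_cache(cfg))} finding(s)")
        for finding in audit_proxy_cache(cfg):
            print("  -", finding)
```

The posted block yields four findings and the hardened one none. The parser is deliberately minimal (flat directives, `#` comments), which is enough for a cache block like this one; if the cache is ruled out, the next place to look is the PHP session storage and lifetime discussed below.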
Code:
/home/myuser/tmp
All files there start with
Code:
sess_
Other than that you could check the session timeout values in php.ini
If there's nothing obvious wrong there it might be worth adjusting some of the code I posted above to prevent it populating login forms.
Code:
session.gc_maxlifetime 1440
Thank you so much for responding.
I don't know PHP so I won't understand the codes you've posted above.
I hope you could post more suggestions on how to fix it, or at least where to look.
I appreciate your help.
I'd probably say that this can't happen if I hadn't seen it myself, but I have and it's very worrying for customers when it happens.
So the proper fix would be to sort out the sessions on your server and find out what exactly is going wrong - there are other posts in this forum about the same issue which would probably benefit from that answer.
A temporary fix might be to adjust the customer login so that it doesn't pre-populate data, and for that you'd probably be best posting in the Commercial Support forum for a paid developer to help.
Here is someone else recently reporting the same issue:
viewtopic.php?f=190&t=186673