I got a complaint from a customer of my webshop who was logged in with another user account. The session variable was set with another user ID. But the customers do not know each other, and they also don't know each other's passwords.
How could this happen?
Did any of you face the same issue?
Norman in 't Veldt
Moderator OpenCart Forums
I would highly recommend downloading the CSRF protection form extension: http://www.opencart.com/index.php?route ... on_id=4773 . Download the v2.0x edition.
Then, in your catalog/controller/account/login.php file,
find:

    $data['action'] = $this->url->link('account/login', '', true);

    $this->load->model('tool/csrf');
    $data['csrf_form_input'] = $this->model_tool_csrf->getCsrfHiddenInput();

find:

    <form

    <?php echo $csrf_form_input; ?>

As to addressing the complaint from the customers, inform them to change their account password on a regular basis to ensure their account privacy and safety.
Dedication and passion goes to those who are able to push and merge a project.
Regards,
Straightlight
Programmer / Opencart Tester
I found the customer_ip table to have the same IP on different customer_ids.
This shared IP is used by a global ISP, so I assume both customers use the same internet provider.
Could this be a problem?
How is the session ID generated in OpenCart? Based on IP only?
badboy39 wrote:
> It is not a shared host.
> I found the customer_ip table to have the same IP on different customer_ids.
> This shared IP is used by a global ISP, so I assume both customers use the same internet provider.
> Could this be a problem?
> How is the session ID generated in OpenCart? Based on IP only?

Not even by IP. It is simply flagging guest if a sessionized guest super global variable has been defined by a developer for extension purposes, which is why I'd still highly recommend using my above method to protect your login form with the HTML form posting method.
Note: Make sure to have uploaded all files from the package. There are only new files included.
Anyhow, I've fixed it by myself.
The question is, will this module fix my problem? It seems different logins with the same IP (e.g. a shared IP in a company network) are causing this problem:
User A logs in at PC1; user B logs in at PC2 => user A will see user B's account.
ini_set('session.use_only_cookies', 'Off');
ini_set('session.use_cookies', 'On');
ini_set('session.use_trans_sid', 'Off');
ini_set('session.cookie_httponly', 'On');
and if I should change it somehow?
My problem was that the session_start() function generated the same hash in different clients, even with different IP addresses.
How could this happen?
I had the same issue more than a year back.
http://forum.opencart.com/viewtopic.php?f=20&t=139197
Try turning the page cache off, if there is any module which separately manages the page cache on your OC install. You can enable image caching though; it has no impact.
Hosting has nothing to do with it, as long as your session data is being stored in a path specific to your hosting account (which is almost always the case). You can modify the session data storage path as well using the php.ini file.
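A way to confirm from the web server logs whether one session ID is really being handed to several customers (the symptom described in this thread), as an added example that is not from the thread or from OpenCart. It assumes a custom access-log format that appends the OCSESSID cookie value to each line; the log lines are constructed. Keying on (IP, User-Agent) rather than IP alone means two customers behind one ISP or office NAT still show up as distinct clients.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample lines: combined-log-like, with the session cookie value
# appended (assumed custom LogFormat, not OpenCart's own output).
SAMPLE_LOG = """\
203.0.113.10 - - [10/Oct/2023:10:00:01 +0000] "GET /index.php?route=account/account HTTP/1.1" 200 "Mozilla/5.0 (Windows NT 10.0)" OCSESSID=a1b2c3
203.0.113.10 - - [10/Oct/2023:10:00:05 +0000] "GET /index.php?route=checkout/cart HTTP/1.1" 200 "Mozilla/5.0 (Windows NT 10.0)" OCSESSID=a1b2c3
198.51.100.7 - - [10/Oct/2023:10:02:30 +0000] "GET /index.php?route=account/account HTTP/1.1" 200 "Mozilla/5.0 (X11; Linux x86_64)" OCSESSID=a1b2c3
192.0.2.44 - - [10/Oct/2023:10:03:00 +0000] "GET /index.php?route=common/home HTTP/1.1" 200 "Mozilla/5.0 (Macintosh)" OCSESSID=d4e5f6
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3}) '
    r'"(?P<ua>[^"]*)" OCSESSID=(?P<sid>\S+)$'
)

def parse_line(line):
    """Parse one log line into a dict, or None if it does not match the format."""
    m = LINE_RE.match(line)
    if not m:
        return None
    d = m.groupdict()
    d["ts"] = datetime.strptime(d["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return d

def shared_sessions(log_text, window_minutes=30):
    """Return {sid: sorted [(ip, ua), ...]} for session IDs first seen from two or
    more distinct clients within window_minutes of each other."""
    clients = defaultdict(dict)  # sid -> {(ip, ua): first time seen}
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        clients[rec["sid"]].setdefault((rec["ip"], rec["ua"]), rec["ts"])
    suspicious = {}
    for sid, seen in clients.items():
        if len(seen) < 2:
            continue
        times = sorted(seen.values())
        if (times[-1] - times[0]).total_seconds() / 60 <= window_minutes:
            suspicious[sid] = sorted(seen)
    return suspicious

if __name__ == "__main__":
    for sid, who in shared_sessions(SAMPLE_LOG).items():
        print(sid, who)
```

A hit is a lead, not proof: one customer using two browsers within the window looks the same, so check the reported session IDs against the customer_id values stored in those sessions before concluding the cache is replaying cookies.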
Similar thing happened to our OpenCart instances, as posted on this thread:
viewtopic.php?f=190&t=187578
OPENCART MODULE :
Opencart Compare Link Link your compared product to forum/email
Frontend Link From Admin Dashboard Get link to product , category, manufacturer, information from admin backend.
Copy and DIRECTLY Edit Product the easy way.
Custom Product Sort Full control to product sorting options
Already Sold Product Module, shows total product sold
CMIIW, this happened on a high-traffic site.
As explained here: viewtopic.php?f=190&t=165170#p628394