I see others customers details at checkout 2.3.0.2 OC and Journal2 quick Checkout

Hello.
Some times when I m going to checkout I see some others customers details already filled the checkout fields.
I cant replicate the issue but when it happens I find it very serious .
I dont use any cache tool at my site , also using PHP 7.1 and I have Journal template 2.14.6 and activate Quick Checkout.
Any idea how this is happening ?!
Thanks

Something must have modified your model call. Have you touched the code? Try restoring the code to stock opencart if so. If not, start disabling stuff until you find the culprit. That data comes from the database, it's got to be grabbing the wrong stuff from somewhere. It shouldn't be too hard to figure out for a developer.

Hello.
Well I haven't touch the code of OC , I m using Journal2 theme which they have quick checkout but they are saying that's not theme related.
Of course I am using some extensions but my problem is that I cant replicate the issue, it happens some times , is there is a way when it happens that time to make a debug somehow ?!
Thanks

We've had reports of this on Journal2 but have been unable to replicate and unable to find the cause so far.

Hello.
Thanks for the replies guys.
I found it serious problem if you ask me .
Can I ask please, now with my Firefox every time I m going to checkout I see the required fields the quick checkout needs filled with a customers details , if I will clean the cache of Firefox those fields will be cleaned, so I am asking if I can do something now which I m facing that .
Thanks

Update:
I have disable Journal2 theme and still face the problem with Default Opencart checkout, in Guest Checkout I see more fields filled from the Regist choice.
So its Opencart problem!
From Journal support: " ...even though this surely has nothing to do with our theme. Order id is saved into session and sessions are not handled by us, if there are any problems with php sessions, then this surely is something related to your server setup or Opencart. "

Thanks

I could be an issue with how sessions and set up on your server. Do you have more than 1 OpenCart install on the same server?

Have you also tried clearing your browser cookies?

Hello thanks for replying BUT even if I have 10 opencarts installation at the server , even if I m not clearing my cookies , is it logical to going to login and suddenly I see that I m logged in with a customer account which I have never use his account or know him somehow ?!
I found it pretty serious and dont know how to debug it or replicate it . It happens some times in random times .
Thanks

You said in one of your previous posts mentioned you had the issue on guest checkout. If you did not try to login on the front end or login as a one of your customers from the admin. Then I would say, as the customer's details are not taken from the database, it's most likely that you are somehow getting another customer's session.

If you are logging in as a customer and seeing another customer's details on login then I don't think this would be a session problem. It's more likely to be a database or code problem. You could check your database for errors.

Some topics on similar issues.

Seems to have been caused by a page caching extension.
http://forum.opencart.com/viewtopic.php?f=20&t=139197

Seems to have been an issue with sessions not being unique. It also mentions CSRF, however this would only be an issue if you have clicked a malicious link.
viewtopic.php?t=165170#p628372

Hello .
Thanks for replying.
I dont have any error with the db also no error logs at my site.
Probably is that you re saying: ... it's most likely that you are somehow getting another customer's session....
I have asked my Siteground hosting company and they told me that they are not having any cache system running and keep sessions .
ALso I m not using any cache extension .

PS. I have read at the posts you send me (and thanks for that) that the problem not get resolved.
Thanks

One thing you could check when it happens again is to use your web browser's inspect windows to have a look at your cookies. Check that the default and PHPSESSID cookies values are set to something random. You could also try deleting them and refreshing the page and see what happens to the values.

There's another report of the same thing here:
viewtopic.php?f=190&t=187578&sid=fcb4a4 ... fa32023471

And we have seen this happen, but as the OP says, it's very hard to replicate.

Interesting that both reports are using PHP 7, although that could be just a coincidence.

Might be worth checking your PHP session settings. There are some recommended values here. http://php.net/manual/en/session.security.ini.php

I suspected the issue was Journal, but then the one I've linked to doesn't use Journal.

The case we saw did also use PHP7, but that could be a co-incidence.

We have encountered two similar issues.

Scene 1:

Similar issue involving loging a user via Admin Dashboard, but it goes this way:

- We have two instance of OpenCart, 1 in the root domain (OC-A), the other is in a sub-folder (OC-B).
- When loging-in a user via the Admin of root domain (OC-A), then going to the OC-B - you'll get automatically logged in to a user account.


Scene 2:

The issue was originally posted here:
viewtopic.php?f=190&t=187578

Similar to iplocker's issue, where a user automatically logged in when going to account or checkout page. Or, the login form gets auto filled with user/pass details from another random account.

The issue we're having is similar with badboy39's issue, which you can read on this thread:
viewtopic.php?t=165170#p628372

-----------------------
IN ADDITION:
-----------------------
To add to the details posted on my original thread, please see below:
- Two OpenCart Instance under one domain
- 1 OC instance in root and 1 OC instance in sub-folder
- Site is self-hosted in a VPS running VESTACP using PHP7, Apache2 and Nginx as rproxy.
- Two instances of OpenCart in one domain. 1 in root and 1 in sub-folder.

Any ideas how to troubleshoot the issue, if this is an OpenCart issue, then I may just upgrade to the latest version, since our version is way 2.3.0.2. That might fixed it yeah?

If it may be a server issue, then maybe we'll change to a managed VPS instead.

Please let us know where to look, if you suspect server issue, then please let me know where to look for logs or configs.

I also encountered similar issue using a different platform. It was a login form by a known VPN service provider, I when I try to login, it auto fills the login form with username/password, so hitting the login button had logged me in to that account.

Very similar to my issue which has been posted on this thread:
viewtopic.php?f=190&t=187578

As the password from the login page is only set from a post value. See https://github.com/opencart/opencart/bl ... #L169-L173

It maybe cause by some sort of caching. Are you using any sort of caching extension? Are you able to disable Nginx and just use Apache to test if that's causing the issue?

@ADD Creative

Thanks for the tip. Will work on that using a dev instance.

I am not using any caching plugin, but AFAIK, the NGINX is running as a caching proxy.

...and regarding this:

It maybe cause by some sort of caching. Are you using any sort of caching extension? Are you able to disable Nginx and just use Apache to test if that's causing the issue?

It's hard to tell if the issue is caused by the caching, It's hard to replicate the issue.

We have two version of the issue:
- Version 1: Clients gets randomly logged in to another account. Some client reports that they encounter this during checkout, some reported that when going to the login page, the login form is already populated (auto-filled) with login details from random user accounts.

- Version 2: We have 2 instances of OpenCart, 1 in root and 1 in sub folder. When I go to the root's admin dashboard and log in a customer from there, then going to the sub-folder instance - I'm auto already auto logged in to another user account that I don't own. I can replicate this issue without a miss.

Both could be caused by incorrectly configured caching.

1. If the response from a POST is being incorrectly cached.

2. If the Set-Cookie header is being incorrectly cached.

I've seen similar issue with a forum user yesterday while making some tests on his server. Earlier this year, there was a topic report on the forum which web hosting may filter their POST methods by strict query strings. For instance, an OC admin user would be able to create and edit their products. Although, they would not be able to save their settings.

Cause: catalog/product/add (or edit) and setting/setting

In this case, setting/setting won't be accepted since it does not route to a query string since there are web hosting services believing it could cause XSS vulnerabilities pointing to a direct file without knowing the query string on the posted form restricted from the form action being sent.