Post by haydent » Fri Jun 07, 2024 5:23 am

This applies to anyone running multiple store fronts with different domains (under 1 admin/multi-store) and using the 'login as customer' admin feature.
From my research, trying to use this feature for any store (other than the primary store) does not work in all opencart versions including master.
This is due to browser cookie behavior, and the default cookie "Same-site" setting of "Strict", which is appropriate and regarded as necessary for auth purposes.
The problem will arise if users think they have to change this setting to "Lax" to get this feature to work, as doing so will 'fix/hide' the issue, allowing login from admin to work.
But this is just masking the problem at the cost of security.
The reason login doesn't work with strict is that the admin is running on (store 0) and you click to login to a customer account on store 1. The OC processes for logging in on the front end are a series of approx. 3 controller calls that all redirect to each other on completion in a chain, starting with an admin function on domain1 and ending in front end account functions in domain2.
HTTP redirects don't change cookies at each step, so you only have the one that you start with at the start of the chain, which in this case is restricted to domain1 due to the appropriate strict setting. But this does then not apply to domain2, and so the new login setup is lost.
One way to fix this is to break the chain after switching domains and start it again. This can simply be done by using javascript redirection to get cookies going again on the new domain; this js code (window.location) can simply be returned to the browser as output at the end of the controller function instead of a header redirect.

I made a github issue and pull request about this issue, only trying to help, yet both were closed/rejected with no feedback or comments from Daniel Kerr, the lead dev. This is a common practice for him, so I wasn't surprised, but it is disappointing, considering this is a problem that affects security and all versions.

The redirect chain is generally: customer/customer|login (admin) > account/login|token (front) > account/account (front)
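To make the cookie behaviour described above concrete, here is a small simulation (added example, not code from the post or from OpenCart) of how a browser decides whether a SameSite cookie is attached to each hop of a top-level navigation. It assumes the simplified rule that a Strict cookie is only sent when the site that initiated the navigation is the same as the request host, while a Lax cookie is sent on any top-level GET; the host names and the cookie name/value are constructed. It shows that the header-redirect chain loses the session with Strict, that Lax only papers over it, and that ending the chain and re-navigating from the new domain (the window.location approach) keeps Strict working.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass
class Cookie:
    name: str
    value: str
    same_site: str  # "Strict" or "Lax"

@dataclass
class Hop:
    host: str                            # host of this request in the chain
    set_cookie: Optional[Cookie] = None  # cookie the response sets, if any

class BrowserSim:
    """Simplified SameSite model for top-level GET navigations (assumption, see lead-in)."""
    def __init__(self):
        self.jar: dict[str, dict[str, Cookie]] = {}

    def cookies_sent(self, host: str, initiator: str) -> dict[str, str]:
        # Lax: sent on any top-level navigation; Strict: only if the initiating site is this host.
        return {c.name: c.value for c in self.jar.get(host, {}).values()
                if c.same_site == "Lax" or initiator == host}

    def navigate(self, hops: list, initiator: str) -> list:
        """Follow a header-redirect chain; every hop keeps the initiator of the first request."""
        trace = []
        for hop in hops:
            trace.append((hop.host, self.cookies_sent(hop.host, initiator)))
            if hop.set_cookie:  # responses may still set cookies cross-site
                self.jar.setdefault(hop.host, {})[hop.set_cookie.name] = hop.set_cookie
        return trace

ADMIN, STORE1 = "store0.example", "store1.example"  # constructed hosts (store 0 admin, store 1 front)

def login_as_customer(same_site: str, break_chain: bool) -> bool:
    """True if the final account page (on STORE1) receives the customer session cookie."""
    b = BrowserSim()
    session = Cookie("SESSION", "constructed-value", same_site)
    # customer/customer|login (admin, store 0) -> account/login|token (front, store 1, sets session)
    chain = [Hop(ADMIN), Hop(STORE1, set_cookie=session)]
    if not break_chain:
        chain.append(Hop(STORE1))            # -> account/account via a third header redirect
        trace = b.navigate(chain, initiator=ADMIN)
    else:
        b.navigate(chain, initiator=ADMIN)   # chain ends here; page on STORE1 runs window.location
        trace = b.navigate([Hop(STORE1)], initiator=STORE1)  # fresh same-site navigation
    return "SESSION" in trace[-1][1]
```

Running `login_as_customer("Strict", False)` reproduces the broken login, `("Lax", False)` the weakened workaround, and `("Strict", True)` the chain-break fix.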

