session login

Posted: Tue Jul 12, 2016 7:51 pm
by badboy39
Hi

I got a complaint from a customer of my webshop who was logged in with another user's account. The session variable was set with another user id. But the customers do not know each other, nor do they know each other's passwords.

How could this happen?

Did any of you face the same issue?

Re: session login

Posted: Tue Jul 12, 2016 8:23 pm
by i2Paq
Shared server/hosting?

Re: session login

Posted: Tue Jul 12, 2016 9:14 pm
by straightlight
This lack of security measures can attract CSRF attackers into taking over other sessions while using unprotected web forms, including the login form, on low-quality shared web hosting services.

I would highly recommend downloading the CSRF protection form extension: http://www.opencart.com/index.php?route ... on_id=4773 . Download the v2.0x edition.

Then, in your catalog/controller/account/login.php file,

find:

$data['action'] = $this->url->link('account/login', '', true);
add above:

$this->load->model('tool/csrf');

$data['csrf_form_input'] = $this->model_tool_csrf->getCsrfHiddenInput();
In your catalog/view/theme/<your_theme>/template/account/login.html file,

find:

<form
add on the very next line:

<?php echo $csrf_form_input; ?>
This will protect and tokenize each individual customer by logging them into their account safely without session overrides.

As for addressing the customers' complaint, inform them to change their account password on a regular basis to ensure their account privacy and safety.
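The mechanism the steps above wire into the login form, shown as an added example in plain PHP. This is not the extension's own code and not OpenCart's: the function names (csrf_token, csrf_hidden_input, csrf_valid) and the field name csrf_token are assumptions for illustration. It assumes a PHP session is available to the script.

```php
<?php
// Added example (not the extension's code): a per-session CSRF token for a login form.
// Function names and the hidden field name are hypothetical choices for this example.

declare(strict_types=1);

// Return the token bound to the current session, creating it on first use.
function csrf_token(): string
{
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }
    if (empty($_SESSION['csrf_token'])) {
        // 32 bytes from the CSPRNG, hex-encoded: unguessable by another origin.
        $_SESSION['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['csrf_token'];
}

// The hidden input to print on the line right after the <form> tag.
function csrf_hidden_input(): string
{
    return '<input type="hidden" name="csrf_token" value="'
        . htmlspecialchars(csrf_token(), ENT_QUOTES, 'UTF-8') . '">';
}

// Verify a submitted token in constant time; reject missing or mismatched values.
function csrf_valid(array $post): bool
{
    $submitted = $post['csrf_token'] ?? '';
    if (!is_string($submitted) || $submitted === '' || empty($_SESSION['csrf_token'])) {
        return false;
    }
    return hash_equals($_SESSION['csrf_token'], $submitted);
}

// Usage in a login controller: print the field on GET, check it before credentials on POST.
if (($_SERVER['REQUEST_METHOD'] ?? 'GET') === 'POST') {
    if (!csrf_valid($_POST)) {
        http_response_code(403);
        exit('Invalid form token');
    }
    // ... credential check goes here ...
} else {
    echo '<form method="post" action="/index.php?route=account/login">'
        . csrf_hidden_input()
        . '<!-- e-mail and password fields --></form>';
}
```

The token is compared with hash_equals rather than `==` so that a mismatch cannot be probed character by character through timing, and it is tied to the server-side session, which is what makes a forged cross-site POST fail: the attacker's page cannot read the victim's session to learn the value.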

Re: session login

Posted: Tue Jul 12, 2016 10:10 pm
by badboy39
It is not a shared host.

I found out the customer_ip table has the same IP on different customer_ids.

This shared IP is used by a global ISP, so I assume both customers use the same internet provider.

Could this be a problem?

How is the session id generated in OpenCart? Based on IP only?

Re: session login

Posted: Tue Jul 12, 2016 10:15 pm
by straightlight
badboy39 wrote: It is not a shared host.

I found out the customer_ip table has the same IP on different customer_ids.

This shared IP is used by a global ISP, so I assume both customers use the same internet provider.

Could this be a problem?

How is the session id generated in OpenCart? Based on IP only?
Not even by IP. It simply flags a guest if a sessionized guest superglobal variable has been defined by a developer for extension purposes, which is why I'd still highly recommend using my above method to protect your login form with the HTML form POST method.

Re: session login

Posted: Tue Jul 12, 2016 10:39 pm
by badboy39
I'm getting errors:

Notice: Trying to get property of non-object in system\library\csrf.php on line 58

Notice: Indirect modification of overloaded property Csrf::$session has no effect in system\library\csrf.php on line 51

Re: session login

Posted: Tue Jul 12, 2016 10:56 pm
by straightlight
It seems your server does not accept passed references through PHP constructors. I have updated my package to match all server requirements. Re-download the package and re-upload the system/library/csrf.php file and see if you now notice the token in the view source.

Note: Make sure to have uploaded all files from the package. Only new files are included.

Re: session login

Posted: Tue Jul 12, 2016 11:15 pm
by badboy39
Your new version still does not work.

Anyhow, I've fixed it by myself.

The question is, will this module fix my problem? It seems different logins with the same IP (e.g. a shared IP in a company network) are causing this problem:

User A logs in at PC1; user B logs in at PC2 => user A will see user B's account.

Re: session login

Posted: Tue Jul 12, 2016 11:19 pm
by straightlight
If you believe this error is caused by an IP conflict, simply contact your host, since the topic you are currently discussing was session login and not duplicated IP issues. Sessionized activities should always be based on user accounts rather than guest sessions, in this case.

Re: session login

Posted: Wed Jul 13, 2016 12:13 am
by badboy39
Can someone explain to me these settings in library/session.php:

ini_set('session.use_only_cookies', 'Off');
ini_set('session.use_cookies', 'On');
ini_set('session.use_trans_sid', 'Off');
ini_set('session.cookie_httponly', 'On');

and whether I should change them somehow?

My problem was that the session_start() function generated the same hash on different clients, even with different IP addresses.

How could this happen?
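For reference, here is an added example (not OpenCart's system/library/session.php, nor any poster's code) of what those four ini settings control, alongside the neighbouring PHP session options a hardened setup usually sets, and of regenerating the session ID when a customer logs in so that a pre-login ID is never carried into an authenticated session. The function names configure_session, login_session and session_is_consistent, and the $_SESSION keys used, are assumptions for this example.

```php
<?php
// Added example, not OpenCart's session library: hardened PHP session settings plus
// ID regeneration on login. Function names and $_SESSION keys are hypothetical.

declare(strict_types=1);

// Apply cookie-only, strict-mode settings; must run before session_start().
function configure_session(bool $https): void
{
    ini_set('session.use_only_cookies', '1');     // never accept an ID from the query string
    ini_set('session.use_cookies', '1');          // carry the ID in a cookie
    ini_set('session.use_trans_sid', '0');        // never rewrite links to embed the ID
    ini_set('session.cookie_httponly', '1');      // hide the cookie from JavaScript
    ini_set('session.use_strict_mode', '1');      // reject IDs the server did not issue
    ini_set('session.cookie_secure', $https ? '1' : '0');
    ini_set('session.cookie_samesite', 'Lax');    // PHP >= 7.3
    ini_set('session.sid_length', '48');          // PHP >= 7.1: longer IDs, lower collision odds
    ini_set('session.sid_bits_per_character', '6');
}

// After a successful credential check: issue a fresh ID and bind it to the customer.
function login_session(int $customerId, string $userAgent): void
{
    session_regenerate_id(true);                  // discard the pre-login ID
    $_SESSION['customer_id'] = $customerId;
    $_SESSION['ua_hash']     = hash('sha256', $userAgent);
    $_SESSION['login_time']  = time();
}

// On each request: does the session still look like the client it was issued to?
function session_is_consistent(array $session, string $userAgent): bool
{
    return isset($session['customer_id'], $session['ua_hash'])
        && hash_equals($session['ua_hash'], hash('sha256', $userAgent));
}

// Usage at the top of a request.
configure_session(!empty($_SERVER['HTTPS']));
session_start();
$ua = $_SERVER['HTTP_USER_AGENT'] ?? '';
if (isset($_SESSION['customer_id']) && !session_is_consistent($_SESSION, $ua)) {
    // The session claims a login but no longer matches the client: drop it.
    session_unset();
    session_destroy();
}
```

Note that none of these settings binds a session to an IP address, so two customers behind one ISP address are not affected by them; what they do is stop an ID from being accepted from a URL, from being planted by a third party (strict mode), or from surviving from before login into the authenticated session.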

Re: session login

Posted: Wed Jul 13, 2016 12:17 am
by straightlight
In my experience, long ago, it has only been seen that session_id() can be reproduced based on a high level of traffic on a network or on a bad library installation/configuration, which, still, these days doesn't really happen much. However, session functions must be reported to your host on that side, since this is not an OpenCart issue, nor was it reported in the past regarding session conflicts generated by a PCI web server.
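Whatever the cause, the symptom the thread describes (one session ID seen with two customer_ids or from two clients) is easy to check for in the shop's own logs before blaming the host. The following added example, not from the thread or from OpenCart, reads constructed log lines of the form `sid=... ip=... customer_id=...` and reports every session ID observed with more than one customer or more than one IP. The log format and the function names are assumptions; adapt the regular expression to your real access or application log.

```php
<?php
// Added example, not part of the thread: flag session IDs shared across customers or
// client IPs. The log lines below are constructed for this example.

declare(strict_types=1);

const SAMPLE_LOG = <<<'LOG'
2016-07-12 19:40:01 sid=3f1c9a7e ip=203.0.113.10 customer_id=1042 action=login
2016-07-12 19:41:17 sid=3f1c9a7e ip=203.0.113.10 customer_id=1042 action=view_cart
2016-07-12 19:42:05 sid=b88d02c4 ip=198.51.100.7 customer_id=2210 action=login
2016-07-12 19:43:30 sid=3f1c9a7e ip=198.51.100.7 customer_id=2210 action=view_cart
2016-07-12 19:44:02 sid=c0ffee11 ip=192.0.2.55 customer_id=3301 action=login
LOG;

// Parse one line into its fields, or null if it does not match the expected format.
function parse_log_line(string $line): ?array
{
    if (!preg_match('/sid=(\w+) ip=([\d.]+) customer_id=(\d+)/', $line, $m)) {
        return null;
    }
    return ['sid' => $m[1], 'ip' => $m[2], 'customer_id' => (int) $m[3]];
}

// Return session IDs seen with more than one customer or IP, with what was observed.
function find_shared_sessions(string $log): array
{
    $seen = [];
    foreach (preg_split('/\R/', trim($log)) as $line) {
        $rec = parse_log_line($line);
        if ($rec === null) {
            continue;
        }
        $seen[$rec['sid']]['customers'][$rec['customer_id']] = true;
        $seen[$rec['sid']]['ips'][$rec['ip']] = true;
    }

    $alerts = [];
    foreach ($seen as $sid => $info) {
        if (count($info['customers']) > 1 || count($info['ips']) > 1) {
            $alerts[$sid] = [
                'customers' => array_keys($info['customers']),
                'ips'       => array_keys($info['ips']),
            ];
        }
    }
    return $alerts;
}

// Usage: on the constructed sample, only sid 3f1c9a7e is reported (two customers, two IPs).
foreach (find_shared_sessions(SAMPLE_LOG) as $sid => $info) {
    printf("session %s seen with customers [%s] from IPs [%s]\n",
        $sid, implode(', ', $info['customers']), implode(', ', $info['ips']));
}
```

A session ID legitimately seen from two IPs (a mobile client changing networks) is a weaker signal than one seen with two customer_ids, so in practice the second condition is the one worth alerting on; the first is useful context when reading the timeline.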

Re: session login

Posted: Wed Aug 31, 2016 2:20 pm
by ASG
Did you ever get around to resolving this?

I had the same issue more than a year back.

http://forum.opencart.com/viewtopic.php?f=20&t=139197

Try turning the page cache off, if there is any module which separately manages the page cache on your OC install. You can enable image caching though; it has no impact.

Hosting has nothing to do with it, as long as your session data is being stored in a path specific to your hosting account (which is almost always the case). You can modify the session data storage path as well using the php.ini file.

Re: session login

Posted: Thu Mar 16, 2017 5:53 pm
by badboy39
Did anyone face this issue on a dedicated host?

Re: session login

Posted: Wed Sep 06, 2017 11:03 pm
by iplocker
Hello.
I'm running on a VPS at Siteground, and I have the same issue.
Siteground investigated the issue on their side, and no mechanism for caching sessions or anything else was detected on their part.
So it is something else!
Thanks

Re: session login

Posted: Wed Sep 13, 2017 12:15 am
by cosmicx
I have a similar issue. My setup is on a VPS running Nginx as a reverse proxy. The web server was automatically configured by VestaCP.

Re: session login

Posted: Sun Dec 17, 2017 2:50 am
by cosmicx
I also encountered a similar issue on a different platform. It was the login form of a known VPN service provider; when I tried to log in, it auto-filled the login form with a username/password, so hitting the login button logged me into that account.

Similar thing happened to our OpenCart instances, as posted on this thread:
viewtopic.php?f=190&t=187578

Re: session login

Posted: Sat Dec 23, 2017 4:04 pm
by rempong
One of my clients had this problem; it was solved by changing how the session is created.

Re: session login

Posted: Wed Dec 27, 2017 9:22 pm
by cosmicx
You have solved it, right? Mind sharing how you replicated the issue in the first place?

Ours just happened randomly.

Re: session login

Posted: Wed Dec 27, 2017 10:06 pm
by rempong
cosmicx wrote:
Wed Dec 27, 2017 9:22 pm
You have solved it, right? Mind sharing how you replicated the issue in the first place?

Ours just happened randomly.
cmiiw, it happened on a high traffic site

Re: session login

Posted: Thu Dec 28, 2017 12:07 am
by straightlight
rempong wrote:
Wed Dec 27, 2017 10:06 pm
cosmicx wrote:
Wed Dec 27, 2017 9:22 pm
You have solved it, right? Mind sharing how you replicated the issue in the first place?

Ours just happened randomly.
cmiiw, it happened on a high traffic site
As explained here: viewtopic.php?f=190&t=165170#p628394