Kryptronic Software Support Forum

You are viewing this forum as a guest. Login to an existing account, or create a new account, to reply to topics and to create new topics.

#1 03-23-2009 08:51:36

robprotronica
Member
Registered: 12-16-2008
Posts: 106

sid causing previous customer info to display

Hi,

Somewhere out in the world there is a link to one of my product pages containing a sid.

The link is wwwgpsaffiliate.co.uk/khxc/index.php?ap … 59xxxxx...

From a customer I know the link is somewhere on a product related site, but the customer could not recall exactly where she followed the link from.

Anyone following this link and trying to buy from the site gets access to previous customers name e-mail and address info. They can also order on their credit card and get the goods sent to the previous customer!

I am trying to find where the link is to get it modified, but is there any way I can force a new sid if the site sees the w959xxxx sid above?

Thanks

Rob

Offline

 

#2 03-23-2009 09:02:36

Dave
Member
Registered: 07-05-2003
Posts: 11233

Re: sid causing previous customer info to display

There can't possibly be any credit card information associated with using a sid like that.  CCP does not, under any circumstances, store any credit card information.

If you delete that sid from the khxc_sessions table using raw DB admin there will no longer be any information at all associated with it.

Offline

 

#3 03-23-2009 09:40:03

robprotronica
Member
Registered: 12-16-2008
Posts: 106

Re: sid causing previous customer info to display

Hi Dave,

Agreed there is no possibility of credit Card info being retained.

I originally intended to convey that customer 2 paying with customer 2 credit card could get their order sent to a previous customers address - very nearly happened with one of our customers, so this is an issue I need to fix.

I followed your suggestion and deleted the sid from khxc_session no problem.

However, when I tried connecting to the site including the sid in the path - the site accepts the sid, there is a new entry in the khxc_sessions db. This entry does not contain any user info yet, but if someone follows the link containing the sid  and inputs user data we are back to square one.

Any idea on somehow making this particular sid invalid?

Rob

Offline

 

#4 03-23-2009 09:50:25

Dave
Member
Registered: 07-05-2003
Posts: 11233

Re: sid causing previous customer info to display

The URL with the sid has been indexed by Google so you'll want to use their webmaster tools to request that the link be removed from the search results.  Do a search for sid= site:gpsaffiliate.co.uk and you'll spot it.

Offline

 

#5 03-23-2009 10:43:51

robprotronica
Member
Registered: 12-16-2008
Posts: 106

Re: sid causing previous customer info to display

Hi Dave,

Have requested google remove the results containing the sid

Also looked through the analytics - we have had 140 visits so far using the sid in the URL. As far as I can tell this particular sid is the only one being referenced so I think there is a site out there somewhere that has linked too us incorrectly.

A google search on the full URL including the sid did not find anything useful - we are trying to find where we have inbound links to see where this rouge link is.

Any way of preventing this sid being used until we find the problem site?

Rob

Offline

 

#6 03-23-2009 11:38:29

robprotronica
Member
Registered: 12-16-2008
Posts: 106

Re: sid causing previous customer info to display

Hi Dave,

Some digging in google analytics and I have found the "rouge" site with the sid in the link to us and have requested this be corrected.

So as long as no one has copied that link we should be OK.

Thanks for your help.

Rob

Offline

 

#7 03-24-2009 10:26:39

Dave
Member
Registered: 07-05-2003
Posts: 11233

Re: sid causing previous customer info to display

One way you could make sure it's never used again would be to add a rewrite rule to .htaccess that detects the complete URL with the sid and redirects it to your home page.  After adding that rule deleting the entry from the sessions table should prevent that particular sid from ever being valid again.

Offline

 

#8 03-24-2009 10:54:44

Blitzen
Member
From: USA
Registered: 01-01-2005
Posts: 935

Re: sid causing previous customer info to display

If you use SEO URL's, then you can safely restrict access to your CCP6 URL's with the SID in robots.txt.
That'll help keep good SE's from indexing SID's.

We do that and all our category and products pages using SEO URL's are indexed okay, which are the ones we care about being indexed.

Last edited by Blitzen (03-24-2009 10:58:56)

Offline

 

#9 03-24-2009 11:21:15

Dave
Member
Registered: 07-05-2003
Posts: 11233

Re: sid causing previous customer info to display

Search engines are already handled by CCP and no explicit rules should be required.  When a bot is detected the URL they are given will never contain a session ID.

Offline

 

#10 03-25-2009 08:00:34

robprotronica
Member
Registered: 12-16-2008
Posts: 106

Re: sid causing previous customer info to display

Hi Dave,

Thanks for the suggestion of the .htaccess rule - I think that would work fine.

I have checked through the analytics for yesterday and we have no more visits with sid included so I think we have the problem under control.

Also useful to know that the URL's the bots get definitely do not contain sid info.

Thanks.

Rob

Offline

 

Board footer