Kryptronic Software Support Forum


#1 07-30-2010 06:11:09

ElbiwNi
Member
From: Oxford, England
Registered: 07-30-2010
Posts: 16

other user information showing in cart BAD THING

Ok my company has just gone live with Europacart 7 but we have had a user in Ireland call us and say that when they entered the cart they had another user's information already in there, a colleague also found this user's address populated in the admin.php screen as well???

2 users no connection, on different continents
user 2, enters site looks at cart and user 1's information including address and product info is there
User 1, email address pre-populated in shop/admin.php
No URL passed from user 1 to user 2

Theory:
Session information is being held on the server and populating 'form and/or $_POST' information under unknown condition from user 1 to user 2

Any help vital as we are contemplating taking the shop down until we can get this sorted.

Thanks

Aaron


Cheers,

Aaron

Offline

 

#2 07-30-2010 06:24:37

Dave
Member
Registered: 07-05-2003
Posts: 11233

Re: other user information showing in cart BAD THING

Check your site for a manually created link which includes a session ID (SID). In all cases where what you described has occurred the culprit has been a manually entered link that includes a session ID.

Offline

 

#3 07-30-2010 06:33:59

ElbiwNi
Member
From: Oxford, England
Registered: 07-30-2010
Posts: 16

Re: other user information showing in cart BAD THING

Thanks Dave,  so could anything be writing the link, or should I look in a form $_POST or $_GET ?


Cheers,

Aaron

Offline

 

#4 07-30-2010 06:35:00

Dave
Member
Registered: 07-05-2003
Posts: 11233

Re: other user information showing in cart BAD THING

CCP does not generate links that would be incorrect. It would be a link that you added manually to a page somewhere on the site (or outside of the site perhaps using copy&paste). It is unrelated to forms.

Offline

 

#5 07-30-2010 06:45:31

ElbiwNi
Member
From: Oxford, England
Registered: 07-30-2010
Posts: 16

Re: other user information showing in cart BAD THING

But how would the user's information get hard-coded anywhere, they don't have any admin privileges as they are just a customer? Does the CCP store any session information on the server if say cookies on the user's PC were switched off?

Please excuse my ignorance in the way this thing works...

Aaron

Last edited by ElbiwNi (07-30-2010 09:13:22)


Cheers,

Aaron

Offline

 

#6 07-30-2010 06:51:08

Dave
Member
Registered: 07-05-2003
Posts: 11233

Re: other user information showing in cart BAD THING

The session ID is used to identify a visitor. If you were looking at something for example and copied a link then placed it somewhere on the site your information would be used any time a person clicked on that link. No privileges are involved and having a hard coded session ID only "reveals" some information. Things/places to check are your skin and any web pages  you created as well as any pages outside of CCP that you may have added a link to your store to.

Offline

 

#7 07-30-2010 06:53:10

ElbiwNi
Member
From: Oxford, England
Registered: 07-30-2010
Posts: 16

Re: other user information showing in cart BAD THING

Ok I am off to play, thanks Dave I will post back with any updates

Aaron


Cheers,

Aaron

Offline

 

#8 07-30-2010 08:49:34

KryptoJim
Member
Registered: 07-08-2010
Posts: 455

Re: other user information showing in cart BAD THING

ElbiwNi wrote:

Ok I am off to play, thanks Dave I will post back with any updates

Aaron

Search the skin for "sid=", that should point you to the right direction almost instantly.

Offline

 

#9 07-30-2010 08:55:52

ElbiwNi
Member
From: Oxford, England
Registered: 07-30-2010
Posts: 16

Re: other user information showing in cart BAD THING

I looked in the skin.php from both the default directory and our specific product directory and there was no mention of 'sid=' in either of them, Am I looking in the wrong place ?


Cheers,

Aaron

Offline

 

#10 07-30-2010 10:15:04

dh783
Member
From: Avondale, Arizona
Registered: 04-06-2005
Posts: 6233
Website

Re: other user information showing in cart BAD THING

Is the problem getting the other user's name etc or just seeing items in the cart or items listed in the product break down on the checkout pages?

John

Offline

 

#11 07-30-2010 10:29:03

ElbiwNi
Member
From: Oxford, England
Registered: 07-30-2010
Posts: 16

Re: other user information showing in cart BAD THING

John, from the information we have gleaned from the customer they are seeing the other customer's details and what they have bought, they are not able to see or change credit card details


Cheers,

Aaron

Offline

 

#12 07-30-2010 10:44:53

dh783
Member
From: Avondale, Arizona
Registered: 04-06-2005
Posts: 6233
Website

Re: other user information showing in cart BAD THING

A url to the site might help us to see the problem.

What has happened to me in the past, and not a lot of times, but when I have deleted order(s) from the database directly through the raw sql statement and haven't removed the orderitems for the order(s), that sometimes the items show up on the checkout pages in the item break down section. Removing the items from the orderitems database stopped the item from being displayed so if you have deleted any order and didn't remove the items then you could be having this problem. I will say that this hasn't happened all the time and I know that some will say that it will not happen at all but I have seen it on my site although I haven't been able to nail down just how it occurs.

John

Offline

 

#13 04-02-2012 08:49:32

ElbiwNi
Member
From: Oxford, England
Registered: 07-30-2010
Posts: 16

Re: other user information showing in cart BAD THING

Sorry to bring this up again after such a long time but we have just had it happen again,  https://www.viconrevue.com/shop/index.php

We can find no links with the SId= criteria set on any external links to the site?
I am on the verge of recommending we change to a different online shop if I can't get this figured out sharpish now!

Last edited by ElbiwNi (04-02-2012 08:50:05)


Cheers,

Aaron

Offline

 

#14 04-02-2012 11:00:21

jj1987
Member
From: Orlando, FL
Registered: 07-14-2008
Posts: 502
Website

Re: other user information showing in cart BAD THING

ElbiwNi wrote:

Sorry to bring this up again after such a long time but we have just had it happen again,  https://www.viconrevue.com/shop/index.php

We can find no links with the SId= criteria set on any external links to the site?
I am on the verge of recommending we change to a different online shop if I can't get this figured out sharpish now!

Can you post your skin.php file inside code tags on here?



-James Garrett

Offline

 

#15 04-02-2012 11:05:42

ElbiwNi
Member
From: Oxford, England
Registered: 07-30-2010
Posts: 16

Re: other user information showing in cart BAD THING

here goes!

Code:

<?php /* PHP FUNCTION: Skin startup */
      $skinfunc =& $this->include_skinfunc('CORE_SkinFunc');
      extract($skinfunc->startup()); ?>

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">

<html xmlns="http://www.w3.org/1999/xhtml">

<head>

<meta http-equiv="content-type" content="text/html; charset=ISO-8859-1" />

<meta name="generator" content="Kryptronic Software" />

<meta name="keywords" content="<?php print $metakeywords; ?>" />

<meta name="description" content="<?php print $metadesc; ?>" />

<?php /* PHP FUNCTION: Prints the robots tag */ 
$skinfunc->robotstag(); ?>

<base href="<?php print $disp_baseurl; ?>" />

<link rel="stylesheet" type="text/css" media="all" href="https://www.viconrevue.com/shop/skins/Revue/css/all.css" />
<link rel="stylesheet" type="text/css" media="all" href="https://www.viconrevue.com/_css/style.css" />
<link rel="stylesheet" type="text/css" media="all" href="https://www.viconrevue.com/shop/skins/Revue/css/changes.css" />

<?php /* PHP FUNCTION: Prints JavaScript Library code */ 
$skinfunc->namespace('core','jslib'); ?>

<title><?php print $metatitle; ?></title>

</head>

<body>

<div id="skin_wrapper_full"><div id="skin_wrapper">

<table id="skin_ct">

<tr>

<td id="skin_ct_lcol_head">

<?php if (!(empty($link_home))) { /* <?php print $link_home; ?> */ ?>
<a href="https://www.viconrevue.com/home.html" title="Home"><img src="https://www.viconrevue.com/_images/viconrevue-logo.gif" alt="Home" width="179" height="21" /></a>
<?php } else { ?>
<img src="https://www.viconrevue.com/_images/viconrevue-logo.gif" alt="Home" width="179" height="21" />
<?php } ?>

</td>

<td id="skin_ct_rcol_head" colspan="2">

<div id="skin_menu_head">

<ul>

<?php 
if (!(empty($link_home)))     {print '<li><a href="https://www.viconrevue.com/home.html" title="Home">Home</a></li>';} /*' . $link_home . '*/
if (!(empty($link_cart)))     {print '<li><a href="' . $link_cart . '" title="Shopping Cart">Shopping Cart</a></li>';}
if (!(empty($link_checkout))) {print '<li><a href="' . $link_checkout . '" title="Checkout">Checkout</a></li>';}
if (!(empty($link_account)))  {print '<li><a href="' . $link_account . '" title="Your Account">Your Account</a></li>';}
//if (!(empty($link_contact)))  {print '<li><a href="' . $link_contact . '" title="Contact">Contact</a></li>';}
?>

</ul>

</div>

<div id="skin_headacct">

<?php /* PHP FUNCTION: Include the miniacctlogin namespace to print either a quick login info. */
$skinfunc->namespace('core','miniacctlogin'); ?>

</div>

</td>

</tr>

<tr>

<td id="skin_ct_lcol">

<?php /* PHP FUNCTION: Include the frontend menus namespace.  Pass LEFT as the menu id here. */
$skinfunc->namespace('core','skinwidgets','LEFT'); ?>

<div class="skin_fenavh" id="ecom_skinwidgetcategories_h"><a href="<?php print $skinfunc->link('ecom','prodshow',array('ref' => 'RevueTest')); ?>" title="Purchase Revue">Purchase Revue</a></div>

<!--
<div class="skin_fenav" id="ecom_skinwidgetcategories">
<ul>
     <li><a href="<?php print $skinfunc->link('ecom','prodshow',array('ref' => 'RevueTest')); ?>" title="Vicon Revue">Vicon Revue</a></li>
</ul>

</div>
-->

<?php /* PHP FUNCTION: Include the frontend menus namespace.  Pass RIGHT as the menu id here. */
$skinfunc->namespace('core','skinwidgets','RIGHT'); ?>

</td>

<td id="skin_ct_mcol">

<?php /* PHP FUNCTION: Prints the page title.   */
$skinfunc->titletag($disp_title); ?>

<div id="skin_content">

<?php /* PHP FUNCTION: Print the content for the page.   */
$skinfunc->content(); ?>

</div>

</td>

</tr>

</table>

</div>

</div>

<div id="skin_footer">

<?php /* PHP FUNCTION: Print the site owner's address and phone numbers here.
$skinfunc->printaddphone(); ?>

<p>&copy; <?php print $disp_year . ' ' . $site_name; ?>. All rights reserved worldwide.</p>
*/?>
<span class="footer"><a href="../terms.html" class="footer">Terms &amp; Conditions</a>&nbsp;&nbsp;|&nbsp;&nbsp;<a href="../privacy-policy.html" class="footer">Privacy</a>&nbsp;&nbsp;|&nbsp;&nbsp;<a href="http://www.vicon.com/company/" class="footer">Company</a>&nbsp;&nbsp;|&nbsp;&nbsp;<a href="../contact.html" class="footer">Contact</a></span>
</div>

<?php /* PHP FUNCTION: Run the debug and closure function. */
$skinfunc->debug(); ?>

</body>

</html>

Cheers,

Aaron

Offline

 

#16 04-02-2012 11:06:49

ElbiwNi
Member
From: Oxford, England
Registered: 07-30-2010
Posts: 16

Re: other user information showing in cart BAD THING

I hope that is the correct one jj1987


Cheers,

Aaron

Offline

 

#17 04-02-2012 12:05:24

cyberws
Member
From: Atlanta, GA
Registered: 02-05-2004
Posts: 756

Re: other user information showing in cart BAD THING

Do you have a link(s) on your site that brings people to your cart?  Like click here to buy x product? I would check those for SID's.


Jeremy O

Production CCP .:. Version 6 w/QuickBuy and many in house hacks
Skills: PHP & Perl programming, Solaris & Linux server administration, Oracle OCP training and MySQL experience

Offline

 

#18 04-02-2012 17:29:55

salesdesk
Member
Registered: 07-03-2008
Posts: 147

Re: other user information showing in cart BAD THING

I second that suggestion...in many cases, a URL on another site that has incorrectly posted a link to your site can also cause this.  I've found that in some cases, if you do a google search for your site URL and the word SID, you can sometimes locate the offending link.  Also...if you can contact your customer, you can ask them how they found you.  In most cases, it will be a site that's only trying to help you, but is unknowingly causing this issue.  Credit card details are not really a worry, because they aren't saved on the site...but convincing customers of this fact is not worth trying.

Hope this helps.

Offline

 

#19 04-03-2012 05:02:54

ElbiwNi
Member
From: Oxford, England
Registered: 07-30-2010
Posts: 16

Re: other user information showing in cart BAD THING

Checked out Google with a site search and nothing:

Your search - sid= site:www.viconrevue.com/shop - did not match any documents.
Your search - "sid=" site:www.viconrevue.com - did not match any documents.

Also did a file search on the Windows files of the shop's root and no files found containing sid=.

Last edited by ElbiwNi (04-03-2012 05:06:18)


Cheers,

Aaron

Offline

 

#20 04-03-2012 05:05:30

ElbiwNi
Member
From: Oxford, England
Registered: 07-30-2010
Posts: 16

Re: other user information showing in cart BAD THING

Jeff if it was a hard-coded sid surely that would be the same user information exposed each time, this is not the case!


Cheers,

Aaron

Offline
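
Added example, not part of the original thread and not Kryptronic code: when file and search-engine searches for sid= come up empty, as in the posts above, the web server access log can show which session IDs arrived from more than one client and which Referer each client came in with. It assumes combined log format and that the session ID travels as a `sid` query parameter; the log lines, sids, user agents and referrer below are constructed.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit, parse_qs

# Combined log format: ip - - [time] "METHOD url PROTO" status bytes "referer" "agent"
LINE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "\S+ (?P<url>\S+) [^"]*" '
    r'\d{3} \S+ "(?P<ref>[^"]*)" "(?P<ua>[^"]*)"'
)

def shared_sids(lines):
    """Map each sid used by more than one client to its clients and the
    Referer each client arrived with (heuristic: client = IP + user agent)."""
    clients = defaultdict(list)   # sid -> distinct (ip, ua), in order seen
    referers = defaultdict(list)  # sid -> Referer of each client's first hit
    for line in lines:
        m = LINE.match(line)
        if not m:
            continue  # not a combined-format line
        query = parse_qs(urlsplit(m["url"]).query)
        for key, values in query.items():
            if key.lower() != "sid":  # match sid=, SID=, SId= ...
                continue
            client = (m["ip"], m["ua"])
            for sid in values:
                if client not in clients[sid]:
                    clients[sid].append(client)
                    referers[sid].append(m["ref"])
    return {
        sid: {"clients": seen, "entry_referers": referers[sid]}
        for sid, seen in clients.items() if len(seen) > 1
    }

# Constructed sample lines (documentation IPs, made-up sids and referrer).
SAMPLE_LOG = [
    '192.0.2.10 - - [02/Apr/2012:08:01:10 +0000] "GET /shop/index.php?sid=c0ffee01 HTTP/1.1" 200 5120 "-" "UA-one"',
    '192.0.2.10 - - [02/Apr/2012:08:02:44 +0000] "GET /shop/index.php?ref=RevueTest&sid=c0ffee01 HTTP/1.1" 200 7300 "-" "UA-one"',
    '198.51.100.5 - - [02/Apr/2012:08:10:03 +0000] "GET /shop/index.php?sid=0ddba11 HTTP/1.1" 200 5120 "-" "UA-three"',
    '203.0.113.77 - - [02/Apr/2012:08:40:19 +0000] "GET /shop/index.php?SID=c0ffee01 HTTP/1.1" 200 5120 "http://blog.example/review" "UA-two"',
    '203.0.113.77 - - [02/Apr/2012:08:41:00 +0000] "GET /shop/skins/Revue/css/all.css HTTP/1.1" 200 900 "-" "UA-two"',
]

if __name__ == "__main__":
    for sid, info in shared_sids(SAMPLE_LOG).items():
        print(sid, info["clients"], info["entry_referers"])
```

A sid that shows up with a second client and an off-site Referer points at the page carrying the link; one with "-" as Referer suggests a link pasted into e-mail or chat.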

 

#21 04-03-2012 05:47:36

ElbiwNi
Member
From: Oxford, England
Registered: 07-30-2010
Posts: 16

Re: other user information showing in cart BAD THING

Just had this back from support:

Hello.  It  appears your cookie settings are configured incorrectly

So where are these settings, as I cannot find them in the control panel so I assume they are in one of the PHP files, any ideas?


Cheers,

Aaron

Offline

 

#22 04-03-2012 11:49:05

zanart
Member
From: bedford
Registered: 04-02-2008
Posts: 1706

Re: other user information showing in cart BAD THING

The cookie setting can be changed by running the installer again.


Rob

Offline

 

#23 04-04-2012 14:06:03

cyberws
Member
From: Atlanta, GA
Registered: 02-05-2004
Posts: 756

Re: other user information showing in cart BAD THING

I have a code fix.  What it does is check the current sid against a saved cookie.  If there is a mismatch it removes the sid and automatically reloads the page allowing a new sid to be assigned by CCP.  This way NO user can load another user's data.  Therefore if users share links with a sid or a link is posted on a site with a sid no worries it will be removed automatically.

Note: As long as user doesn't delete his/her cookies the cart data will remain between browser shutdowns.  If not they will have to add their data to a cart that wasn't purchased.  However I think that is a small price to "pay" to keep users from seeing each other's data.

Please note you make any modifications at your own RISK.  I can't speak for your level of technical knowledge.  ALWAYS KEEP A BACKUP COPY before making any file changes.  Finally please note that running the installer may result in changes.

Now on with it.

1) Open the main "index.php" in your CCP for editing.  This may require downloading to your computer first or you may use an on server editor like vi.

2) On a new line after <?php place the following code:

Code:

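//////     Prevent users from reading other sessions
// null means "no sid in the request" / "no sid cookie set"
$chksid=null;
$cookiesid=null;

if (isset($_POST['sid'])) {
     $chksid=$_POST['sid'];
}
if (isset($_GET['sid'])) {
     $chksid=$_GET['sid'];
}

if (isset($_COOKIE['sid'])) {
     $cookiesid=$_COOKIE['sid'];
}

// Strict comparison, so numeric-looking strings are never treated as equal
if ($chksid !== null and $chksid !== $cookiesid) {
     $_GET['sid']='';
     $_POST['sid']='';
     // Strip sid wherever it sits in the query string (?sid=... or &sid=...);
     // removing only "&sid=" leaves "?sid=" in place and the redirect loops
     $cleansid=preg_replace('/([?&])sid=[^&]*(&|$)/','$1',$_SERVER['REQUEST_URI']);
     $cleansid=rtrim($cleansid,'?&');
     header("Location: $cleansid");
     exit; // stop here so the page is not built for the rejected sid
}
//////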

3) Now save the file and if necessary upload it to your server.  There you go.  Give it a try.

Last edited by cyberws (04-04-2012 14:07:37)


Jeremy O

Production CCP .:. Version 6 w/QuickBuy and many in house hacks
Skills: PHP & Perl programming, Solaris & Linux server administration, Oracle OCP training and MySQL experience

Offline

 
