Ok, my company has just gone live with Europacart 7, but we have had a user in Ireland call us and say that when they entered the cart they had another user's information already in there; a colleague also found this user's address populated in the admin.php screen as well???
2 users, no connection, on different continents
User 2 enters the site, looks at the cart, and user 1's information including address and product info is there
User 1's email address pre-populated in shop/admin.php
No URL passed from user 1 to user 2
Theory:
Session information is being held on the server and populating 'form and/or $_POST' information under an unknown condition from user 1 to user 2
Any help vital as we are contemplating taking the shop down until we can get this sorted.
Thanks
Aaron
Check your site for a manually created link which includes a session ID (SID). In all cases where what you described has occurred the culprit has been a manually entered link that includes a session ID.
Thanks Dave, so could anything be writing the link, or should I look in a form $_POST or $_GET?
CCP does not generate links that would be incorrect. It would be a link that you added manually to a page somewhere on the site (or outside of the site perhaps using copy&paste). It is unrelated to forms.
But how would the user's information get hard-coded anywhere? They don't have any admin privileges as they are just a customer. Does CCP store any session information on the server if, say, cookies on the user's PC were switched off?
Please excuse my ignorance in the way this thing works...
Aaron
Last edited by ElbiwNi (07-30-2010 09:13:22)
The session ID is used to identify a visitor. If you were looking at something for example and copied a link then placed it somewhere on the site your information would be used any time a person clicked on that link. No privileges are involved and having a hard coded session ID only "reveals" some information. Things/places to check are your skin and any web pages you created as well as any pages outside of CCP that you may have added a link to your store to.
Ok I am off to play, thanks Dave I will post back with any updates
Aaron
ElbiwNi wrote:
Ok I am off to play, thanks Dave I will post back with any updates
Aaron
Search the skin for "sid=", that should point you to the right direction almost instantly.
I looked in the skin.php from both the default directory and our specific product directory and there was no mention of 'sid=' in either of them. Am I looking in the wrong place?
John, from the information we have gleaned from the customer, they are seeing the other customer's details and what they have bought; they are not able to see or change credit card details.
A URL to the site might help us to see the problem.
What has happened to me in the past, and not a lot of times, but when I have deleted order(s) from the database directly through a raw SQL statement and haven't removed the orderitems for the order(s), sometimes the items show up on the checkout pages in the item breakdown section. Removing the items from the orderitems table stopped the item from being displayed, so if you have deleted any order and didn't remove the items then you could be having this problem. I will say that this hasn't happened all the time and I know that some will say that it will not happen at all, but I have seen it on my site, although I haven't been able to nail down just how it occurs.
John
Sorry to bring this up again after such a long time, but we have just had it happen again: https://www.viconrevue.com/shop/index.php
We can find no links with the sid= criteria set on any external links to the site?
I am on the verge of recommending we change to a different online shop if I can't get this figured out sharpish now!
Last edited by ElbiwNi (04-02-2012 08:50:05)
ElbiwNi wrote:
Sorry to bring this up again after such a long time, but we have just had it happen again: https://www.viconrevue.com/shop/index.php
We can find no links with the sid= criteria set on any external links to the site?
I am on the verge of recommending we change to a different online shop if I can't get this figured out sharpish now!
Can you post your skin.php file inside code tags on here?
here goes!
<?php /* PHP FUNCTION: Skin startup */ $skinfunc =& $this->include_skinfunc('CORE_SkinFunc'); extract($skinfunc->startup()); ?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="content-type" content="text/html; charset=ISO-8859-1" />
<meta name="generator" content="Kryptronic Software" />
<meta name="keywords" content="<?php print $metakeywords; ?>" />
<meta name="description" content="<?php print $metadesc; ?>" />
<?php /* PHP FUNCTION: Prints the robots tag */ $skinfunc->robotstag(); ?>
<base href="<?php print $disp_baseurl; ?>" />
<link rel="stylesheet" type="text/css" media="all" href="https://www.viconrevue.com/shop/skins/Revue/css/all.css" />
<link rel="stylesheet" type="text/css" media="all" href="https://www.viconrevue.com/_css/style.css" />
<link rel="stylesheet" type="text/css" media="all" href="https://www.viconrevue.com/shop/skins/Revue/css/changes.css" />
<?php /* PHP FUNCTION: Prints JavaScript Library code */ $skinfunc->namespace('core','jslib'); ?>
<title><?php print $metatitle; ?></title>
</head>
<body>
<div id="skin_wrapper_full"><div id="skin_wrapper">
<table id="skin_ct">
<tr>
<td id="skin_ct_lcol_head">
<?php if (!(empty($link_home))) { /* <?php print $link_home; ?> */ ?>
<a href="https://www.viconrevue.com/home.html" title="Home"><img src="https://www.viconrevue.com/_images/viconrevue-logo.gif" alt="Home" width="179" height="21" /></a>
<?php } else { ?>
<img src="https://www.viconrevue.com/_images/viconrevue-logo.gif" alt="Home" width="179" height="21" />
<?php } ?>
</td>
<td id="skin_ct_rcol_head" colspan="2">
<div id="skin_menu_head">
<ul>
<?php
if (!(empty($link_home))) {print '<li><a href="https://www.viconrevue.com/home.html" title="Home">Home</a></li>';} /*' . $link_home . '*/
if (!(empty($link_cart))) {print '<li><a href="' . $link_cart . '" title="Shopping Cart">Shopping Cart</a></li>';}
if (!(empty($link_checkout))) {print '<li><a href="' . $link_checkout . '" title="Checkout">Checkout</a></li>';}
if (!(empty($link_account))) {print '<li><a href="' . $link_account . '" title="Your Account">Your Account</a></li>';}
//if (!(empty($link_contact))) {print '<li><a href="' . $link_contact . '" title="Contact">Contact</a></li>';}
?>
</ul>
</div>
<div id="skin_headacct">
<?php /* PHP FUNCTION: Include the miniacctlogin namespace to print either a quick login info. */ $skinfunc->namespace('core','miniacctlogin'); ?>
</div>
</td>
</tr>
<tr>
<td id="skin_ct_lcol">
<?php /* PHP FUNCTION: Include the frontend menus namespace. Pass LEFT as the menu id here. */ $skinfunc->namespace('core','skinwidgets','LEFT'); ?>
<div class="skin_fenavh" id="ecom_skinwidgetcategories_h"><a href="<?php print $skinfunc->link('ecom','prodshow',array('ref' => 'RevueTest')); ?>" title="Purchase Revue">Purchase Revue</a></div>
<!--
<div class="skin_fenav" id="ecom_skinwidgetcategories">
<ul>
<li><a href="<?php print $skinfunc->link('ecom','prodshow',array('ref' => 'RevueTest')); ?>" title="Vicon Revue">Vicon Revue</a></li>
</ul>
</div>
-->
<?php /* PHP FUNCTION: Include the frontend menus namespace. Pass RIGHT as the menu id here. */ $skinfunc->namespace('core','skinwidgets','RIGHT'); ?>
</td>
<td id="skin_ct_mcol">
<?php /* PHP FUNCTION: Prints the page title. */ $skinfunc->titletag($disp_title); ?>
<div id="skin_content">
<?php /* PHP FUNCTION: Print the content for the page. */ $skinfunc->content(); ?>
</div>
</td>
</tr>
</table>
</div>
</div>
<div id="skin_footer">
<?php /* PHP FUNCTION: Print the site owner's address and phone numbers here.
$skinfunc->printaddphone(); ?>
<p>© <?php print $disp_year . ' ' . $site_name; ?>. All rights reserved worldwide.</p>
*/?>
<span class="footer"><a href="../terms.html" class="footer">Terms & Conditions</a> | <a href="../privacy-policy.html" class="footer">Privacy</a> | <a href="http://www.vicon.com/company/" class="footer">Company</a> | <a href="../contact.html" class="footer">Contact</a></span>
</div>
<?php /* PHP FUNCTION: Run the debug and closure function. */ $skinfunc->debug(); ?>
</body>
</html>
I hope that is the correct one jj1987
Do you have link(s) on your site that bring people to your cart? Like "click here to buy x product"? I would check those for SIDs.
I second that suggestion... in many cases, a URL on another site that has incorrectly posted a link to your site can also cause this. I've found that in some cases, if you do a Google search for your site URL and the word SID, you can sometimes locate the offending link. Also... if you can contact your customer, you can ask them how they found you. In most cases, it will be a site that's only trying to help you, but is unknowingly causing this issue. Credit card details are not really a worry, because they aren't saved on the site... but convincing customers of this fact is not worth trying.
Hope this helps.
Checked out Google with a site search and nothing:
Your search - sid= site:www.viconrevue.com/shop - did not match any documents.
Your search - "sid=" site:www.viconrevue.com - did not match any documents.
Also did a file search on the Windows files of the shop's root and no files found containing sid=.
Last edited by ElbiwNi (04-03-2012 05:06:18)
Jeff, if it was a hard-coded sid surely that would be the same user information exposed each time; this is not the case!
Just had this back from support:
Hello. It appears your cookie settings are configured incorrectly
So where are these settings? I cannot find them in the control panel, so I assume they are in one of the PHP files. Any ideas?
The cookie setting can be changed by running the installer again.
I have a code fix. What it does is check the current sid against a saved cookie. If there is a mismatch it removes the sid and automatically reloads the page allowing a new sid to be assigned by CCP. This way NO user can load another user's data. Therefore if users share links with a sid or a link is posted on a site with a sid no worries it will be removed automatically.
Note: As long as a user doesn't delete his/her cookies, the cart data will remain between browser shutdowns. If not, they will have to add their data to a cart that wasn't purchased. However, I think that is a small price to "pay" to keep users from seeing each other's data.
Please note you make any modifications at your own RISK. I can't speak for your level of technical knowledge. ALWAYS KEEP A BACKUP COPY before making any file changes. Finally please note that running the installer may result in changes.
Now on with it.
1) Open the main "index.php" in your CCP for editing. This may require downloading it to your computer first, or you may use an on-server editor like vi.
2) On a new line after <?php place the following code:
////// Prevent users from reading other sessions
$chksid = 'pass';
$cookiesid = 'pass';
if (isset($_POST['sid'])) { $chksid = $_POST['sid']; }
if (isset($_GET['sid'])) { $chksid = $_GET['sid']; }
if (isset($_COOKIE['sid'])) { $cookiesid = $_COOKIE['sid']; }
// A sid carried in the URL or form that does not match this browser's own cookie
// belongs to someone else: drop it and reload so CCP assigns a fresh one.
if ($chksid != 'pass' and $chksid != $cookiesid) {
    $_GET['sid'] = '';
    $_POST['sid'] = '';
    $cleansid = $_SERVER['REQUEST_URI'];
    $cleansid = str_replace("&sid=$chksid", '', $cleansid);
    // sid may also be the first query parameter (?sid=...&... or ?sid=... alone)
    $cleansid = str_replace("?sid=$chksid&", '?', $cleansid);
    $cleansid = str_replace("?sid=$chksid", '', $cleansid);
    header("Location: $cleansid");
    exit; // stop here so the page is not rendered with the foreign sid
}
//////
3) Now save the file and if necessary upload it to your server. There you go. Give it a try.
Last edited by cyberws (04-04-2012 14:07:37)
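The same check as a pure, testable function, added here as an example (not cyberws's patch and not CCP's own code). It assumes, as the patch does, that CCP stores the browser's own sid in a cookie named sid, and that the server runs PHP 7.1 or later.

```php
<?php
// Added example, not cyberws's patch or CCP code. Cookie name 'sid' is assumed,
// as in the patch above.

/**
 * Return the URL to redirect to with the sid removed, or null when the request
 * may proceed (no sid in the request, or the sid matches this browser's cookie).
 *
 * $requestUri  $_SERVER['REQUEST_URI'], e.g. "/shop/index.php?app=ecom&sid=abc"
 * $requestSid  sid taken from $_GET or $_POST, null if absent
 * $cookieSid   sid from $_COOKIE['sid'], null if absent
 */
function foreign_sid_redirect(string $requestUri, ?string $requestSid, ?string $cookieSid): ?string
{
    if ($requestSid === null || $requestSid === '') {
        return null;                       // nothing in the URL/form to check
    }
    if ($cookieSid !== null && hash_equals($cookieSid, $requestSid)) {
        return null;                       // the browser's own session, proceed
    }
    // Foreign or cookie-less sid: rebuild the URL without it, keeping the other
    // parameters. Only path and query are reused, never a client-supplied host,
    // so the redirect cannot be pointed off-site.
    $parts = parse_url($requestUri);
    $clean = $parts['path'] ?? '/';
    $query = [];
    if (isset($parts['query'])) {
        parse_str($parts['query'], $query);
        unset($query['sid']);
    }
    if ($query !== []) {
        $clean .= '?' . http_build_query($query);
    }
    return $clean;
}

// Constructed sample requests with made-up session ids.
assert(foreign_sid_redirect('/shop/index.php?app=ecom', null, 'AAA') === null);
assert(foreign_sid_redirect('/shop/index.php?sid=AAA&app=ecom', 'AAA', 'AAA') === null);
assert(foreign_sid_redirect('/shop/index.php?sid=AAA&app=ecom', 'AAA', 'BBB') === '/shop/index.php?app=ecom');
assert(foreign_sid_redirect('/shop/index.php?app=ecom&sid=AAA', 'AAA', null) === '/shop/index.php?app=ecom');
assert(foreign_sid_redirect('/shop/index.php?sid=AAA', 'AAA', 'BBB') === '/shop/index.php');

// At the top of index.php this would be used as:
//   $to = foreign_sid_redirect($_SERVER['REQUEST_URI'], $_GET['sid'] ?? $_POST['sid'] ?? null, $_COOKIE['sid'] ?? null);
//   if ($to !== null) { header('Location: ' . $to); exit; }
```

Like the patch, this relies on the browser accepting the cookie: a visitor with cookies disabled would be redirected on every sid-carrying request, so check that the installer's cookie setting is correct before deploying it.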