osCommerce


URGENT : Customer details mismatch in orders


Stewart Gilray


I realise that my post may not be too useful. Here are further details of the way my store is configured:

 

in configure.php:

define('STORE_SESSIONS', 'mysql'); // leave empty '' for default handler or set to 'mysql'

 

in Configuration->Cache

 

Use Cache: false

Cache Directory: /tmp/

 

in Configuration->Sessions

 

Session Directory: /tmp

Force Cookie Use: False

Check SSL Session ID: False

Check User Agent: False

Check IP Address: False

Prevent Spider Sessions : True

Recreate Session: False

 

I'm on shared hosting and register_globals is on.

 

PHP Version 4.4.2

 

Happy to provide further details. Also, the osCsid NEVER disappears from my url string, no matter how many 'clicks'.

 

I must say I'm surprised that no-one has offered a satisfactory fix to this. This kind of thing is really embarrassing to deal with when you have to call a customer and say 'I think our cart messed up'.


Hi,

 

I had the problem of customer records getting mixed up. I've pretty much concluded it was because a session id was in a link to my site on someone else's site that a customer was using to tell others about one of my products. To avoid this happening again, I want to remove the session id from my url when possible. From what I read on the forums, the session id should be gone after a couple of clicks if cookies are enabled in the customer's browser. I have cookies enabled in my browser and I am still getting the session id in the url. They do not disappear after a few clicks. I have searched the forums and the best I can tell is there is something wrong with my cookie settings in the configure file. Below are my settings. If anyone sees a problem below or if they know of something else I must do please let me know.

 

I am using shared SSL

 

My includes/configure.php file:

 

define('HTTP_SERVER', 'http://www.frameknitting.com');
define('HTTPS_SERVER', 'https://frameknitting.com');
define('ENABLE_SSL', true); // secure webserver for checkout procedure?
define('HTTP_COOKIE_DOMAIN', 'www.frameknitting.com');
define('HTTPS_COOKIE_DOMAIN', 'frameknitting.com');
define('HTTP_COOKIE_PATH', '/');
define('HTTPS_COOKIE_PATH', '/');
define('DIR_WS_HTTP_CATALOG', '/');
define('DIR_WS_HTTPS_CATALOG', '/');

define('DIR_WS_IMAGES', 'images/');
define('DIR_WS_ICONS', DIR_WS_IMAGES . 'icons/');
define('DIR_WS_INCLUDES', 'includes/');
define('DIR_WS_BOXES', DIR_WS_INCLUDES . 'boxes/');
define('DIR_WS_FUNCTIONS', DIR_WS_INCLUDES . 'functions/');
define('DIR_WS_CLASSES', DIR_WS_INCLUDES . 'classes/');
define('DIR_WS_MODULES', DIR_WS_INCLUDES . 'modules/');
define('DIR_WS_LANGUAGES', DIR_WS_INCLUDES . 'languages/');

define('DIR_WS_DOWNLOAD_PUBLIC', 'pub/');
define('DIR_FS_CATALOG', dirname($HTTP_SERVER_VARS['SCRIPT_FILENAME']));
define('DIR_FS_DOWNLOAD', DIR_FS_CATALOG . 'download/');
define('DIR_FS_DOWNLOAD_PUBLIC', DIR_FS_CATALOG . 'pub/');

 

 

Both of my configure files have:

define('STORE_SESSIONS', 'mysql');

 

 

SESSION SETTINGS

Session Directory: /tmp
Force Cookie Use: false
Check SSL Session ID: false
Check User Agent: false
Check IP Address: false
Prevent Spider Sessions: true
Recreate Session: false

 

Thanks,

Marla


I just heard from my client in regard to the jumbled up addresses. They have let me know that no link has been given out to the site with an osCsid variable in the hyperlink, such as:

 

catalog/index.php?cPath=22&osCsid=c97d045b48d2c572e03948637feb9d7b

 

So it would seem that jumbled up addresses are not a result of multiple users using a link with a session id in it???


Baron...

 

Do you have caching on, and are you using a shared server? If you have it turned on, you may try turning it off and see if that corrects the problem.

Good luck

Roman

 

Hi Roman,

 

Thanks. I am on a shared server. I have always had the following settings in Configuration->Cache

 

Use Cache false

Cache Directory /tmp/

 

Are these the cache settings you refer to?

 

Thanks


Baron...

 

Yes...

 

define('HTTP_COOKIE_PATH', '/');
define('HTTPS_COOKIE_PATH', '/');
define('DIR_WS_HTTP_CATALOG', '/');
define('DIR_WS_HTTPS_CATALOG', '/');

I have my settings as such....

define('HTTP_COOKIE_PATH', '/storename/');
define('HTTPS_COOKIE_PATH', '/storename/');
define('DIR_WS_HTTP_CATALOG', '/storename/');
define('DIR_WS_HTTPS_CATALOG', '/storename/');

Where storename is the dir name that I have my oscommerce files in...

 

Roman


To clarify: if my store is www.mystore.com/catalog

 

the values should be:

 

define('HTTP_COOKIE_PATH', '/catalog/');
define('HTTPS_COOKIE_PATH', '/catalog/');
define('DIR_WS_HTTP_CATALOG', '/catalog/');
define('DIR_WS_HTTPS_CATALOG', '/catalog/');

 

in the configure file

 

and the cache settings in the admin should stay the same as they are

 

?

 

Thanks


Baron...

Yes...

I have renamed catalog to my store name...cleaner...Good for SE.

Roman

 

catalog/includes/configure.php changed to:

define('HTTP_COOKIE_DOMAIN', '/catalog/');
define('HTTPS_COOKIE_DOMAIN', '/catalog/');
define('HTTP_COOKIE_PATH', '/catalog/');
define('HTTPS_COOKIE_PATH', '/catalog/');

 

osCsid still stays there after many many clicks.

Any further suggestions for how to remove osCsid strings (which will then hopefully remedy the problem of the mismatching customer addresses)?

 

Thanks,


For anyone else out there, this is how to do it:

 

define('HTTP_COOKIE_DOMAIN', 'www.mysite.com');
define('HTTPS_COOKIE_DOMAIN', 'www.mysite.com');
define('HTTP_COOKIE_PATH', '/catalog/');
define('HTTPS_COOKIE_PATH', '/catalog/');

 

Now time will tell if the jumbled-orders problem will rear its ugly head.


Marla, I suggest the following setting for a shared server:

 

define('HTTP_COOKIE_DOMAIN', '.frameknitting.com');

define('HTTPS_COOKIE_DOMAIN', '.frameknitting.com');

:-)

Monika

 

addicted to writing code ... can't get enough of databases either, LOL!

 

my toolbox: Textpad - Compare and Merge - phpMyAdmin - WS_FTP - Photoshop - How to search the forum

 

Interactive Media Award July 2007 ~ category E-Commerce

my advice on the forum is for free, PMs where you send me work are considered consultation which I charge for ...

 

whether the session id is stored in a cookie or attached to the url is of no consequence.

Treasurer MFC

To explain:

 

if you go to a site with : www.domain.com/?osCsid=rod3d123saoupn0oejktubiig3

 

then even if that session no longer exists on your system, files or database, that session id is created and used by osc. Basically, you get the session id you ask for.

 

So if you have a link like that circulating in emails or websites or search engine indexes, the first who clicks it will re-create that session and the next will share it.

 

But whether that session id is subsequently stored in a cookie and disappears from the url, or if it remains attached because cookies are not set, is of little consolation, as it only pertains to where it is stored and not what it contains.

 

The only way to prevent this from happening is, if a session id is attached to the url, check if that session is active on your system. This by either checking if the session file exists (file based sessions) or if an entry in the session table exists (mysql based sessions) for that id.

If it does, proceed, if it does not, disregard the attached session id and force a new one.

Treasurer MFC

 

Monika,

 

I tried your suggestion. It did get rid of the session id, except when checking out. However, it created 2 problems.

 

1) Whatever I had in the cart was lost when signing in for checkout.

2) If the customer switched back to a nonsecure area after signing in they lost what was in their cart and would have to sign in again to check out.

 

Any other suggestions?

 

Thanks,

Marla


hmmmmm ... I use this in all my shops. Can you post your session settings from admin->configuration?

:-)

Monika

 


Monika,

 

Here are my

SESSION SETTINGS

 

Session Directory: /tmp
Force Cookie Use: false
Check SSL Session ID: false
Check User Agent: false
Check IP Address: false
Prevent Spider Sessions: true
Recreate Session: false

 

Marla


Monika,

 

Also here are my cache settings:

 

Use Cache false

Cache Directory /tmp/

 

Marla

both of those look fine. looked at your store though, the info you gave me for the configure.php is obviously incorrect - for SSL. I cannot help that way. Shared SSL for hostexcellence needs completely different treatment.

:-)

Monika

 


  • 3 weeks later...

You would think this would be resolved quickly by the OSC team. Where is this patch that I am reading about? Many of my customers expressed concern that their personal information was accessible by other customers; whether intentional or an error with OSC is beside the point. They don't want to hear our excuse for the problem, they want to know that their personal information is secure and only the store owner can access it. Not someone who posted some link which happened to include the session ID. That is a serious breach of security, and one that should have been corrected immediately.

 

- O


  • 3 weeks later...

I've been doing some further research and have example orders which are getting mixed up if an expert could make use of them to get things fixed. I cannot post them on the open board due to privacy issues.

 

Even if I have to pay someone to resolve this issue, I am willing to do so. So please, if anyone has had this problem, got it resolved, or knows someone who did/does/might be able to get it resolved, please send them my way.

 

My cell number is: 509.671.0439 the office number is: 509.447.0440 my email address is [email protected].

 

Thank you,

 

Alex Stanton

Project Director

Exbabylon IT Solutions


One thing I've seen, that doesn't appear to have been mentioned here, is that I've had occasional (perhaps session related) address book entries from user2 overwrite the address book database record for user1. In other words, if you find user1's customer_id, then look up the address_book entry for that same customer_id, you might find it's the wrong person. I've manually fixed them in the database a few times; I haven't tracked down the root cause of that particular problem.

 

-jared


We're getting an increase in merged orders as the days go on, and I'm desperate to figure this out. I have exhausted my resources and ability in this matter, and need help. Please, if anyone knows what's going on with this and is willing to fix it, I AM WILLING TO PAY WELL.

 

Thank you,

 

Alex Stanton


  • 2 months later...

Frustratingly I have begun my own personal search to resolve this issue. However, my attempts have been unsuccessful until now.

 

osC uses the classes->sessions.php to manage all sessions. Based on what was mentioned before, I thought it would be great if the sessions.php file would check to see if the user was being sent by an external site and therefore create a unique session for them. Soon I began scouring through sessions.php and discovered that the file already has this function built into it!

 

However, this check is based on the referer_check variable. Which, on line 21, I discover is set to false!! There's no admin switch for this and it comes disabled by default.

 


 

Change this:

[21]	var $referer_check = false;

 

To this:

[21]	var $referer_check = true;

 

Needless to mention, this is very agitating. Especially since one of my clients is now experiencing this issue. I'm presuming an external link is now widely available and is now causing problems with the checkout process.

 

Refer to the following found in sessions.php:

[393] // Check whether the current request was referred to by
[394] // an external site which invalidates the previously found ID
[395]   if ( (!empty($session->id)) && ($session->referer_check) ) {
[396]     $url = parse_url($GLOBALS['HTTP_REFERER']);
[397]     if (trim($url['host']) != $GLOBALS['SERVER_NAME']) {
[398]       unset($session->id);
[399]       $send_cookie = true;
[400]       $define_sid = true;
[401]     }
[402]   }
[403]
[404] // Do we have an existing session ID?
[405]   if (empty($session->id)) {
[406] // Create new session ID
[407]     $session->id = _session_create_id();
[408]   }

 

As you can see, lines 395-402 will not run if $session->referer_check is set to false.

 

*sigh*


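The two mechanisms discussed in this thread, Treasurer MFC's "only honour a session id that is active on your system, otherwise force a new one" and the Referer test in sessions.php quoted above, side by side in an added Python example. This is illustrative code written for this page, not osCommerce's session handler: the SessionStore and Request types, the hostname www.example-store.test and the two-shopper scenario are constructed. resolve_lax is the behaviour the thread complains about (the store adopts whatever osCsid the URL carries); resolve_strict checks the store and, for a URL-supplied ID only, the Referer host; login rotates the ID at authentication, which is what the admin setting "Recreate Session" (reported as False by both posters above) does. Two caveats the scenario makes visible: the Referer is client-supplied and absent on links opened from e-mail, so it can only ever be a heuristic, and a link carrying a still-live ID is shared by everyone who clicks it unless the ID is rotated at login.

```python
import secrets
from dataclasses import dataclass
from typing import Callable, Dict, Optional


@dataclass
class Request:
    """Where a session ID can reach the store from (constructed for this example)."""
    cookie_sid: Optional[str] = None     # the osCsid cookie, if the browser sent one
    url_sid: Optional[str] = None        # ?osCsid=... in the query string
    referer_host: Optional[str] = None   # host part of the Referer header, None if absent


class SessionStore:
    """Stand-in for the sessions table (STORE_SESSIONS = 'mysql') or the /tmp session files."""

    def __init__(self) -> None:
        self.rows: Dict[str, dict] = {}

    def exists(self, sid: str) -> bool:
        return sid in self.rows

    def create(self, data: Optional[dict] = None) -> str:
        sid = secrets.token_hex(16)          # 32 hex characters, the shape of an osCsid
        self.rows[sid] = dict(data or {})
        return sid

    def adopt(self, sid: str) -> None:
        """Create an empty session under a caller-supplied ID: the unsafe behaviour."""
        self.rows.setdefault(sid, {})


def resolve_lax(store: SessionStore, req: Request) -> str:
    """The behaviour the thread describes: whatever ID arrives is used, and if no such
    session exists one is created under that ID ("you get the session id you ask for")."""
    sid = req.cookie_sid or req.url_sid
    if sid is None:
        return store.create()
    store.adopt(sid)
    return sid


def resolve_strict(store: SessionStore, req: Request, server_name: str,
                   referer_check: bool = True) -> str:
    """Hardened resolution. An ID is honoured only if a live session with that ID is in
    the store. An ID carried in the URL is additionally dropped unless the request was
    referred by a page on our own host, so a link pasted into an e-mail or another site
    (no Referer, or a foreign one) cannot hand its ID to a new visitor. The cookie ID is
    exempt from the Referer test so a typed-in URL does not reset a normal session."""
    sid = req.cookie_sid
    if sid is None and req.url_sid is not None:
        if not referer_check or req.referer_host == server_name:
            sid = req.url_sid
    if sid is None or not store.exists(sid):
        sid = store.create()                 # unknown or rejected ID: never adopt it
    return sid


def login(store: SessionStore, sid: str, customer_id: int, recreate: bool = True) -> str:
    """Authenticate the session. With recreate=True the ID is rotated (osCommerce's
    'Recreate Session' setting), so an ID that was ever exposed in a URL stops mapping
    to an authenticated session."""
    data = store.rows[sid]
    data["customer_id"] = customer_id
    if not recreate:
        return sid
    del store.rows[sid]
    return store.create(data)


Resolver = Callable[[SessionStore, Request], str]


def shared_link_scenario(resolver: Resolver, recreate_on_login: bool,
                         leaked_session_live: bool) -> bool:
    """Two shoppers, B then C, follow the same e-mailed catalog link that still carries
    shopper A's osCsid. Returns True if C ends up inside B's authenticated session."""
    store = SessionStore()
    leaked_sid = "c97d045b48d2c572e03948637feb9d7b"   # constructed; same shape as in the thread
    if leaked_session_live:
        store.adopt(leaked_sid)                        # A's session has not expired yet
    link = Request(url_sid=leaked_sid, referer_host=None)   # a mail client sends no Referer

    sid_b = resolver(store, link)
    store.rows[sid_b]["cart"] = ["widget"]
    sid_b = login(store, sid_b, customer_id=1001, recreate=recreate_on_login)

    sid_c = resolver(store, link)
    return store.rows[sid_c].get("customer_id") == 1001


if __name__ == "__main__":
    strict = lambda s, r: resolve_strict(s, r, "www.example-store.test")
    print("lax, no rotation   ->", shared_link_scenario(resolve_lax, False, False))   # True
    print("strict, rotation   ->", shared_link_scenario(strict, True, True))          # False
```

Run it directly for the two extreme cases; shared_link_scenario returns whether the second shopper lands in the first shopper's authenticated session, so the intermediate combinations (store check on but no rotation, rotation but no store check, Referer test switched off against a still-live leaked ID) can be tried the same way. Later PHP releases expose session.use_strict_mode, which makes the engine itself refuse an uninitialised ID; the PHP 4.4.2 in this thread has no such switch, which is why the check has to live in the application.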

Archived

This topic is now archived and is closed to further replies.
