Thousands of items in customer's shopping cart

[marleyman]

Hi, We are very baffled about this issue that our customers keep emailing us about:

Customers that haven't logged into their online account for a while, log in and there are thousands of items in their shopping cart!

We cannot figure out how this keeps happening. Can anyone help shed some light on this strange behavior?

We're running osCommerce Online Merchant v2.3.4

Thank you!

[BrockleyJohn]

That could be a problem with session hijacking, where sessions aren't really working properly and you get multiple people (and in this case probably spiders too) sharing the same session id.

Make sure sessions are set to mysql, spider sessions false, and if your database has been brought forward from a previous version check that the session id field is long enough (128 chars)

Also check that when you navigate around the site there isn't a session id showing at the end of the url

[marleyman]

4 minutes ago, BrockleyJohn said:

That could be a problem with session hijacking, where sessions aren't really working properly and you get multiple people (and in this case probably spiders too) sharing the same session id.

Make sure sessions are set to mysql, spider sessions false, and if your database has been brought forward from a previous version check that the session id field is long enough (128 chars)

Also check that when you navigate around the site there isn't a session id showing at the end of the url 

Thank you for your reply Brockley John! These are our sessions settings. Can you tell me how I would set our sessions to "mysql"?

Session Directory     /home/greenmo/public_html/testshop/includes/work/     
Force Cookie Use     False
Check SSL Session ID     False
Check User Agent     False
Check IP Address     False
Prevent Spider Sessions     True
Recreate Session     True

[BrockleyJohn]

it's in includes/configure.php

  define('STORE_SESSIONS', ''); // leave empty '' for default handler or set to 'mysql'

 

[Jack_mcs]

2 hours ago, marleyman said:

 /home/greenmo/public_html/testshop/includes/work/

I'm not sure that switching to file based sessions, which is what John, suggested will help but, if you do, are you sure the above is correct?

[marleyman]

3 minutes ago, Jack_mcs said:

I'm not sure that switching to file based sessions, which is what John, suggested will help but, if you do, are you sure the above is correct?

I just created a new directory and changed that setting to: /home/greenmo/public_html/sessions

But all of the settings that he told me to check were already set the way he told me to set them, so this is still a mystery to us. We cannot figure out why some customers log into their account on our site and they have thousands of items in their cart? It makes no sense.

[Jack_mcs]

35 minutes ago, marleyman said:

/home/greenmo/public_html/sessions

I suggest changing the above to

/home/greenmo/public_html/includes/sessions/

That won't fix the problem you are having but is more secure.

For the problem,  I misunderstood John's last post. He wasn't saying to switch to disk, just showing where it was.  The first thing I would try is to clear the sessions table. I've never seen this happen before but that is a likely cause of the problem/

Also, it could be that you site has hacker code in it. If you create a new account, log out and log back in, is your cart populated? Are the items in the customers carts the same for all customers (install the Master Password addon to check this)? Are the items to products on your site or do they link elsewhere?

[marleyman]

9 minutes ago, Jack_mcs said:

I suggest changing the above to

/home/greenmo/public_html/includes/sessions/

That won't fix the problem you are having but is more secure.

For the problem,  I misunderstood John's last post. He wasn't saying to switch to disk, just showing where it was.  The first thing I would try is to clear the sessions table. I've never seen this happen before but that is a likely cause of the problem/

Also, it could be that you site has hacker code in it. If you create a new account, log out and log back in, is your cart populated? Are the items in the customers carts the same for all customers (install the Master Password addon to check this)? Are the items to products on your site or do they link elsewhere?

I moved the sessions directory as you suggested - thanks for that.

I just want to make sure before I do this - I'm inside the database in the Table: sessions, and I can see the attached screen shot. Are you saying I should delete these?

If you create a new account, log out and log back in, is your cart populated? No

Are the items in the customers carts the same for all customers? No I don't believe so but I can't be positive about this.

Are the items to products on your site or do they link elsewhere? They're on our website

[Jack_mcs]

38 minutes ago, marleyman said:

I just want to make sure before I do this - I'm inside the database in the Table: sessions, and I can see the attached screen shot. Are you saying I should delete these?

Yes, but that is the more difficult way since there may be many pages.  On the page where all of the tables are listed, click on the Empty link for that table to clear it all at once (see attached).