So I mentioned before the issue of products bought in a purchase, with the checkout process completed, reappearing in the cart again on another visit. Items were not removed from the cart after the sale was completed.

We had thought it was related to Google Chrome, but I think it's worse than that. If I complete a sale at my house, and then go to my cottage 2 hrs away 3 days later, when I open the cart on the computer at the cottage, those previously purchased items appear in the cart. Different computer and different city.

So now I am finding that my customer can place an order from their home 3 hrs away, and I get home from work 3 hrs after he places an order, and when I go onto the website, and I select "My Account" at the top of the page and click on "Account Info", I am on his account without having to log in.

So I have to assume anyone going on the website after someone makes a purchase will, for some reason, be logged into that person's account. It wouldn't be hard to change someone else's password and email and steal the account.
Friday, June 09 2017, 01:07 AM
Responses (7)
  • Accepted Answer

    Friday, June 09 2017, 03:23 AM
    Wow, that is not good for privacy's sake. Have you done further exploration tests on your site to try to fix that? Do you think something in the site's HTTP Cache-Control might be related? ... the part about someone unrelated being able to click into someone else's account ... dunno! Thanks for the heads up. Worth looking into for sure.

    OK, just did this:

    Mystery shopper [1] clicks My Account, logs in, success. Via Chrome.
    Mystery shopper [2] clicks My Account, logs in, success. NO access to shopper [1]'s account. Via handheld.

    So far it's OK. Any new findings, please paste them here. Thanks again.
  • Accepted Answer

    Friday, June 09 2017, 03:37 AM
    I don't know enough about it to figure it out on my own.
    So I just report the issues I find and try to explain them best I can in hopes others understand.
  • Accepted Answer

    Friday, June 09 2017, 04:56 AM
    Thanks.
    When you say "when I go onto the website, and I select 'My Account' at the top of the page and click on 'Account Info', I am on his account without having to log in."

    But you were logged in to your account, yes? Were you also logged in as the adminGuy account?

    Thanks again.
  • Accepted Answer

    Friday, June 09 2017, 05:12 AM
    My customer made a purchase this afternoon.
    When I got home from work, I went on the website front end and it immediately showed me that there were items in the cart.
    His items from his purchase.
    So when I went to My Account>Account Info, it showed me all his account info.
    I was in his account logged in as him.
  • Accepted Answer

    Saturday, June 10 2017, 12:59 PM
    It's because the cart isn't cleared, and you log in to the same account, Breck - don't make that specific issue bigger than that ...

    If you're logged into someone else's account automatically, you surely have some serious issues in your setup though - most likely related to caching on your server. It's not normal.

    Where are you hosting your sites, which caching solutions do they use, or what have you added?

    And also add all your other system info please.
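The caching explanation above can be checked directly: a shared cache (reverse proxy, CDN or full-page cache plugin) that stores a response rendered for one logged-in shopper, or a response carrying a Set-Cookie session header, will hand that copy to the next visitor. The script below is an added example for this thread, not Arastta code; it inspects a response's headers and reports whether a shared cache is allowed to reuse it. The cookie name and header sets are constructed samples.

```python
"""Flag HTTP responses a shared cache could store and replay to another
visitor, the failure mode that shows one shopper another's cart/account.
Added example for this thread, not Arastta code; samples are constructed."""


def parse_cache_control(value):
    """Split a Cache-Control value into {directive: value}, lowercased."""
    directives = {}
    for token in value.split(","):
        token = token.strip()
        if token:
            name, _, val = token.partition("=")
            directives[name.strip().lower()] = val.strip().strip('"')
    return directives


def shared_cache_findings(headers):
    """Return a list of findings for one response; [] means a shared cache
    must not serve this copy to a different client. Header names are
    matched case-insensitively."""
    h = {k.lower(): v for k, v in headers.items()}
    cc = parse_cache_control(h.get("cache-control", ""))
    vary = {v.strip().lower() for v in h.get("vary", "").split(",") if v.strip()}
    # Shared caches are forbidden from storing private/no-store responses.
    if "no-store" in cc or "private" in cc:
        return []
    # Vary: Cookie (or *) keys the entry on the session cookie, so another
    # visitor with a different cookie cannot be served this copy.
    if "*" in vary or "cookie" in vary:
        return []
    findings = []
    if "set-cookie" in h:
        findings.append("Set-Cookie is cacheable: visitors may share one session id")
    if "public" in cc or "s-maxage" in cc or "max-age" in cc:
        findings.append("Cache-Control permits shared caching of a personalised page")
    elif "expires" in h:
        findings.append("Expires makes the page cacheable with no Cache-Control limit")
    return findings


# Constructed samples: one header set a proxy would happily cache and hand
# to everyone, and the set a logged-in account or cart page should carry.
LEAKY = {"Cache-Control": "public, max-age=600",
         "Set-Cookie": "SESSIONID=abc123; Path=/",  # placeholder cookie name
         "Content-Type": "text/html"}
SAFE = {"Cache-Control": "private, no-store, no-cache, must-revalidate",
        "Set-Cookie": "SESSIONID=abc123; Path=/; HttpOnly", "Vary": "Cookie"}

if __name__ == "__main__":
    for name, hdrs in (("leaky", LEAKY), ("safe", SAFE)):
        print(name, shared_cache_findings(hdrs) or ["ok"])
```

Run it against the real headers of the account and cart pages (for example from the browser's network tab) to confirm they come back with `private` or `no-store`; any finding on those pages points at the server-side cache layer rather than at the browser.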
  • Accepted Answer

    Saturday, June 10 2017, 01:53 PM
    I have tried to recreate this on different computers and connections on a fresh Arastta 1.6.1; it seems impossible.

    Thus you also need to give us the exact steps we need to go through to be able to recreate this, including your cache settings.

    I find your postings somewhat messy and confusing, and you also didn't respond to the direct questions from Sted. Please take a second look at those, and take them into account in the recreation steps.
  • Accepted Answer

    Saturday, June 10 2017, 09:52 PM
    Maybe change the post title from "Stealing" to [unexplained view] for now, so as not to seriously alarm folks with a premature security issue with Arastta, until we get this resolved one way or another.

    I tried it again with various logins etc., and from here on Chrome and IE browsers it's all good.