So I mentioned before about the issue of products made in a purchase and the checkout process is completed, they reappear in the cart again on another visit. Items were not removed from the cart after the sales was completed.

We had thought it was related to Google Chrome, but I think it's worse than that. If I complete a sale at my house, and then go to my cottage 2hrs away 3 days later, when I open the cart on the computer at the cottage, those previously purchased items appear in the cart. Different computer and different city.

So now I am finding that my customer can place an order from their home 3 hrs away, and I get home from work 3 hrs after he places an order, and when I go onto the website, and I select "My Account" at the top of the page and click on "Account Info", I am on his account without having to log in.

So I have to assume anyone going on the website after someone makes a purchase, will for some reason be logged into that persons account. It wouldn't be hard to change someone elses password and email and steal the account.
Friday, June 09 2017, 01:07 AM
Share this post:
Responses (16)
  • Accepted Answer

    Friday, June 09 2017, 03:23 AM - #Permalink
    Wow, that is not good for privacy sake. Have you done further exploration texts on your site to try to fix that? Do you think something on the site HTTP Cache-Control might be related? ... the part about someone unrelated being able to click enter someone else's account ...duno! thanks for the heads up. Worth looking into for sure.

    ok, just did this:

    Mystery shopper [1] clicks my account, login, success. via chrome
    Mystery shopper [2] clicks my account, login, success. NO access to Shopper {1} account. via hand held

    so far its ok. any new findings please past it here, thanks agrain.
    The reply is currently minimized Show
  • Accepted Answer

    Friday, June 09 2017, 03:37 AM - #Permalink
    I don't know enough about it to figure it out on my own.
    So I just report the issues I find and try to explain them best I can in hopes others understand.
    The reply is currently minimized Show
  • Accepted Answer

    Friday, June 09 2017, 04:56 AM - #Permalink
    thanks.
    when you say // " when I go onto the website, and I select My Account" at the top of the page and click on "Account Info", I am on his account without having to log in.

    but you were logged in to your account yes? were you also logged in as the adminGuy account?

    thanks again
    The reply is currently minimized Show
  • Accepted Answer

    Friday, June 09 2017, 05:12 AM - #Permalink
    My customer made a purchased this afternoon.
    When I got home from work, I went on the website front end and it immediately showed me that there were items in the cart.
    His items from his purchase.
    So when I went to My Account>Account Info, it showed me all his account info.
    I was in his account logged in as him.
    The reply is currently minimized Show
  • Accepted Answer

    Saturday, June 10 2017, 12:59 PM - #Permalink
    It's because the cart isn't cleared, and you log in to the same account Breck - don't make that specific issue bigger than that ...

    If you're logged into someone elses account automatically, you surely have some serious issues in your setup though - most likely related to caching on your server. It's not normal.

    Where are you hosting your sites, which caching solutions do they use, or what have you added.

    And also add all your other system info please.
    The reply is currently minimized Show
  • Accepted Answer

    Saturday, June 10 2017, 01:53 PM - #Permalink
    I have tried to recreate this on different computers and connections on a fresh Arastta 1.6.1, it seems impossible.

    Thus you also need to give us the exact steps we need to go through to be able to recreate this, including your cache settings.

    I find your postings somewhat messy and confusing, and you also didn't respond to the direct questions from Sted. Please take a second look at those, and take them into account in the recreation steps.
    The reply is currently minimized Show
  • Accepted Answer

    Saturday, June 10 2017, 09:52 PM - #Permalink
    maybe change the post title from " Stealing ". To [ unexplained view ] for now not to seriously alarm folks of premature Security Issue with arastta. Until we get this resolved one way or another.

    I try it again with various logins etc. and from here on chrome and ie browsers it's all good.
    Like
    1
    The reply is currently minimized Show
  • Accepted Answer

    Thursday, June 29 2017, 02:04 AM - #Permalink
    So this still continues to happen so here is what I did:

    - I opened Google Chrome and went to my website.
    - I see the there is currently an item in the cart.
    - This item was purchased by a customer earlier in the day in a completed sale that was paid for.
    - When I go to the top menus and select My Account>Account Info, it shows me as logged in as my customer and shows me all their details.

    So I have to assume that if I can do it, others can also do it.

    Currently I only had the following extensions installed and enabled.
    - Rune's Fedex fix
    - Live Price Update

    I disabled both and still happened, but with Chrome, I know it takes a day for the cache crap to clear, so it could be an issue with one of the extensions.

    Those are the exact steps I did and the outcome I am seeing.
    The reply is currently minimized Show
  • Accepted Answer

    Friday, June 30 2017, 08:56 PM - #Permalink
    Rune Rasmussen wrote:

    If you're logged into someone elses account automatically, you surely have some serious issues in your setup though - most likely related to caching on your server. It's not normal.

    Where are you hosting your sites, which caching solutions do they use, or what have you added.

    And also add all your other system info please.


    Rune Rasmussen wrote:

    I have tried to recreate this on different computers and connections on a fresh Arastta 1.6.1, it seems impossible.

    Thus you also need to give us the exact steps we need to go through to be able to recreate this, including your cache settings.

    I find your postings somewhat messy and confusing, and you also didn't respond to the direct questions from Sted. Please take a second look at those, and take them into account in the recreation steps.
    The reply is currently minimized Show
  • Accepted Answer

    Friday, June 30 2017, 09:15 PM - #Permalink
    Using Hostgator.
    As for the other info, I have to get back to you on Tuesday as I am at the cottage and this computer is too slow to find all the info.

    I am going to upload all the files once again so all the files are refreshed from the latest download and see how things act then.
    The reply is currently minimized Show
  • Accepted Answer

    Monday, July 03 2017, 08:37 PM - #Permalink
    So I am still at the cottage, but I was able to figure out how it happens on my end.

    So if you go into the admin area and look at the dashboard, bottom right corner where your latest orders appear,
    click on the View button to view the order. Then select Edit button to edit the order.

    Now if you go to the frontend, the cart still appears empty.

    Go back to the admin page and click on Continue and you will now see the products page of the order you are viewing.

    Now go to the frontend of the cart and click on the banner to refresh the page, and all of the sudden the products appear in the cart and your logged in as the customer.

    So it apparently logs you in on the frontend in the customers account when viewing the products page of an order you are editing.

    I can't confirm if me editing someone's order logs all the customers into that account, or if it's only happens to me.
    But I can confirm that I can edit an order at home and go to the cottage almost 2 hrs away and I am logged into the customers account on a different computer.

    I have tested this on both Chrome and Firefox browsers and it happens with both.

    Hope this helps you recreate the issue.
    The reply is currently minimized Show
  • Accepted Answer

    Tuesday, July 04 2017, 12:11 PM - #Permalink
    Guys, this happens only while you as admin are editing an order as it creates a session as customer and destroys it when you save the order. So there is nothing to worry about.
    The reply is currently minimized Show
  • Accepted Answer

    Tuesday, July 04 2017, 12:18 PM - #Permalink
    Great to see you in here Denis. :)

    But I now wonder, is it also destroyed on session timeout / logout?

    Anyhow, maybe it would be useful to add those «strange» features to docs / FAQ? Breck obviously does things in his way, ways that I wouldn't even dream of testing, and thus hardly can understand. Guess there will be more ...
    The reply is currently minimized Show
  • Accepted Answer

    Tuesday, July 04 2017, 02:45 PM - #Permalink
    This is only one way it happens.

    I had an issue this weekend where I edited an order on the computer and saved it and the computer was then shut off.
    While with a customer, I was entering there order into my phone (using a Cash Sales account), and it showed all the items I entered at checkout which looked fine, but once you login to an existing account (being called Cash Sales), and continue through to complete the order, all the items from the edited order are also in the cart at the final steps.

    So it's not specific to one computer as it also happens on the mobile device. I can't say I have been logged in to a customer account on the mobile device.
    The reply is currently minimized Show
  • Accepted Answer

    Tuesday, July 04 2017, 02:47 PM - #Permalink
    Here's some of the server details:

    cPanel Version 64.0 (build 29)
    Apache Version 2.4.23
    PHP Version 5.6.26
    MySQL Version 5.5.55-cll
    Architecture x86_64
    Operating System linux
    Perl Version 5.10.1
    Kernel Version 2.6.32-042stab123.1

    I'll have to contact support to figure out what caching they use.
    I wouldn't know for sure where to find that info.
    The reply is currently minimized Show
  • Accepted Answer

    Tuesday, April 03 2018, 03:03 PM - #Permalink
    Denis Duliçi wrote:

    Guys, this happens only while you as admin are editing an order as it creates a session as customer and destroys it when you save the order. So there is nothing to worry about.


    Denis, please take a look at this messy GH issue/fix: https://github.com/opencart/opencart/issues/4246
    The reply is currently minimized Show
Your Reply