So I mentioned before the issue where products bought in a purchase, after the checkout process is completed, reappear in the cart on another visit. Items were not removed from the cart after the sale was completed.
We had thought it was related to Google Chrome, but I think it's worse than that. If I complete a sale at my house, and then go to my cottage 2 hrs away 3 days later, when I open the cart on the computer at the cottage, those previously purchased items appear in the cart. Different computer and different city.
So now I am finding that my customer can place an order from their home 3 hrs away, and I get home from work 3 hrs after he places an order, and when I go onto the website and select "My Account" at the top of the page and click on "Account Info", I am on his account without having to log in.
So I have to assume anyone going on the website after someone makes a purchase will, for some reason, be logged into that person's account. It wouldn't be hard to change someone else's password and email and steal the account.
In Security
Responses (16)
Accepted Answer
Maybe change the post title from "Stealing" to "unexplained view" for now, so as not to seriously alarm folks with a premature security issue with Arastta, until we get this resolved one way or another.
I tried it again with various logins etc., and from here on Chrome and IE browsers it's all good. -
Accepted Answer
Wow, that is not good for privacy's sake. Have you done further exploration tests on your site to try to fix that? Do you think something in the site's HTTP Cache-Control might be related? ... the part about someone unrelated being able to click into someone else's account ... dunno! Thanks for the heads up. Worth looking into for sure.
OK, just did this:
Mystery shopper [1] clicks My Account, login, success. Via Chrome.
Mystery shopper [2] clicks My Account, login, success. NO access to shopper [1]'s account. Via handheld.
So far it's OK. Any new findings, please paste them here. Thanks again. -
Accepted Answer
My customer made a purchase this afternoon.
When I got home from work, I went on the website front end and it immediately showed me that there were items in the cart.
His items from his purchase.
So when I went to My Account>Account Info, it showed me all his account info.
I was in his account logged in as him. -
Accepted Answer
It's because the cart isn't cleared, and you log in to the same account, Breck - don't make that specific issue bigger than that ...
If you're logged into someone else's account automatically, you surely have some serious issues in your setup though - most likely related to caching on your server. It's not normal.
Where are you hosting your sites, which caching solutions do they use, or what have you added?
And also add all your other system info please. -
Accepted Answer
I have tried to recreate this on different computers and connections on a fresh Arastta 1.6.1, it seems impossible.
Thus you also need to give us the exact steps we need to go through to be able to recreate this, including your cache settings.
I find your postings somewhat messy and confusing, and you also didn't respond to the direct questions from Sted. Please take a second look at those, and take them into account in the recreation steps. -
Accepted Answer
So this still continues to happen so here is what I did:
- I opened Google Chrome and went to my website.
- I see that there is currently an item in the cart.
- This item was purchased by a customer earlier in the day in a completed sale that was paid for.
- When I go to the top menus and select My Account>Account Info, it shows me as logged in as my customer and shows me all their details.
So I have to assume that if I can do it, others can also do it.
Currently I only had the following extensions installed and enabled.
- Rune's Fedex fix
- Live Price Update
I disabled both and it still happened, but with Chrome, I know it takes a day for the cache crap to clear, so it could be an issue with one of the extensions.
Those are the exact steps I did and the outcome I am seeing. -
Accepted Answer
Rune Rasmussen wrote:
If you're logged into someone else's account automatically, you surely have some serious issues in your setup though - most likely related to caching on your server. It's not normal.
Where are you hosting your sites, which caching solutions do they use, or what have you added?
And also add all your other system info please.
Rune Rasmussen wrote:
I have tried to recreate this on different computers and connections on a fresh Arastta 1.6.1, it seems impossible.
Thus you also need to give us the exact steps we need to go through to be able to recreate this, including your cache settings.
I find your postings somewhat messy and confusing, and you also didn't respond to the direct questions from Sted. Please take a second look at those, and take them into account in the recreation steps. -
Accepted Answer
So I am still at the cottage, but I was able to figure out how it happens on my end.
So if you go into the admin area and look at the dashboard, bottom right corner where your latest orders appear,
click on the View button to view the order. Then select Edit button to edit the order.
Now if you go to the frontend, the cart still appears empty.
Go back to the admin page and click on Continue and you will now see the products page of the order you are viewing.
Now go to the frontend of the cart and click on the banner to refresh the page, and all of a sudden the products appear in the cart and you're logged in as the customer.
So it apparently logs you in on the frontend to the customer's account when viewing the products page of an order you are editing.
I can't confirm if me editing someone's order logs all the customers into that account, or if it only happens to me.
But I can confirm that I can edit an order at home, go to the cottage almost 2 hrs away, and I am logged into the customer's account on a different computer.
I have tested this on both Chrome and Firefox browsers and it happens with both.
Hope this helps you recreate the issue. -
Accepted Answer
Great to see you in here Denis.
But I now wonder, is it also destroyed on session timeout / logout?
Anyhow, maybe it would be useful to add those «strange» features to docs / FAQ? Breck obviously does things in his way, ways that I wouldn't even dream of testing, and thus hardly can understand. Guess there will be more ... -
Accepted Answer
This is only one way it happens.
I had an issue this weekend where I edited an order on the computer and saved it and the computer was then shut off.
While with a customer, I was entering their order into my phone (using a Cash Sales account), and it showed all the items I entered at checkout, which looked fine, but once you log in to an existing account (called Cash Sales) and continue through to complete the order, all the items from the edited order are also in the cart at the final steps.
So it's not specific to one computer as it also happens on the mobile device. I can't say I have been logged in to a customer account on the mobile device. -
Accepted Answer
Here's some of the server details:
cPanel Version 64.0 (build 29)
Apache Version 2.4.23
PHP Version 5.6.26
MySQL Version 5.5.55-cll
Architecture x86_64
Operating System linux
Perl Version 5.10.1
Kernel Version 2.6.32-042stab123.1
I'll have to contact support to figure out what caching they use.
I wouldn't know for sure where to find that info. -
Accepted Answer
Denis Duliçi wrote:
Guys, this happens only while you as admin are editing an order as it creates a session as customer and destroys it when you save the order. So there is nothing to worry about.
Denis, please take a look at this messy GH issue/fix:
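The behaviour Breck reproduces above (admin edits an order, the storefront shows the customer's cart and account) and Denis's explanation that editing an order creates a session as the customer, modelled as an added example that is not Arastta's code: a session-isolation check that fails when the customer login is written to a record not bound to the admin's own session cookie, and passes when it is scoped to that cookie and dropped on save or idle timeout. SHARED_KEY, SessionStore and the handler names are assumptions made for this model.

```python
import secrets
# Constructed model of the reported behaviour; not Arastta's code.
SHARED_KEY = "storefront"  # hypothetical store-wide record the buggy handler writes to

class SessionStore:
    """Server-side sessions keyed by each visitor's session cookie, with idle timeout."""
    def __init__(self, ttl=3600):
        self.sessions, self.ttl = {}, ttl
    def new_cookie(self, now):
        cookie = secrets.token_hex(16)
        self.sessions[cookie] = {"customer_id": None, "cart": [], "touched": now}
        return cookie
    def whoami(self, cookie, now):
        """Return the (customer_id, cart) the storefront would show this visitor."""
        own = self.sessions.get(cookie)
        if own is None or now - own["touched"] > self.ttl:
            self.sessions.pop(cookie, None)  # expired or unknown: treat as anonymous
            own = {"customer_id": None, "cart": []}
        shared = self.sessions.get(SHARED_KEY)  # bug model: anonymous visitors fall back to it
        if own["customer_id"] is None and shared is not None:
            return shared["customer_id"], list(shared["cart"])
        return own["customer_id"], list(own["cart"])

def _login_as_customer(store, key, order, now):
    store.sessions[key] = {"customer_id": order["customer_id"], "cart": list(order["items"]), "touched": now}
def edit_order_buggy(store, admin_cookie, order, now):
    _login_as_customer(store, SHARED_KEY, order, now)  # written to a record not bound to the admin's cookie
def edit_order_fixed(store, admin_cookie, order, now):
    _login_as_customer(store, admin_cookie, order, now)  # written only to the admin's own session

def save_order(store, admin_cookie):
    store.sessions.pop(SHARED_KEY, None)  # saving ends the customer context wherever it lives
    store.sessions.pop(admin_cookie, None)

def isolation_holds(edit_order):
    """True if other visitors never inherit the customer session and it ends on timeout and on save."""
    store, t0 = SessionStore(ttl=3600), 1_000_000.0
    order = {"customer_id": 42, "items": ["sku-A", "sku-B"]}  # constructed order
    admin = store.new_cookie(t0)
    edit_order(store, admin, order, t0)
    visitor = store.new_cookie(t0 + 1)  # a different browser, one second later
    if store.whoami(visitor, t0 + 1) != (None, []):
        return False  # leak: the visitor is shown the customer's account and cart
    if store.whoami(admin, t0 + 2) != (42, ["sku-A", "sku-B"]):
        return False  # the admin's own edit session must still work
    if store.whoami(admin, t0 + 3601)[0] is not None:
        return False  # idle timeout must end the customer context
    edit_order(store, admin, order, t0 + 3602)
    save_order(store, admin)
    return store.whoami(admin, t0 + 3603) == (None, [])  # saving must end it too
```

Running `isolation_holds(edit_order_buggy)` returns False at the first check, which is the symptom described in the thread; `isolation_holds(edit_order_fixed)` returns True.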