
Magento Forum

SERIOUS PROBLEM - I JUST MANAGED A SESSION HIJACK BY DOING NOTHING
 
insight
Member
 
Total Posts:  58
Joined:  2008-07-24
 

OK, this could be a serious problem but I can't seem to get it to happen again!!

Basically I was doing some work on my dev server and was developing the checkout. I went from the cart page (http) to the checkout (https), then clicked a link in the navigation to a standard CMS page (http), and this link had the session id in it, causing it to come up with a 404 error not found. That's pretty annoying as it is, but it gets worse.

I then went to the My Account page and I was logged in as another user!

This user had been recently set up by someone else, so it was impossible for me to have logged on as I have no idea what the password is.

Either way, I could see all their information in the admin area and was somehow logged on as them.

My immediate reaction was F*@k,

but then I thought I had not cleared the cache for a while and I had never done a rewrite rule refresh, so I cleared all the cache options. I can't get this to happen again, which is a good thing, but I think this needs some looking into big time.

If anyone has any ideas what may have caused this, it would be much appreciated.

Thanks all

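One way to check a web server's access log for the behaviour reported above (a session id carried in a link's query string as the visitor crosses the http/https boundary, ending in a 404), added here as an example and not code from the original thread or from Magento. It assumes Apache combined log format and that `SID` (plus PHP's default `PHPSESSID`) is the query parameter carrying the session id; the log lines are constructed.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample log lines in Apache combined format (not from the original thread):
# cart (http) -> checkout (https) -> CMS page link carrying SID -> 404 -> account page.
SAMPLE_LOG = """\
10.0.0.5 - - [24/Jul/2008:10:01:02 +0000] "GET /checkout/cart/ HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
10.0.0.5 - - [24/Jul/2008:10:01:09 +0000] "GET /checkout/onepage/ HTTP/1.1" 200 7310 "http://shop.example/checkout/cart/" "Mozilla/5.0"
10.0.0.5 - - [24/Jul/2008:10:01:15 +0000] "GET /about-us?SID=a1b2c3d4e5f6a7b8c9d0e1f2a3b4c5d6 HTTP/1.1" 404 1200 "https://shop.example/checkout/onepage/" "Mozilla/5.0"
10.0.0.5 - - [24/Jul/2008:10:01:20 +0000] "GET /customer/account/ HTTP/1.1" 200 4400 "http://shop.example/about-us" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "[^"]*"$'
)

# Query parameter names that carry a session identifier. "SID" is assumed to be
# the parameter Magento appends to links; "PHPSESSID" is PHP's default name.
SESSION_PARAMS = ("SID", "PHPSESSID")


def find_session_id_leaks(log_text):
    """Return one dict per request whose query string carries a session id.

    The id itself is masked so the report does not become a second copy of the secret.
    """
    leaks = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in combined format
        query = parse_qs(urlsplit(m["path"]).query)
        for name in SESSION_PARAMS:
            if name in query:
                token = query[name][0]
                leaks.append({
                    "ip": m["ip"],
                    "time": m["ts"],
                    "path": m["path"],
                    "param": name,
                    "masked_id": token[:4] + "..." if len(token) > 4 else "...",
                    "status": int(m["status"]),
                    # Scheme of the page the visitor came from; "https" here means the
                    # session id was carried out of the secure area in a link.
                    "referer_scheme": urlsplit(m["referer"]).scheme or None,
                })
    return leaks


if __name__ == "__main__":
    for leak in find_session_id_leaks(SAMPLE_LOG):
        print(leak)
```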
 
 
mike222
Member
 
Total Posts:  41
Joined:  2008-04-07
Austria
 

This is related to http://www.magentocommerce.com/boards/viewthread/10943/

Maybe you can find your answer there.

 