Magento Forum

   
Page 1 of 3
Customers Login and see someone else’s account info
 
KyleDugger
Member
 
Total Posts:  32
Joined:  2008-03-30
 

We have just been experiencing issues where multiple customers have reported security issues when trying to log in and checkout. 

Customers report that after entering their own username and password, they are granted access to the account dashboard, but then see someone else’s name and data.  Somehow it appears as if the software mixes up login sessions.  We have had multiple reports today. 

We are running Magento CE 1.4.2.0.  However we recently (a month or so ago) upgraded from 1.3.2.4 because we were experiencing the same issue.

More info:

This behavior tends to happen after heavy bursts of site traffic.  Sometimes when we post a sale (depends on the sale), we will get a spike in traffic which consumes most if not all of the server’s resources.  This is when we typically start getting reports that the store is mixing up customer login access.  The reports seem to roll in after the spike in traffic starts to roll off.  It is a hunch that the issue is related to the server load as a trigger before the Magento software starts the login collisions.

For reference, we have got around 15,000 visitors within a two hour timeline.  In the control panel, the real-time server bandwidth graph pegs at 1.2MBytes per second for the first 15 minutes. It happened on several occasions using 1.3.2.4.  This motivated us to upgrade hoping to resolve this issue.  This is the first time we have seen the behavior since we have been using 1.4.2.0 for the last three weeks. 

So, summary:
- Server resources peg for 15 minutes
- Customer logs in
- Customer sees another’s data after logging in
- This occurs with Magento CE 1.3.2.4 and 1.4.2.0
- Using MemCached on the server in both instances

We have disabled our site and are researching this issue and hoping for some sort of a resolution soon. 

Thanks,

Kyle

 
 
KyleDugger
Member
 
Total Posts:  32
Joined:  2008-03-30
 

Adding some details that customers sent to us:

Here are a few screenshots of my attempts to use your site this morning.  As you can see, there are seven different names on the “Welcome” bar - none of whom are me.  These are only a few of the ones that I’ve come across (the only ones I have screenshots of).

As for what would happen - I went to your page, and attempted to add some products to my cart.  The site was very slow, which I assumed was just a traffic issue.  When I proceeded to my cart, it would be someone else’s cart entirely with their products (and their name on the welcome bar).  If I hit refresh, a whole new cart/account would come up.  If I hit proceed to checkout, it would show someone else’s shipping information.  I never did go past this point. 

Quote that suggests the problem is bigger than an account login issue. 

The problem I am encountering is that when I click on one to add it to my cart, it will take a while (green bar at the bottom showing that it is loading) and then when it does load, it will show other items in my cart that I didn’t put there. (I.e. I wanted to order an <product 1>, but it added <product 2>, and another.) Then when I tried to remove the ones that I didn’t want, it will remove all of them. The extras that it adds to the cart are different each time. Sometimes it’s just one extra, one time it had added up to 6 <products> (even changing the quantity). I have been extra careful to make sure that it wasn’t just because I was impatient and clicking twice or something.
Hope that helps to solve your site problems! I haven’t logged in though, so I’m not sure about logging in issues.

 
 
Amasty
Mentor
 
Total Posts:  3769
Joined:  2009-11-10
 

Can you clear the session storage at the server? If you run the script

<?php phpinfo(); ?>

you will see the path where PHP writes the session data.

 
 
KyleDugger
Member
 
Total Posts:  32
Joined:  2008-03-30
 

Session information was stored in /var/session/ in files

We are currently working on transitioning sessions data to database storage.  I’ll post the results here.

Thanks,

Kyle

 
 
brendanb
Mentor
 
Total Posts:  1077
Joined:  2008-07-16
London, United Kingdom
 

Hi,

Any update on this? I have had a customer contact us about a similar issue. When looking at the two accounts in question they in no way seem to be linked. So my first thought is session issues.

brendan

 
 
ben_marks
Moderator
 
Total Posts:  449
Joined:  2008-10-09
Charleston, SC
 
KyleDugger - 05 April 2011 09:59 AM

We are currently working on transitioning sessions data to database storage

NOT recommended.

 
 
SimpleHelixcom
Enthusiast
 
Total Posts:  906
Joined:  2007-08-31
Huntsville, AL
 

Hello,

Running sessions out of the database can be slower since it must pass through MySQL first. Accessing the disk directly should be faster.

At any rate, try enabling some of the session validation options in System > Configuration > Web > Session Validation Settings

I’d recommend:

Validate REMOTE_ADDR
Validate HTTP_USER_AGENT
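
As an added illustration of what those two settings do (example code written for this thread, not Magento’s own implementation): the session records REMOTE_ADDR and HTTP_USER_AGENT on its first request and rejects later requests that disagree. The constructed requests at the bottom assume a hosted payment gateway re-enters the shopper’s session from the gateway’s own address, which is the usual reason REMOTE_ADDR validation breaks a gateway callback.

```php
<?php
// Added example, not Magento's code: bind a session to the client facts
// seen on its first request and refuse later requests that disagree,
// which is the idea behind the Session Validation Settings.

// Which facts to validate; constructed to match the two recommended settings.
const VALIDATE = [
    'REMOTE_ADDR'     => true,
    'HTTP_USER_AGENT' => true,
];

// Collect the enabled facts from a request's $_SERVER-style array.
function fingerprint(array $server): array
{
    $fp = [];
    foreach (VALIDATE as $key => $enabled) {
        if ($enabled) {
            $fp[$key] = $server[$key] ?? '';
        }
    }
    return $fp;
}

// True when the request may keep using $session; false when the stored
// fingerprint disagrees, in which case the caller should regenerate the
// session id and discard the data instead of serving another visitor's cart.
function validateSession(array &$session, array $server): bool
{
    $current = fingerprint($server);
    if (!isset($session['_validator'])) {
        $session['_validator'] = $current;   // first request: record the facts
        return true;
    }
    foreach ($current as $key => $value) {
        if (($session['_validator'][$key] ?? '') !== $value) {
            return false;
        }
    }
    return true;
}

// Constructed requests: the shopper twice, then a hypothetical gateway
// callback that presents the shopper's session from the gateway's own address.
$session = [];
$shopper = ['REMOTE_ADDR' => '203.0.113.10', 'HTTP_USER_AGENT' => 'Mozilla/5.0 Firefox/5.0'];
$gateway = ['REMOTE_ADDR' => '198.51.100.7', 'HTTP_USER_AGENT' => 'Hypothetical-Gateway/1.0'];

var_dump(validateSession($session, $shopper));  // first request binds the session
var_dump(validateSession($session, $shopper));  // same facts as the stored ones
var_dump(validateSession($session, $gateway));  // REMOTE_ADDR differs from the stored one
```

Turning REMOTE_ADDR validation on therefore trades the gateway callback for the protection, which is the trade-off reported later in this thread; HTTP_USER_AGENT alone does not have that side effect for a server-to-server callback only if the gateway happens to send the same string, so test the checkout after changing either setting.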

 
 
ltlfoote
Jr. Member
 
Total Posts:  7
Joined:  2009-09-28
 

Did you ever find a solution for this problem? We are having the same issue in CE 1.5.

Any ideas are much appreciated !

 
 
brendanb
Mentor
 
Total Posts:  1077
Joined:  2008-07-16
London, United Kingdom
 

Really?

I haven’t seen this repeated. But it still worries me.

Do you have any details on what browser, anything about the customer that is out of the ordinary?

brendan

 
 
ltlfoote
Jr. Member
 
Total Posts:  7
Joined:  2009-09-28
 

We have had reports from customers that while they are shopping, all of a sudden they will see someone else’s cart or lose their cart items all together.

I just experienced this, as I was working on adding a product to the site, I pressed refresh and all of a sudden had someone else’s items in my cart.

Very bad!

I was using Firefox 5.0

 
 
brendanb
Mentor
 
Total Posts:  1077
Joined:  2008-07-16
London, United Kingdom
 

How are your sessions stored?

Got to be something weird going on there. We had this right at the start of our latest site. But haven’t heard of it for some time.

 
 
ltlfoote
Jr. Member
 
Total Posts:  7
Joined:  2009-09-28
 

Sessions are stored in files under var/sessions.

Another thing to note: we are using multiple stores and have the SID in the URL because we have multiple domains that all check out to one secure URL. Checkout won’t work if we turn the SID off in the URL.

 
 
brendanb
Mentor
 
Total Posts:  1077
Joined:  2008-07-16
London, United Kingdom
 

Right,

we have a similar setup.
We’re running a multi-site setup (4 websites). But each domain has its own SSL cert and checkout.
We don’t have session IDs in the URL.

This is good to know. I will try and have a play with orders on the other sites and let you know if I see anything weird. Gotta be something with multi-site systems. I haven’t seen many posts about this issue. As I think most people don’t see it happening.

brendan

 
 
ltlfoote
Jr. Member
 
Total Posts:  7
Joined:  2009-09-28
 

Thanks for your input. I’m going to set up the individual SSLs for each domain, turn off the SIDs and see if that fixes it.

 
 
antonyl
Jr. Member
 
Total Posts:  9
Joined:  2010-07-09
 

I’ve had similar issues as above, i.e. a new customer to the site does NOT log in but notices that he is logged in; he then sees someone else’s details/orders!

Validate REMOTE_ADDR = Yes
Validate HTTP_USER_AGENT = Yes

Making the above update did appear to fix this, however it broke a payment gateway (Sagepay) - but strangely enough not Paypal. So I had to revert to the default, i.e.

Validate REMOTE_ADDR: No
Validate HTTP_VIA: No
Validate HTTP_X_FORWARDED_FOR: No
Validate HTTP_USER_AGENT: No

Since I am running multiple stores (on the same domain) I have to:
Use SID on Frontend: Yes

My best guess is that the SID is cached somewhere on Google or Yahoo and potentially a customer has followed this and picked up someone else’s session (i.e. www.domain.com?SID=99123d60a14a80cd0c6a19922797a9ca40). Although I cannot replicate this.

Any thoughts on this, it would be greatly appreciated.

Cheers, Antony
Mag CE 1.4.2.
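
Antony’s guess can be checked from the web server’s access log: a SID that more than one client address has presented is a session that was shared, whatever the route (pasted link, cache or search index). This is an added example, not from the thread; the log lines are constructed (the first SID is the one quoted above, the second is made up), and the only format assumption is common log format with the SID as a query parameter.

```php
<?php
// Added example, not from the thread: find session ids in the URL that
// more than one client address has used. Each hit is a session that was
// shared, which is the symptom behind "I refreshed and got someone else's cart".

// Constructed access-log lines (common log format). The first SID is the one
// quoted in the thread; the second and all addresses are made up.
$logLines = [
    '203.0.113.10 - - [05/Apr/2011:09:50:01 +0000] "GET /catalog/?SID=99123d60a14a80cd0c6a19922797a9ca40 HTTP/1.1" 200 5120',
    '203.0.113.10 - - [05/Apr/2011:09:51:12 +0000] "GET /checkout/cart/?SID=99123d60a14a80cd0c6a19922797a9ca40 HTTP/1.1" 200 7044',
    '198.51.100.23 - - [05/Apr/2011:10:02:45 +0000] "GET /checkout/cart/?SID=99123d60a14a80cd0c6a19922797a9ca40 HTTP/1.1" 200 7044',
    '192.0.2.77 - - [05/Apr/2011:10:03:00 +0000] "GET /catalog/?SID=abcdef0123456789abcdef0123456789 HTTP/1.1" 200 5120',
    '192.0.2.78 - - [05/Apr/2011:10:03:30 +0000] "GET /catalog/ HTTP/1.1" 200 5120',
];

// Map each SID to the distinct client addresses that presented it.
// Requests without a SID carry nothing to correlate and are skipped.
function sidsByClient(array $lines): array
{
    $seen = [];
    foreach ($lines as $line) {
        if (!preg_match('/^(\S+) .*?"(?:GET|POST) \S*[?&]SID=([0-9a-f]+)/', $line, $m)) {
            continue;
        }
        [, $ip, $sid] = $m;
        $seen[$sid][$ip] = true;
    }
    return $seen;
}

// SIDs presented by more than one address, with the addresses involved.
function sharedSids(array $lines): array
{
    $shared = [];
    foreach (sidsByClient($lines) as $sid => $ips) {
        if (count($ips) > 1) {
            $shared[$sid] = array_keys($ips);
        }
    }
    return $shared;
}

foreach (sharedSids($logLines) as $sid => $ips) {
    printf("SID %s used from %d clients: %s\n", $sid, count($ips), implode(', ', $ips));
}
```

Shoppers behind one NAT or proxy share an address, so this undercounts, and a client whose address changes mid-visit will show up as two; treat hits as leads to confirm against the session store rather than proof.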

 
 
brendanb
Mentor
 
Total Posts:  1077
Joined:  2008-07-16
London, United Kingdom
 

Hi,

Good information. I don’t have an answer. I have not seen this recur again, however I’m waiting for it to re-appear.

One suggestion would be to add an entry to your robots.txt to make sure Google and Yahoo don’t index the SIDs

something like

User-agent: *
Disallow: /*?SID

Brendan

 