Posting in the Magento forums has been disabled pending the implementation of a new and improved forum solution which should better serve the community.

For new questions please post at magento.stackexchange.com, the community-run support site for the Magento community. We will be providing updates on the new forum solution soon. For questions or concerns please email community@magento.com.

Magento Forum

Page 3 of 3
Customers Login and see someone else’s account info
 
kalenjordan
Sr. Member
 
Total Posts:  218
Joined:  2011-10-31
Pasadena, CA
 

Does anyone have exact repro steps for this?  It sounds like for most of you, if not all of you, it occurs consistently under your regular traffic to your production environment.  But if anyone is able to reproduce this consistently in a staging environment, say by logging two customers in, in separate browsers, and following specific steps, I’d be interested to know.

kalenjordan
Sr. Member
 
Total Posts:  218
Joined:  2011-10-31
Pasadena, CA
 

@ShaunE, you mentioned that you turned both REMOTE_ADDR and HTTP_USER_AGENT ON and when you did so it resolved the session collisions but then you had problems with logins.  Have you attempted to just turn on HTTP_USER_AGENT and leave REMOTE_ADDR off?

One of the reasons that REMOTE_ADDR blocks users from logging in is that if they are on an ISP that randomly (or sometimes upon going from http to https in a checkout flow) routes them to a different IP address, then this validation will fail and their session will get dropped.

kalenjordan
Sr. Member
 
Total Posts:  218
Joined:  2011-10-31
Pasadena, CA
 

My client went with REMOTE_ADDR off and HTTP_USER_AGENT on, worked like a charm.  Hope you guys get this figured out.  She’s a doozy!!

miszymang
Jr. Member
 
Total Posts:  2
Joined:  2013-03-26
 

Hello,

Some people reported the same issue to me (a customer sometimes sees the frontend as if he were logged in as another customer), and I have all the settings under Session Validation Settings set to YES except Use SID on Frontend, which I have set to NO; the cookie domain is set and the session storage is memcache, and still it happens. Any idea where to look for a solution for this?

And is there any official Magento Team response for this? The first post in this thread was like 5 years ago and it still is an issue…

elspood
Magento Team
 
Total Posts:  22
Joined:  2012-05-01
Magento
 
miszymang - 26 March 2013 08:44 AM

And is there any official Magento Team response for this? The first post in this thread was like 5 years ago and it still is an issue…

Our current recommendation is to customize the PHP entropy settings:

http://www.php.net/manual/en/session.configuration.php#ini.session.entropy-file
http://www.php.net/manual/en/session.configuration.php#ini.session.entropy-length

32 bytes of entropy should be more than adequate to minimize the risk of collisions.

If at some point we decide to replace the existing session management scheme, eliminating the possibility of session collision will be part of the requirements.

charles.eddy
Jr. Member
 
Total Posts:  1
Joined:  2010-11-24
 

We ran into the same issue with session collision, and increased the entropy settings as above, which we had thought solved the issue as it hadn’t occurred again for a while.
However, this issue re-emerged and we were able to diagnose the point at which it happened and why. Basically we had a page that checked if the user was logged in and, if not, would ask them to provide an email address to join our newsletter. This page was being cached by Varnish, so if the user didn’t have a session at this point and went to the page at the same time as another user (not sure exactly how wide this window was) it would give both users the same session cookie and cause the collision.

So we solved the issue by adding this page to the list of stuff Varnish should pipe. I hope this helps someone else out.

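The cache-side fix described above, as an added example that is not from the post or from Magento: it keeps the login-check page out of the cache and, going beyond the single page in the post, refuses to store any response that sets a cookie. Written for VCL 4.0; the URL pattern is a placeholder for the newsletter page.

```vcl
vcl 4.0;

sub vcl_recv {
    # Placeholder path for the page that checks the login state and may start a session.
    if (req.url ~ "^/newsletter/") {
        # The post used pipe; pass keeps Varnish in the loop but still forwards every
        # request to the backend, so each visitor receives their own cookie.
        return (pass);
    }
}

sub vcl_backend_response {
    # A response carrying Set-Cookie is per-visitor. If it is stored, the next visitor
    # without a cookie is handed the same session id and lands in the first visitor's
    # session. Varnish's built-in VCL performs this check; custom VCL that returns
    # early or strips Set-Cookie before reaching it must keep the rule.
    if (beresp.http.Set-Cookie) {
        set beresp.uncacheable = true;
        set beresp.ttl = 120s;
        return (deliver);
    }
}
```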
mirec13
Jr. Member
 
Total Posts:  2
Joined:  2014-05-08
 

I had the same issue; the problem was solved.

Michael Baker
Jr. Member
 
Total Posts:  11
Joined:  2010-08-15
 

We had a similar issue where customers were able to be logged in as other users, seemingly at random. Some of them would be logged in and not know it and get all the way through checkout, place an order - then the confirmation email was sent to the wrong user. Embarrassing.

Our fix did not have to do with php session entropy.

We had migrated the site from a different platform that was hosted and managed by a different company. They had some URLs that used a GET variable like SID=SOMEPROMOCODE. Since Magento uses this to carry the session across multi-domain sites, it was creating a cookie with that frontend session id. Then another user would click a similar link, and since they didn’t have a cookie already created for our domain it would create one with SOMEPROMOCODE as the id and voilà... they are logged in and/or with stuff from the other user’s activity already in their cart.

My fix was to put a query string rewrite rule in the Apache config, since we don’t have a multi-domain setup. I used this guide: https://wiki.apache.org/httpd/RewriteQueryString

I could’ve set the ‘use session id on frontend’ admin setting to false... but we are on an older version where that setting is not available.

I suggest that Magento put some validation of the SID variable before creating a cookie with its value as the frontend id.

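The validation suggested above, as an added example that is not Magento's code: a SID arriving in the query string is adopted only if it has the shape of a server-generated id and the server actually issued it, so a value like SOMEPROMOCODE never becomes anyone's session. Function names and the files-backend lookup are assumptions for illustration; the syntax needs PHP 7.1 or later.

```php
<?php
// Added example (not Magento code). Assumed helper names: sidLooksValid,
// sidExistsInStore, acceptQuerySid. Lookup assumes the "files" session handler.
declare(strict_types=1);

// Format check. PHP session ids contain only [0-9a-zA-Z,-]; the length follows from
// session.hash_function and session.hash_bits_per_character (e.g. 32 chars for MD5
// with 4 bits per character). "SOMEPROMOCODE" passes the character test, so the
// length and the existence check below are what actually reject it.
function sidLooksValid(string $sid, int $expectedLength): bool
{
    return strlen($sid) === $expectedLength
        && preg_match('/^[0-9a-zA-Z,-]+$/', $sid) === 1;
}

// Existence check: only an id this server issued earlier may be resumed. The files
// handler stores each session at "<save_path>/sess_<id>"; a memcache backend would do
// its own lookup. PHP >= 5.5.2 provides the same guarantee natively with
// session.use_strict_mode = 1, which discards ids it never generated.
function sidExistsInStore(string $sid, string $savePath): bool
{
    return is_file($savePath . DIRECTORY_SEPARATOR . 'sess_' . $sid);
}

// Returns the id to resume, or null when the visitor must get a fresh session.
function acceptQuerySid(array $query, int $expectedLength, string $savePath): ?string
{
    if (!isset($query['SID']) || !is_string($query['SID'])) {
        return null;
    }
    $sid = $query['SID'];
    if (!sidLooksValid($sid, $expectedLength) || !sidExistsInStore($sid, $savePath)) {
        return null; // malformed or never issued: do not create a cookie with it
    }
    return $sid;
}

// Constructed demo: a promo-code style value from a legacy link is rejected.
$resume = acceptQuerySid(['SID' => 'SOMEPROMOCODE'], 32, sys_get_temp_dir());
if ($resume !== null) {
    session_id($resume);   // resume the verified session
}
session_start();           // otherwise PHP generates a fresh id for this visitor
// After a successful login, also call session_regenerate_id(true) so an
// authenticated customer never keeps an id that existed before authentication.
```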