We have had 3 instances (that we know of) in the past month where a user has clicked on the my account link and has been logged in as another user.
To stop this happening we have turned everything on in Session Validation Settings:
Use SID on Frontend
However, we are now getting reports of customers not being able to check out and being redirected to the home page (assuming this is because they lose their session).
We seem to be in a catch-22 situation with this, not wanting to have the security flaws with turning these settings off and likewise not wanting to stop people being able to check out.
We are running Magento 220.127.116.11 on PHP 5.2.17.
Any help with this would be very much appreciated.