Posting in the Magento forums has been disabled pending the implementation of a new and improved forum solution which should better serve the community.

For new questions please post at magento.stackexchange.com, the community-run support site for the Magento community. We will be providing updates on the new forum solution soon. For questions or concerns please email community@magento.com.

Magento Forum

Users seeing other people's details
 
jaldred
Jr. Member
 
Total Posts:  5
Joined:  2010-02-10
 

Hi,

We have had 3 instances (that we know of) in the past month where a user has clicked on the my account link and has been logged in as another user.

To stop this happening we have turned everything on in Session Validation Settings:
Validate REMOTE_ADDR
Validate HTTP_VIA
Validate HTTP_X_FORWARDED_FOR
Validate HTTP_USER_AGENT
Use SID on Frontend

However, we are now getting reports of customers not being able to check out and being redirected to the home page (assuming this is because they lose their session).

We seem to be in a catch-22 situation with this, not wanting to have the security flaws from turning these settings off and likewise not wanting to stop people from being able to check out.

We are running Magento 1.5.0.1 on PHP 5.2.17.

Any help with this would be very much appreciated.

Cheers

James

 
 
Extendware
Sr. Member
 
Total Posts:  231
Joined:  2011-08-04
 

I would disable using SID on the frontend. This will force the use of cookies which prevents session takeovers.

Also, regarding users not being able to check out: that is really strange. It must have to do with the session not carrying over between http / https. Also, I have seen servers with incorrect time settings that make it so some browsers will not accept the cookies.
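To make the trade-off in this thread concrete, here is an added model (not Magento's code, and not from either poster) of the two mechanisms being discussed: the fingerprint checks behind the "Session Validation Settings" the original post turned on, and the difference between accepting a session id only from a cookie versus also from a SID query parameter. Names such as `SessionStore`, the `frontend` cookie name, the `SID` query key and all request values are constructed for the example. The first helper shows why validating REMOTE_ADDR evicts a customer whose address changes between requests (the lost-session symptom); the second shows why a session id carried in a URL can resolve to another customer's session, which cookie-only handling prevents.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field

# Constructed model of the "Session Validation Settings" named in the thread.
VALIDATED_VARS = ("REMOTE_ADDR", "HTTP_VIA", "HTTP_X_FORWARDED_FOR", "HTTP_USER_AGENT")


@dataclass
class Request:
    """Minimal stand-in for one HTTP request (constructed, not a framework type)."""
    server: dict                      # CGI-style variables, e.g. REMOTE_ADDR, HTTP_USER_AGENT
    cookies: dict = field(default_factory=dict)
    query: dict = field(default_factory=dict)


class SessionStore:
    """Hypothetical server-side session store with per-setting validation."""

    def __init__(self, validate, use_sid_on_frontend):
        self.validate = validate                    # {"REMOTE_ADDR": True, ...}
        self.use_sid_on_frontend = use_sid_on_frontend
        self.sessions = {}

    def fingerprint(self, request):
        # Hash only the variables whose validation is switched on; a request
        # whose values differ from those recorded at login will not match.
        parts = [request.server.get(v, "") for v in VALIDATED_VARS if self.validate.get(v)]
        return hashlib.sha256("\x00".join(parts).encode()).hexdigest()

    def start(self, request, customer_id):
        sid = secrets.token_hex(16)
        self.sessions[sid] = {"customer_id": customer_id,
                              "fingerprint": self.fingerprint(request)}
        return sid

    def session_id_from(self, request):
        # Cookie first; the query-string SID is honoured only when the
        # "Use SID on Frontend" style setting is enabled.
        sid = request.cookies.get("frontend")
        if sid is None and self.use_sid_on_frontend:
            sid = request.query.get("SID")
        return sid

    def resolve(self, request):
        """Customer id bound to the request's session, or None when the session
        is missing or fails validation (the server would then start a new,
        anonymous session, which is what a shopper experiences as being kicked
        back to the home page mid-checkout)."""
        sid = self.session_id_from(request)
        data = self.sessions.get(sid)
        if data is None:
            return None
        if not hmac.compare_digest(data["fingerprint"], self.fingerprint(request)):
            del self.sessions[sid]   # never serve a session to a mismatched client
            return None
        return data["customer_id"]


def customer_after_ip_change(validate_remote_addr):
    """Same browser, same cookie, but the client address changed (e.g. carrier
    NAT or a proxy pool). Returns the customer id if the session survived."""
    store = SessionStore(validate={"REMOTE_ADDR": validate_remote_addr,
                                   "HTTP_USER_AGENT": True},
                         use_sid_on_frontend=False)
    ua = "Mozilla/5.0 (constructed)"
    login = Request(server={"REMOTE_ADDR": "203.0.113.10", "HTTP_USER_AGENT": ua})
    sid = store.start(login, customer_id=42)
    checkout = Request(server={"REMOTE_ADDR": "203.0.113.11", "HTTP_USER_AGENT": ua},
                       cookies={"frontend": sid})
    return store.resolve(checkout)


def customer_for_url_sid(use_sid_on_frontend):
    """A different client presents the owner's session id in the query string
    and has no cookie. Returns whose session it resolves to (None = rejected)."""
    store = SessionStore(validate={}, use_sid_on_frontend=use_sid_on_frontend)
    owner = Request(server={"REMOTE_ADDR": "203.0.113.10",
                            "HTTP_USER_AGENT": "Mozilla/5.0 (constructed)"})
    sid = store.start(owner, customer_id=42)
    other = Request(server={"REMOTE_ADDR": "198.51.100.7",
                            "HTTP_USER_AGENT": "Other/1.0 (constructed)"},
                    query={"SID": sid})
    return store.resolve(other)


if __name__ == "__main__":
    print("REMOTE_ADDR validated, IP changed  ->", customer_after_ip_change(True))
    print("REMOTE_ADDR not validated, IP changed ->", customer_after_ip_change(False))
    print("SID in URL accepted               ->", customer_for_url_sid(True))
    print("cookie-only session id            ->", customer_for_url_sid(False))
```

The model deliberately keeps the settings independent so each can be tried on its own: with `validate={}` the fingerprint is constant and only the session-id source matters, which isolates the point Extendware makes about forcing cookies; with REMOTE_ADDR validation on, any legitimate address change costs the shopper their session, which is the trade-off the original post describes.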

 
 
jaldred
Jr. Member
 
Total Posts:  5
Joined:  2010-02-10
 

Hi,

Thanks for this information; however, when I turn that option off (and I've also tried turning all options off) the customer cannot get to the checkout page. It simply loops back to the shopping basket page.

I'm a bit at a loss on what to do with this. At the moment we have turned the login functionality off and turned the security settings down.

Many thanks

James

 
 
armorbear2
Jr. Member
 
Total Posts:  1
Joined:  2012-03-12
 

Thanks for sharing this information.

 
 
Brynnae
Member
 
Total Posts:  36
Joined:  2012-04-17
California
 

I think SID will be a better option as cookies will be used.

 