Magento Forum

Big session ID issue
 
snarkys
Sr. Member
 
Total Posts:  124
Joined:  2008-04-04
 

We had this problem on our last cart and it turned into a really scary problem; it is also happening on our Magento cart. Basically we had two issues.

1) Search engines would post links that included the session ID.
2) Even worse, customers would post what they think are just links to our site that include the session ID in the URL.

Then what happens is two or more people click on these links around the same time and then share the same session ID. Now they are sharing the same cart and adding and subtracting things from each other’s cart. Even worse, when one of them logs into their account, the other person is now logged into that person’s account and it shows that person’s address and account information. Meanwhile the other person is still adding items to the other person’s cart…

What made this even worse is people were posting these links with session IDs on local forums, and when someone makes a post or bumps it up there are a lot of people clicking on that in a relatively short period of time. What made it particularly bad is Joe would go check out and then see his address field, which is then filled with Jill’s address, and since it is a local board he knows Jill and is really lost as to why Jill has her account info in what he thinks is his account.

I was able to recreate this same issue on Magento using two different PCs.

On our OSC-based cart the only way we could get around this was to force cookies so that the session ID never showed up in the URL. The only way around the links that already existed was to get the site to change your SID once you logged in. This meant you can still be on the same session ID, but at least once one of you logs in to check out you won’t be. I know Zen Cart got around this by giving you a new session if it detected that you came in from an outside link that had one, or maybe any link.
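One way a shop operator could confirm from web-server logs that pasted SID links are being shared, as described in the post above. This is an added example, not part of the thread; the combined log format, host names, SIDs and the `shared_sids` function are constructed for illustration.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit, parse_qs

# Constructed access-log lines (combined log format); hosts, SIDs and referers are made up.
SAMPLE_LOG = '''\
203.0.113.5 - - [25/Feb/2009:11:02:10 +0000] "GET /electronics?SID=aaaa1111 HTTP/1.1" 200 5120 "http://www.shop.example/" "Firefox/3.0"
198.51.100.7 - - [25/Feb/2009:11:05:44 +0000] "GET /electronics?SID=aaaa1111 HTTP/1.1" 200 5120 "http://forum.example/thread/42" "MSIE 7.0"
192.0.2.33 - - [25/Feb/2009:11:06:02 +0000] "GET /electronics?SID=aaaa1111 HTTP/1.1" 200 5120 "http://forum.example/thread/42" "Safari/525"
203.0.113.9 - - [25/Feb/2009:11:07:30 +0000] "GET /checkout?SID=bbbb2222 HTTP/1.1" 200 2048 "http://www.shop.example/cart" "Firefox/3.0"
'''

LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?:GET|POST) (?P<target>\S+) [^"]*" '
    r'\d{3} \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)


def shared_sids(log_text, own_hosts=("www.shop.example", "shop.example")):
    """Return every URL-borne SID used by more than one client, with what was seen."""
    seen = defaultdict(lambda: {"clients": set(), "external_referers": set()})
    for line in log_text.splitlines():
        m = LINE.match(line)
        if not m:
            continue  # skip lines that are not in combined log format
        sids = parse_qs(urlsplit(m["target"]).query).get("SID", [])
        ref_host = urlsplit(m["referer"]).hostname  # None for "-" or empty referers
        for sid in sids:
            # A client is approximated by (IP, User-Agent); shared NAT can merge clients.
            seen[sid]["clients"].add((m["ip"], m["ua"]))
            if ref_host and ref_host not in own_hosts:
                seen[sid]["external_referers"].add(ref_host)
    return {sid: info for sid, info in seen.items() if len(info["clients"]) > 1}


if __name__ == "__main__":
    for sid, info in shared_sids(SAMPLE_LOG).items():
        print(sid, len(info["clients"]), sorted(info["external_referers"]))
```

An SID that arrives from several clients with an off-site referer is the pasted-link case; the referer host shows where the link was posted.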

 
 
Incognito
Guru
 
Total Posts:  322
Joined:  2008-08-07
Michigan
 

You can fix the search engine part of the problem with a robots.txt file, e.g. “Disallow: /*?SID”

 
 
snarkys
Sr. Member
 
Total Posts:  124
Joined:  2008-04-04
 

That’s good to know.

Sadly the forum issue was the bigger of the two problems, since this was a much more likely cause of two people clicking at the same time.

 
 
ShopGuy
Guru
 
Total Posts:  462
Joined:  2008-09-07
 

Not sure how to fix this, but it would be nice for Magento to look into it.

The best way I can think to fix this is to take a hash of the user’s browser, IP address, etc. and store it in the session. If someone tries to start a session that does not match the hash then they are given a new session ID. At one point I think even osCommerce used this measure as an additional security measure. It is not as perfect because of proxies, but it would cut it down 95%.

Even better would be anytime someone uses a session without the correct hash, then that session ID will be disabled for XX months. That would solve it 99.9% of the way and would still allow people to order without cookies.

 
 
snarkys
Sr. Member
 
Total Posts:  124
Joined:  2008-04-04
 

IMHO this is a pretty major security flaw. Customers who experience it get really freaked out and post about it all over the forums, which of course really hurts sales.

 
 
Incognito
Guru
 
Total Posts:  322
Joined:  2008-08-07
Michigan
 

On my installation the only time the SID is in the URL is if the link is to another domain. Could you make it so all the links in the forum take out everything after “?SID=”? Another thing that you could do is add a “link to this page” button. People might use that instead of copying it out of the address bar. You also may be able to mask or cloak your URL.

 
 
snarkys
Sr. Member
 
Total Posts:  124
Joined:  2008-04-04
 
Incognito - 25 February 2009 11:12 AM

On my installation the only time the SID is in the URL is if the link is to another domain. Could you make it so all the links in the forum take out everything after “?SID=”? Another thing that you could do is add a “link to this page” button. People might use that instead of copying it out of the address bar. You also may be able to mask or cloak your URL.

On most of the PCs I try my site on, it never shows the SID; however, on a few PCs the first click you make on the site displays the SID in the URL of that page. I’m guessing this is a cookie or security setting on those PCs?

These are public forums where people discuss everything. No way to control what’s in the URL.

A link to this page is an idea but not really a solution to a security hole this big. It really needs to be solved permanently.

 
 
Incognito
Guru
 
Total Posts:  322
Joined:  2008-08-07
Michigan
 

It is necessary to pass the SID in the URL, otherwise you would not be able to sync the sessions on two different domains. If a user goes to the secure part of your site (e.g. my account) then back to the unsecure part of your site, then the SID will appear in the URL. You may be able to use JavaScript to redirect to the page minus the SID if the SID is in the URL. Not sure if Google will like it but it should work. It will also make your logs inaccurate but it is better than your customers having problems.

 
 
ShopGuy
Guru
 
Total Posts:  462
Joined:  2008-09-07
 

The SSID has to display in the case where cookies are not enabled. The first request to Magento with all cookies deleted will show the SSID on the next link clicked. The reason why is because Magento cannot determine if you are accepting cookies or not until the second request.

 
 
snarkys
Sr. Member
 
Total Posts:  124
Joined:  2008-04-04
 

I’m pretty sure that Zen Cart fixed this by simply giving you a new SID if it determined that you came in from a link that had the SID in the URL.

 
 
snarkys
Sr. Member
 
Total Posts:  124
Joined:  2008-04-04
 

Looks like in my case the difference between the SID showing up or not is if there is a www. in the address.

http://site.com
VS
http://www.site.com

This is also repeatable on Varien’s hosted demo.

http://demo.magentocommerce.com/ works just fine and doesn’t list the SID, but...

If you do add the www (http://www.demo.magentocommerce.com/) and then click on any item link on the page, the next page will have the SID in it: http://demo.magentocommerce.com/electronics?SID=5a33794aad86aad47bfbc53e83bbc0a4

Now you can click that link on several different computers and all be logged into the same session and adding/subtracting/shipping/changing account data on the same SID/cart.

After doing a bit of searching, this has been brought up many times; seems like a security flaw this large should have a higher priority. Is there a way to directly tell Varien about bugs rather than just posting here?

I know there are a few tricks around search engines posting the SID links, but the only way to stop actual people from posting them is for them not to appear at all, or to make changes to how the system handles them so multiple people can’t be using the same SID... Again, CRE Loaded got around the most severe portion of this by giving a new SID when you log in so others can’t be logged into your account.
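The two mitigations raised in this thread, binding a session to a hash of the client’s IP address and browser and issuing a new SID at login, sketched as an in-memory model. This is an added example, not part of the thread and not Magento’s code; the `SessionStore` class, its method names and all addresses are hypothetical.

```python
import hashlib
import secrets


class SessionStore:
    """In-memory model of a cart's server-side session table (constructed)."""

    def __init__(self):
        self.sessions = {}  # sid -> {"fp": str, "cart": list, "user": str or None}

    @staticmethod
    def fingerprint(ip, user_agent):
        # Hash of client traits, as proposed in the thread. Proxies and shared
        # NAT make this a heuristic for spotting pasted links, not authentication.
        return hashlib.sha256(f"{ip}|{user_agent}".encode()).hexdigest()

    def _new(self, fp, cart=None, user=None):
        sid = secrets.token_hex(16)  # unpredictable 128-bit identifier
        self.sessions[sid] = {"fp": fp, "cart": list(cart or []), "user": user}
        return sid

    def resolve(self, ip, user_agent, cookie_sid=None, url_sid=None):
        """Return the SID this request runs under; never adopt a foreign one."""
        fp = self.fingerprint(ip, user_agent)
        sid = cookie_sid or url_sid
        sess = self.sessions.get(sid)
        if sess is None or sess["fp"] != fp:
            # Unknown SID, or a known SID presented by a different client
            # (for example via a link pasted on a forum): start a clean session.
            return self._new(fp)
        return sid  # same client, e.g. a cookie-less shopper carrying ?SID=

    def login(self, sid, user):
        """Rotate the SID at login so any copy of the pre-login SID is dead."""
        old = self.sessions.pop(sid)
        return self._new(old["fp"], cart=old["cart"], user=user)


if __name__ == "__main__":
    store = SessionStore()
    jill = store.resolve("203.0.113.5", "Firefox/3.0")
    joe = store.resolve("198.51.100.7", "MSIE 7.0", url_sid=jill)
    print("Joe shares Jill's session:", joe == jill)
```

Rotation at login is the stronger control of the two: it holds even when two clients produce the same fingerprint behind one proxy.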

 
 
snarkys
Sr. Member
 
Total Posts:  124
Joined:  2008-04-04
 

Well, since it was repeatable on even the demo store hosted on this forum I reported it as a bug; hopefully it is important enough to be assigned to someone. Certainly seems more important than some of the fixes being worked on.

 
 
Ashley
Member
 
Total Posts:  51
Joined:  2008-07-23
 

This bug is driving me crazy…

Whenever I try and do anything in the admin area the SID appends itself in the middle of the URL. To modify a category I have to click on it and then remove the SID rubbish from the URL before it will show up. This was not happening but now is. Our domain has www at the beginning as well so it’s not that. We do use store codes in the URL, could it have something to do with that?

 
 
Ashley
Member
 
Total Posts:  51
Joined:  2008-07-23
 

I have finally made some progress on this. I have set the cookie domain in the admin to be mysite.com. To fix the admin I have disabled Use Secure URLs in Admin. This has removed the SID from the URLs in the admin area. We use https for our checkout only, and the second you proceed to it the SID appears in the URL again.

So basically switching between http and https causes the SID in the URL.

 