
Magento Forum

Security and privacy
 
Scott Gibson
Jr. Member
 
Total Posts:  3
Joined:  2009-01-14
 

I recently installed and populated a site for a client with a 12k existing user base and about 4k products. Everything seemed OK at first, barring an obvious bug with the backend. Then clients started reporting that they could see other people's account information without even logging in. I hired a consultant from Varien's recommended list and they were, in a word, WORTHLESS. In the end they really just cost me a lot of time. I eventually thought it must have been a DB corruption when I imported the old customer list from the previous store. I created a new installation of Magento, and once again imported the products and user list. I hoped the issue was solved but it isn't. Is the problem that Magento can't handle 12k users, is it a cookie problem, or a problem with how it is handling sessions? I kept the default option to keep sessions in the file system.

This is really a huge problem, as it means that the store is in violation of many international privacy laws, not to mention the fact that it is killing sales as it demolishes client confidence in the store. I am actually considering dumping the existing users and having people create new accounts. If that doesn't work I am going to have to build the store again on another cart. So far my Magento experience has been, in a word, a nightmare. I thought I had done due diligence when I researched it; obviously the hype overshadowed the warnings. Ironically, the fact that Magento handled decimal qtys was the reason we chose it; turns out the backend bug I mentioned is that the backend doesn't do decimals! They did say it has been resolved and will be in the new release; I guess time will tell.

If anyone has any ideas what could be causing this, please let me know. I will answer any questions you might have about the specifics of the install if needed. Thanks.

 
 
randnew
Jr. Member
 
Total Posts:  3
Joined:  2009-07-23
 

Issue #16302, which is about this problem, was closed and they made the following comment:

We are convinced that the issue occurs when the store owner or anyone else accidentally shares a link with a session ID into search engines or marketing emails.

One of the solutions for this is to make the system ignore the SID in the URL. Although it breaks session sharing between stores/websites that have different domains in the base URL, it will be more secure.

Magento 1.4.0 stable will have this feature, which will ignore SID by default.

Does anybody know how to make the system ignore the SID in the URL?

 
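The failure mode Varien describes in the quoted comment, and the fix the poster is asking about, reduce to one question: does the application let a session ID carried in the URL override the visitor's own cookie? The following PHP is an added example written for this thread, not Magento's code. It puts the URL-SID-wins behaviour beside the cookie-only behaviour, runs both against a constructed scenario (a store owner's link copied out of a logged-in browser and mailed to a customer), and shows a helper that scrubs a leaked SID parameter before a URL is reused. The parameter name `SID` is Magento 1.x's; the cookie name `frontend`, the host `shop.example` and the session values are made up for the example.

```php
<?php
// Added example for this thread, not Magento's own code.
declare(strict_types=1);

const SID_PARAM = 'SID'; // Magento 1.x's query-string session parameter name

/**
 * URL-SID-wins resolution: a SID in the query string overrides the cookie,
 * so anyone who follows a link containing ?SID=... lands in that session.
 * This is the behaviour that turns a link pasted into a newsletter or
 * crawled by a search engine into "customers see each other's accounts".
 */
function resolveSessionIdUrlSid(array $cookies, array $query, string $cookieName): ?string
{
    if (isset($query[SID_PARAM]) && $query[SID_PARAM] !== '') {
        return (string) $query[SID_PARAM];
    }
    return $cookies[$cookieName] ?? null;
}

/**
 * Cookie-only resolution: the query string is never consulted. This is what
 * "ignore SID in URL" means. The trade-off from Varien's comment follows
 * directly: a ?SID= link can no longer carry a session to a store on a
 * different domain, because nothing reads it any more.
 */
function resolveSessionIdCookieOnly(array $cookies, array $query, string $cookieName): ?string
{
    return $cookies[$cookieName] ?? null;
}

/**
 * PHP-level settings that stop PHP's native session handling from reading or
 * writing a session ID in URLs. Caveat: these only govern PHP's built-in
 * behaviour. An application that reads the query parameter itself and passes
 * it to session_id(), as Magento 1.x does, is not covered by them and needs
 * its own switch.
 */
function hardenPhpSessionIni(): void
{
    ini_set('session.use_only_cookies', '1'); // never take the id from the URL
    ini_set('session.use_trans_sid', '0');    // never rewrite links to carry it
    ini_set('session.use_strict_mode', '1');  // reject ids the server never issued (PHP >= 5.5.2)
    ini_set('session.cookie_httponly', '1');  // keep the cookie out of reach of page scripts
}

/** Strip a leaked SID parameter from a URL before it goes into an email or sitemap. */
function stripSidFromUrl(string $url): string
{
    $parts = parse_url($url);
    if ($parts === false || !isset($parts['query'])) {
        return $url;
    }
    parse_str($parts['query'], $params);
    unset($params[SID_PARAM]);
    $rebuilt = ($parts['scheme'] ?? 'http') . '://' . ($parts['host'] ?? '') . ($parts['path'] ?? '/');
    if ($params !== []) {
        $rebuilt .= '?' . http_build_query($params);
    }
    if (isset($parts['fragment'])) {
        $rebuilt .= '#' . $parts['fragment'];
    }
    return $rebuilt;
}

// Constructed scenario: the owner copies an account URL out of his own logged-in
// browser (so it carries his SID) into a marketing email. A customer who already
// has her own session cookie clicks it.
$leakedLink     = 'http://shop.example/customer/account/?SID=ownersess123&utm_source=news';
$customerCookie = ['frontend' => 'customersess999'];
$query          = [];
parse_str((string) parse_url($leakedLink, PHP_URL_QUERY), $query);

hardenPhpSessionIni();

echo 'URL SID honoured : ', resolveSessionIdUrlSid($customerCookie, $query, 'frontend'), PHP_EOL;
echo 'Cookie only      : ', resolveSessionIdCookieOnly($customerCookie, $query, 'frontend'), PHP_EOL;
echo 'Scrubbed link    : ', stripSidFromUrl($leakedLink), PHP_EOL;
```

Run with `php example.php`. The first line reports the owner's session ID, which is exactly the cross-account exposure in the first post; the second reports the customer's own cookie value; the third prints the link with only `utm_source` left. In practice the two halves go together: turn off URL-SID handling in the application (in the 1.4 and later releases mentioned above this is the frontend SID setting under the Web session configuration, which the thread says defaults to off), set the php.ini values as a second layer, and regenerate the session ID at login so a fixated or leaked ID is worthless even where a link has already escaped.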