  1. #1
    Join Date
    Jan 2011
    Location
    Ohio
    Posts
    111
    Plugin Contributions
    0

    Customer Login CROSSED With Another Customers Login

    I'm running Zen Cart v1.3.9h, and PHP Version 5.4.45. My website was installed in 2010, and has been "Heavily Modified" over the years. I do not sell physical products, but instead my products are "Training Class Dates", and my customers purchase a "Seat" in my classes!

    I know that I should have updated my site (probably long ago), but it would be a nightmare with all of the modifications. The site works well, however only once in a while a customer will call to tell me that when they went to login to their account, they found that they were "Already Logged Into Another Customers Account"!!!

    I have seen this myself a few times by simply visiting my main page, and refreshing the page! I would then already be logged into a customers account that had just purchased a seat in a class from my site! If I Logout, then all is back to normal, and I can login myself just fine!

    Like I said, it does Not always happen, and I can't recreate the issue, but I've seen it about 4-5 times in a year, but hard to know how much it happens to other customers!

    Does anyone have any ideas?
    Thanks in advance.....!

  2. #2
    Join Date
    Jul 2012
    Posts
    16,739
    Plugin Contributions
    17

    Re: Customer Login CROSSED With Another Customers Login

    This can happen if two visitors share the same session. In particular if the link(s) used to access the site share the same zenid parameter in the link.
    ZC Installation/Maintenance Support <- Site
    Contribution for contributions welcome...

  3. #3
    Join Date
    Jan 2011
    Location
    Ohio
    Posts
    111
    Plugin Contributions
    0

    Re: Customer Login CROSSED With Another Customers Login

    Quote Originally Posted by mc12345678
    This can happen if two visitors share the same session. In particular if the link(s) used to access the site share the same zenid parameter in the link.

    Thanks for your reply, but not sure I totally understand! How can I fix this? Thanks!

  4. #4
    Join Date
    Jul 2012
    Posts
    16,739
    Plugin Contributions
    17

    Re: Customer Login CROSSED With Another Customers Login

    Well as far as a way forwards, don't post, email or otherwise distribute a link that includes a zenid in it...

    To address those occurrences of the past, if you know what the zenid was, it could be removed from the uri of an incoming uri through either a htaccess rewrite or via php before the session is set.

    If the problem is so rampant that no one can do anything, then perhaps changing the session identifier would be the next solution after fixing the software from what would likely be an altered state. (meaning, if this has happened more than likely the software has been modified by someone that shouldn't have had access...)
    ZC Installation/Maintenance Support <- Site
    Contribution for contributions welcome...
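
To find out which zenid values have already been passed around ("if you know what the zenid was"), the web server's access log can be searched for a zenid that arrives in request URLs from more than one client. The script below is an added example, not part of the thread and not Zen Cart code; it assumes Apache "combined" log format, and `OWN_HOST`, `find_shared_sessions` and the sample lines are constructed for illustration.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit, parse_qs

OWN_HOST = "shop.example"  # placeholder for the store's own hostname

# Apache "combined" log format (assumed); only the fields used below are captured.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?:GET|POST|HEAD) (?P<target>\S+) [^"]*" '
    r'\d{3} \S+ "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"'
)

# Constructed sample lines (documentation IP ranges, made-up zenid values).
SAMPLE_LOG = [
    '192.0.2.10 - - [01/Jan/2020:10:00:00 +0000] "GET /index.php?main_page=login&zenid=aaa111 HTTP/1.1" 200 512 "-" "Mozilla/5.0 (A)"',
    '192.0.2.10 - - [01/Jan/2020:10:05:00 +0000] "GET /index.php?main_page=account&zenid=aaa111 HTTP/1.1" 200 900 "https://shop.example/index.php?main_page=login" "Mozilla/5.0 (A)"',
    '198.51.100.7 - - [01/Jan/2020:11:30:00 +0000] "GET /index.php?main_page=index&zenid=aaa111 HTTP/1.1" 200 700 "https://social.example/post/1" "Mozilla/5.0 (B)"',
    '203.0.113.5 - - [01/Jan/2020:12:00:00 +0000] "GET /index.php?main_page=index&zenid=bbb222 HTTP/1.1" 200 700 "-" "Mozilla/5.0 (C)"',
]


def find_shared_sessions(lines, own_host=OWN_HOST):
    """Return zenid values that arrived in request URLs from more than one client.

    A client is an (IP, User-Agent) pair, so a hit is a lead to review, not proof:
    one visitor can change IP address mid-session.
    """
    clients = defaultdict(set)
    referers = defaultdict(set)
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in the assumed format
        for sid in parse_qs(urlsplit(m["target"]).query).get("zenid", []):
            clients[sid].add((m["ip"], m["agent"]))
            host = urlsplit(m["referer"]).hostname
            if host and host != own_host:
                referers[sid].add(host)  # off-site page that carried the link
    return {
        sid: {"clients": sorted(seen), "external_referers": sorted(referers[sid])}
        for sid, seen in clients.items()
        if len(seen) > 1
    }


if __name__ == "__main__":
    for sid, info in find_shared_sessions(SAMPLE_LOG).items():
        print(sid, info)
```

Each zenid it reports is a candidate for the htaccess or PHP stripping described above, and the external referers show where the link was published.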

  5. #5
    Join Date
    Jan 2004
    Location
    N of San Antonio TX
    Posts
    9,175
    Plugin Contributions
    11

    Re: Customer Login CROSSED With Another Customers Login

    1.3.9h is so very old. ZenID management has made many improvements since. In older versions, it would hang on until it accidentally got passed on as a link to someone or social media.

    I know you may have heard/read many horror stories on upgrades. They're really nowhere near that bad when following the guidelines at How do I rebuild my site on the new version, instead of upgrading? - Blogs - Zen Cart Support.

    You'll have a much improved Zen Cart with many needed security updates and, in some cases, you'll find you don't need several of the mods due to inclusion of the old ones into the core.

    The beauty of the above method is that it can be done at your own pace without interfering with the operation of your store.

    Best of all, you have the folks here at the forum to help along the way.

  6. #6
    Join Date
    Jan 2011
    Location
    Ohio
    Posts
    111
    Plugin Contributions
    0

    Re: Customer Login CROSSED With Another Customers Login

    Quote Originally Posted by dbltoe
    1.3.9h is so very old. ZenID management has made many improvements since. In older versions, it would hang on until it accidentally got passed on as a link to someone or social media.

    I know you may have heard/read many horror stories on upgrades. They're really nowhere near that bad when following the guidelines at How do I rebuild my site on the new version, instead of upgrading? - Blogs - Zen Cart Support.

    You'll have a much improved Zen Cart with many needed security updates and, in some cases, you'll find you don't need several of the mods due to inclusion of the old ones into the core.

    The beauty of the above method is that it can be done at your own pace without interfering with the operation of your store.

    Best of all, you have the folks here at the forum to help along the way.

    Thanks for your reply mc12345678....

    Thanks also dbltoe.... I know you are correct, I really do need to upgrade! I'll read through the article you linked, and if I can do it without taking down my site, that would be wonderful.... I assume file-by-file! I'll give it a read! Thanks!

  7. #7
    Join Date
    Jan 2004
    Location
    N of San Antonio TX
    Posts
    9,175
    Plugin Contributions
    11

    Re: Customer Login CROSSED With Another Customers Login

    "The only thing we have to fear, is fear itself" somebody said. Just do what it says as far as making sure your server is capable. Your current ZC is really not made to work with your version of PHP and 1.5.6c needs at least PHP 5.5 to run.

    This is where you should enlist your host's assistance to make it possible to run both PHP versions while updating. Should be easy for your host.

    Create a new database and follow the "How do I do an upgrade and still keep my live store running in the meantime." One thing many folks miss when upgrading from an older version is the database prefix. In the past, installations often defaulted to a prefix of zc_ which made the admin table become zc_admin. This will be important when you merge your older database into the new site. Make sure the prefixes match and one of the bigger hurdles is already cleared.

  8. #8
    Join Date
    Jan 2011
    Location
    Ohio
    Posts
    111
    Plugin Contributions
    0

    Re: Customer Login CROSSED With Another Customers Login

    Quote Originally Posted by dbltoe
    "The only thing we have to fear, is fear itself" somebody said. Just do what it says as far as making sure your server is capable. Your current ZC is really not made to work with your version of PHP and 1.5.6c needs at least PHP 5.5 to run.

    This is where you should enlist your host's assistance to make it possible to run both PHP versions while updating. Should be easy for your host.

    Create a new database and follow the "How do I do an upgrade and still keep my live store running in the meantime." One thing many folks miss when upgrading from an older version is the database prefix. In the past, installations often defaulted to a prefix of zc_ which made the admin table become zc_admin. This will be important when you merge your older database into the new site. Make sure the prefixes match and one of the bigger hurdles is already cleared.

    Thank you so much again, dbltoe! That really does help, and the process "seems" pretty straight-forward, so going to give it a try soon! I'll post back here with how it goes....

 

 

Zen-Cart, Internet Selling Services, Klamath Falls, OR