  1. #1
    Join Date
    Jun 2006
    Location
    UK
    Posts
    4
    Plugin Contributions
    0

    Session confusion: cart contents appearing in store owner's cart

    Version 1.3.5
    The site owner was logged into admin and looking at Who's Online. She noticed a session with her IP address and an active cart containing several items, which she had not put there. On visiting the store she found that these items were displayed in her cart.
    I checked the site's apache logs. The only add_product hits that day (20 of them) all came from a single other IP address, in another country. I looked at all hits from this latter IP address and found that most had a zenid in the URL - I presume this occurs when cookies are disabled. A few different zenids occurred, as well as some requests with no zenid. There were many hits from this IP over a total of 8 hours, their pattern suggesting human rather than script activity. However the referrer field was always blank.
    I pulled out the products_ids of the add_product hits and the site owner confirmed that these products were all among those in her phantom cart. (There were multiple-adds too, I don't have the ids for these.)

  2. #2
    Join Date
    Aug 2005
    Location
    Arizona
    Posts
    27,761
    Plugin Contributions
    9

    Default Re: Session confusion: cart contents appearing in other user's cart

    Sometimes a URL to your site is posted that contains a session id, so that anyone following that posted URL will end up in another's cart...

    Do not post URLs with a zenid.
    Zen-Venom Get Bitten

  3. #3
    Join Date
    Jun 2006
    Location
    UK
    Posts
    4
    Plugin Contributions
    0

    Default Re: Session confusion: cart contents appearing in store owner's cart

    Thanks for the reply, Kobra; however, that doesn't seem to be what happened in this case. The initial hits from the relevant IP address did not specify a zenid; they were as follows:
    "GET / HTTP/1.0" 200
    "GET /privacy/ HTTP/1.0" 200
    The zenid appeared only on the 5th hit and is consistent with what happens when a visitor with cookies disabled comes to the site, is assigned a zenid which is inserted into the site's dynamically-generated links, and clicks on one of those links.

    I forgot to mention in my initial post that the phantom session that was incorrectly linked to the store owner's IP address was a guest session.

  4. #4
    Join Date
    Jan 2004
    Posts
    66,373
    Blog Entries
    7
    Plugin Contributions
    274

    Default Re: Session confusion: cart contents appearing in store owner's cart

    Can you reproduce this situation on-demand?
    Does it happen if the search-engine-friendly-urls mod you're using is disabled?

    Zen Cart - putting the dream of business ownership within reach of anyone!
    Donate to: DrByte directly or to the Zen Cart team as a whole

    Remember: Any code suggestions you see here are merely suggestions. You assume full responsibility for your use of any such suggestions, including any impact ANY alterations you make to your site may have on your PCI compliance.
    Furthermore, any advice you see here about PCI matters is merely an opinion, and should not be relied upon as "official". Official PCI information should be obtained from the PCI Security Council directly or from one of their authorized Assessors.

  5. #5
    Join Date
    Jun 2006
    Location
    UK
    Posts
    4
    Plugin Contributions
    0

    Default Re: Session confusion: cart contents appearing in store owner's cart

    This situation has only occurred once that we're aware of, I don't know how I would replicate it.


    I wondered whether it might be a session hijacking or forcing attack. However the requests look like those of a genuine shopper* who has cookies disabled and who is being thwarted in their shopping by periodically losing their zenid and hence their cart. I believe this happens because there are some static links on the site, which fail to insert the zenid and so lead to the visitor being allocated a new one. That is something I can address.

    (* Though it's perhaps suspicious that as well as rejecting session cookies, all of their requests have a blank referrer field.)

    The /privacy URL that you picked up on uses mod_rewrite. There are other rewrites in place, however all of them require a match on the complete path (i.e. they take the form ^blah$ ) so if a zenid is present in the path, they won't match and won't apply. So I believe our static URLs are implicated in the problem, but not the rewrites.

    I can address the static URLs, but what troubles me is the association with the site owner's session. AFAICS the static links would be expected to lead to new zenids being generated, but not the id of an existing session. So I'm back to wondering about session forcing or hijacking.

    Do the symptoms fit with any known problems fixed between 1.3.5 and current 1.3.7?

    Thanks, Dave
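The log review described in posts #1, #3 and #5 (finding the add_product hits, pulling out their products_ids, and spotting the points where a cookieless visitor's zenid is dropped and a new one allocated) can be scripted. The following is an added example, not code from the original thread or from Zen Cart. It parses Apache combined-format lines and, per client IP, records the zenids seen in order, each place where a request without a zenid was followed by a different zenid (the static-link symptom), whether every request had a blank referrer, and the products added under each zenid. The log lines, IP addresses, zenids and product ids are constructed for the example; add_product is assumed to appear in the query string as it did in Dave's logs.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Apache "combined" log format:
#   host ident user [time] "request" status bytes "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) (?P<proto>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Constructed sample (not real traffic): a cookieless visitor (203.0.113.7) whose
# zenid is dropped by a static /shipping/ link and replaced by a new one, and the
# store owner (198.51.100.9) browsing with cookies enabled, so no zenid in her URLs.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Jan/2007:09:00:01 +0000] "GET / HTTP/1.0" 200 5120 "-" "Mozilla/4.0"
203.0.113.7 - - [10/Jan/2007:09:00:20 +0000] "GET /privacy/ HTTP/1.0" 200 2210 "-" "Mozilla/4.0"
203.0.113.7 - - [10/Jan/2007:09:01:05 +0000] "GET /index.php?main_page=index&cPath=3&zenid=aaa111 HTTP/1.0" 200 7300 "-" "Mozilla/4.0"
203.0.113.7 - - [10/Jan/2007:09:02:40 +0000] "GET /index.php?main_page=product_info&products_id=12&action=add_product&zenid=aaa111 HTTP/1.0" 302 0 "-" "Mozilla/4.0"
203.0.113.7 - - [10/Jan/2007:09:03:10 +0000] "GET /shipping/ HTTP/1.0" 200 1900 "-" "Mozilla/4.0"
203.0.113.7 - - [10/Jan/2007:09:04:00 +0000] "GET /index.php?main_page=index&cPath=5&zenid=bbb222 HTTP/1.0" 200 7100 "-" "Mozilla/4.0"
203.0.113.7 - - [10/Jan/2007:09:05:30 +0000] "GET /index.php?main_page=product_info&products_id=27&action=add_product&zenid=bbb222 HTTP/1.0" 302 0 "-" "Mozilla/4.0"
198.51.100.9 - - [10/Jan/2007:09:06:00 +0000] "GET / HTTP/1.0" 200 5120 "http://www.example.com/" "Mozilla/5.0"
198.51.100.9 - - [10/Jan/2007:09:06:15 +0000] "GET /index.php?main_page=shopping_cart HTTP/1.0" 200 4400 "http://www.example.com/" "Mozilla/5.0"
"""


def parse_line(line):
    """Split one combined-format line into ip, path, query dict and referrer; None if unparseable."""
    m = LOG_RE.match(line)
    if not m:
        return None
    parts = urlsplit(m.group("target"))
    query = {k: v[0] for k, v in parse_qs(parts.query).items()}
    referer = m.group("referer")
    return {
        "ip": m.group("ip"),
        "path": parts.path,
        "query": query,
        "status": int(m.group("status")),
        "referer": "" if referer == "-" else referer,
    }


def analyse(log_text):
    """Per client IP: zenids in order of appearance, lost-session events, referrer check, adds."""
    current = {}     # ip -> zenid carried by the most recent request that had one
    dropped_at = {}  # ip -> path of the latest request that failed to carry the zenid
    report = {}
    for line in log_text.strip().splitlines():
        ev = parse_line(line)
        if ev is None:
            continue
        ip = ev["ip"]
        r = report.setdefault(ip, {"zenids": [], "lost": [], "adds": {}, "all_blank_referer": True})
        if ev["referer"]:
            r["all_blank_referer"] = False
        zid = ev["query"].get("zenid")
        if zid is None:
            # A request without the id after the client already had one: a static
            # link (or hand-typed URL) that did not carry the session forward.
            if ip in current:
                dropped_at[ip] = ev["path"]
        else:
            if zid not in r["zenids"]:
                r["zenids"].append(zid)
                prev = current.get(ip)
                if prev is not None and prev != zid:
                    # Old id replaced by a new one: cart lost, via the dropping path if known.
                    r["lost"].append((prev, zid, dropped_at.get(ip)))
            current[ip] = zid
            dropped_at.pop(ip, None)
        if ev["query"].get("action") == "add_product":
            r["adds"].setdefault(zid, []).append(ev["query"].get("products_id"))
    return report


def products_added(report, ip):
    """All products_ids an IP added, across every zenid it used (to compare with a phantom cart)."""
    ids = set()
    for pids in report.get(ip, {}).get("adds", {}).values():
        ids.update(pids)
    return sorted(ids)


if __name__ == "__main__":
    rep = analyse(SAMPLE_LOG)
    for ip, r in rep.items():
        print(ip, "zenids:", r["zenids"], "blank referrer only:", r["all_blank_referer"])
        for old, new, path in r["lost"]:
            print("  session lost:", old, "->", new, "after request to", path)
        print("  products added:", products_added(rep, ip))
```

In the sample the visitor's second zenid appears right after the /shipping/ request, which is the static-link pattern Dave describes; note that the owner's IP shows no add_product hits and no zenid at all, which is why the log alone cannot explain how her session ended up holding the visitor's cart.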

  6. #6
    Join Date
    Jan 2004
    Posts
    66,373
    Blog Entries
    7
    Plugin Contributions
    274

    Default Re: Session confusion: cart contents appearing in store owner's cart

    There are a lot of things "fixed" since v1.3.5, and some of them have to do with how whos_online information is displayed.

    If you're concerned about session hijacking, you're right that you need to ensure that sessions are tied to links when needed.
    Additionally, if you are frequently getting hijacked sessions, you should turn on Session Recreate in Admin->Config->Sessions. Don't be playing with other settings there or you'll just create yourself a headache.
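The mechanism Kobra describes in post #2 (a posted URL carrying a session id puts the follower into someone else's cart) and DrByte's advice in post #6 (turn on Session Recreate if sessions are being hijacked) come down to two server-side policies: whether a session id is accepted from the URL, and whether an id the server never issued is adopted. The following added example, not code from the thread or from Zen Cart, models those policies in a small in-memory session store and shows the shared-cart and session-fixation outcomes under each. The two policy flags correspond to PHP's session.use_only_cookies and session.use_strict_mode; treating Session Recreate as regenerating the session id at login is an assumption made for the example, not a reading of Zen Cart's source.

```python
import secrets


class SessionStore:
    """Minimal model of server-side session handling (not Zen Cart's implementation)."""

    def __init__(self, accept_url_id, accept_unknown_id):
        # accept_url_id:     take a session id from the URL (zenid=...) when no cookie is sent
        # accept_unknown_id: adopt an id the server never issued (PHP non-strict behaviour)
        self.accept_url_id = accept_url_id
        self.accept_unknown_id = accept_unknown_id
        self.sessions = {}

    def _new(self):
        sid = secrets.token_hex(16)
        self.sessions[sid] = {"cart": []}
        return sid

    def resolve(self, cookie_id=None, url_id=None):
        """Return the session id a request runs under, given what the client presented."""
        candidate = cookie_id
        if candidate is None and self.accept_url_id:
            candidate = url_id
        if candidate is None:
            return self._new()
        if candidate not in self.sessions:
            if self.accept_unknown_id:
                # Caller-chosen id adopted as-is: the precondition for session fixation.
                self.sessions[candidate] = {"cart": []}
                return candidate
            return self._new()  # strict mode: unknown ids are ignored, fresh id issued
        return candidate

    def regenerate(self, sid):
        """Move the session data to a fresh id and retire the old one (assumed Session Recreate)."""
        data = self.sessions.pop(sid)
        new_sid = secrets.token_hex(16)
        self.sessions[new_sid] = data
        return new_sid


def shared_cart_via_posted_url(store):
    """Post #2 scenario: a cookieless shopper's link, zenid included, is followed by someone else."""
    shopper = store.resolve()                       # cookies disabled: id lands in every link
    store.sessions[shopper]["cart"].append("products_id=12")
    posted_link = f"/index.php?main_page=index&zenid={shopper}"   # constructed posted URL
    url_id = posted_link.split("zenid=", 1)[1]
    visitor = store.resolve(cookie_id=None, url_id=url_id)
    return list(store.sessions[visitor]["cart"])    # what the visitor sees in "their" cart


def fixation_attempt(store, regenerate_on_login):
    """Attacker hands a victim a URL with an attacker-chosen zenid, then reads that session."""
    attacker_id = "attackerchosen1234"              # constructed, never issued by the server
    victim = store.resolve(cookie_id=None, url_id=attacker_id)
    if regenerate_on_login:
        victim = store.regenerate(victim)           # id changes at login, old id retired
    store.sessions[victim]["cart"].append("products_id=27")
    return list(store.sessions.get(attacker_id, {"cart": []})["cart"])


if __name__ == "__main__":
    print("legacy store, shared cart:", shared_cart_via_posted_url(SessionStore(True, True)))
    print("cookie-only strict store:", shared_cart_via_posted_url(SessionStore(False, False)))
    print("fixation, no recreate:", fixation_attempt(SessionStore(True, True), False))
    print("fixation, recreate on login:", fixation_attempt(SessionStore(True, True), True))
    print("fixation, strict ids:", fixation_attempt(SessionStore(True, False), False))
```

Accepting ids from the URL is what makes a cookieless shopper work at all, so a store that wants to keep supporting such visitors relies on the other two controls: refusing ids it never issued, and regenerating the id whenever the session gains privilege.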
