  1. #1
    Join Date
    Aug 2009
    Posts
    22
    Plugin Contributions
    0

    Security Error- Customers can't log back in! -- IntegratedCOWOA addon

    Not sure if this has anything to do with the IntegratedCOWOA(1.3.8) Add-On that I installed on my zen cart too. I read and followed the instructions on the readme file for the security_patch_v138. I changed the admin folder successfully and I can get into Admin Panel, but it still suggests the security update. Version info still says v1.3.7

    Please help! I have a customer who can't log back in because of the security error.

    Thank you!!!

  2. #2
    Join Date
    Nov 2004
    Location
    Norfolk, United Kingdom
    Posts
    3,036
    Plugin Contributions
    2

    Re: Security Error- Customers can't log back in!

    Applying security patches has nothing to do with customers not being able to login successfully - unless patch files were inserted into the wrong place.

    Vger

  3. #3
    Join Date
    Aug 2009
    Posts
    22
    Plugin Contributions
    0

    Re: Security Error- Customers can't log back in! -- IntegratedCOWOA addon

    Customers aren't able to log in before and after the patch update. I thought this was the solution for the security error that they're getting.

  4. #4
    Join Date
    Jun 2003
    Location
    Newcastle UK
    Posts
    2,927
    Plugin Contributions
    4

    Re: Security Error- Customers can't log back in! -- IntegratedCOWOA addon

    The patch is to address security vulnerabilities in the admin code, and as Vger pointed out, should have no effect on toy store/catalog.

    Looking at your site, the reason you are always getting a Security Error when someone tries to log in is that the Security Token session value is never being set.

    Hence in the source for the login page I see,

    <input type="hidden" name="securityToken" />

    Note, there is no 'value' associated with this.

    I have to assume that this has been caused by the COWOA contribution, or some other changes you have made to core code.

    I would first look at the contribution thread for COWOA to see if any details are posted there.

    I would specifically review any changes made to the login page code, the includes/functions/sessions.php code, and the includes/functions/html_output.php code.

  5. #5
    Join Date
    Aug 2009
    Posts
    22
    Plugin Contributions
    0

    Re: Security Error- Customers can't log back in! -- IntegratedCOWOA addon

    Ok so I found it in the source, this line was manually added as per the instructions in the readme.html file that came with the security patch. What's the value that I need to enter?

    "
    Open the file in an editor and find the function "zen_draw_form"

    The last line of this function is

    return $form;
    Just before that line add another line as below

    $form .= '<input type="hidden" name="securityToken" value="' . $_SESSION['securityToken'] . '" />';
    You can then save the file.
    "

  6. #6
    Join Date
    Jun 2003
    Location
    Newcastle UK
    Posts
    2,927
    Plugin Contributions
    4

    Re: Security Error- Customers can't log back in! -- IntegratedCOWOA addon

    That line should only be added to
    admin/includes/functions/html_output.php

    If this is what you have done, then that is not the source of the error.

    However it should not be added to the catalog
    includes/functions/html_output.php

  7. #7
    Join Date
    Aug 2009
    Posts
    22
    Plugin Contributions
    0

    Re: Security Error- Customers can't log back in! -- IntegratedCOWOA addon

    I only altered the admin section, not the includes/functions/html_output.php

    What could be the security error then?

    Your help is very much appreciated!

  8. #8
    Join Date
    Jun 2003
    Location
    Newcastle UK
    Posts
    2,927
    Plugin Contributions
    4

    Re: Security Error- Customers can't log back in! -- IntegratedCOWOA addon

    Hi,

    The first place you need to check is your

    includes/functions/sessions.php file.

    Can you confirm that at around line 109 you have


    PHP Code:
        if (!isset($_SESSION['securityToken'])) {
          $_SESSION['securityToken'] = md5(uniqid(rand(), true));
        }

  9. #9
    Join Date
    Aug 2009
    Posts
    22
    Plugin Contributions
    0

    Re: Security Error- Customers can't log back in! -- IntegratedCOWOA addon

    No I don't have that php code in sessions.php file, I did a search for it. Should I add it?

  10. #10
    Join Date
    Aug 2009
    Posts
    22
    Plugin Contributions
    0

    Re: Security Error- Customers can't log back in! -- IntegratedCOWOA addon

    I think something went wrong when I renamed the admin folders. I also changed the configure.php file. Was there something else that I'm missing?
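
The token lifecycle discussed in posts #4 and #8, as an added example that is not part of the thread or of Zen Cart's own code: the token is created at session start, written into the form, and compared on submit. The function names and the array standing in for `$_SESSION` are assumptions for illustration, and `random_bytes()` / `hash_equals()` are swapped in for the `md5(uniqid(rand(), true))` line quoted above.

```php
<?php
// Added illustration; function names are hypothetical, not Zen Cart's own.

// Session start-up step: create the token once per session.
// Uses random_bytes() rather than the md5(uniqid(rand(), true)) quoted in the thread.
function ensure_security_token(array &$session): void {
    if (!isset($session['securityToken'])) {
        $session['securityToken'] = bin2hex(random_bytes(16));
    }
}

// Form helper: emit the hidden field from whatever the session holds.
function draw_token_field(array $session): string {
    $token = $session['securityToken'] ?? '';
    if ($token === '') {
        // Models what the login page in the thread showed: no value attribute.
        return '<input type="hidden" name="securityToken" />';
    }
    return '<input type="hidden" name="securityToken" value="'
        . htmlspecialchars($token, ENT_QUOTES) . '" />';
}

// Login handler check: both sides must be present and identical.
function check_security_token(array $session, array $post): bool {
    $expected = $session['securityToken'] ?? '';
    $supplied = $post['securityToken'] ?? '';
    if (!is_string($supplied) || $expected === '' || $supplied === '') {
        return false; // this is the "Security Error" path
    }
    return hash_equals($expected, $supplied);
}

// Case 1: the session start-up step is missing, so the token is never set.
$broken = [];
echo draw_token_field($broken), "\n";
var_dump(check_security_token($broken, ['securityToken' => '']));

// Case 2: token created at session start, echoed in the form, posted back.
$ok = [];
ensure_security_token($ok);
echo draw_token_field($ok), "\n";
var_dump(check_security_token($ok, ['securityToken' => $ok['securityToken']]));
```

Case 1 reproduces the symptom from the thread: an empty hidden field in the page source and a rejected login, regardless of what the customer types.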
