  1. #1
    Join Date
    May 2005
    Posts
    19
    Plugin Contributions
    0

    Customers are able to see other customer's order details

    Hi,

    I've been getting reports from customers that they are able to see other user's order details. Here is an email I got today:

    The last week I have tried to log into my account to order the video.
    The first time I could not remember my password so I requested a new
    password. When I logged in I was in an account for a man that lives in
    England. I just tried to log in again and I ended up in someone else's
    account. I am not sure what is happening, but this is allowing access to
    personal information I have no right to and makes me wonder if my personal
    information is safe. Please let me know if you can fix this problem, because
    as of now I do not feel safe ordering any new material.
    Any idea what this could be and how I can fix it?

    Thanks!

  2. #2
    Join Date
    Nov 2004
    Location
    Norfolk, United Kingdom
    Posts
    3,036
    Plugin Contributions
    2

    Re: Customers are able to see other customer's order details

    At some point in time you had "Prevent Spider Sessions" set to false in Zen Cart admin. This allowed search engines to spider your website and create search engine links with session ids in them.

    People click on those links and come to your website with the same session id, and end up in other people's accounts. Any orders they make can also end up in other people's accounts and not their own.

    Once this has happened it is not easy to get rid of, but you must take the following measures.

    1. Install a Full SSL Certificate and set "Force Cookie Use" to true. This will stop all search engines from creating session ids.

    2. Set "Recreate Session" to true in Zen Cart admin --> Configuration --> Sessions, and this will change the session id when people switch from http to https.

    3. You may have to delete some accounts set up using the same session id and ask the customers to re-register. You'll know which accounts they are by the complaints you receive.

    Vger

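    As an added illustration of the mechanism Vger describes (this is not code from the thread or from Zen Cart), a short Python script that scans access-log lines for the three symptoms of leaked URL sessions: crawler requests carrying a `zenid` session id, visitors arriving from another site with a session id already in the URL, and one session id used from several client IPs. The combined log format, the shop hostname and the sample lines are assumptions; `zenid` is Zen Cart's default session name.

```python
import re
from collections import defaultdict
from urllib.parse import parse_qs, urlsplit

SESSION_PARAM = "zenid"          # Zen Cart's default session name in URLs
SHOP_HOST = "www.example.com"    # assumed shop hostname; other referers are "external"
CRAWLER_RE = re.compile(r"bot|spider|crawl|slurp", re.I)
# Constructed combined-format access-log lines (not real traffic): one crawler
# fetch that records a session id, then two later visitors reusing that id.
SAMPLE_LOG = """\
203.0.113.7 - - [12/Mar/2008:10:01:02 +0000] "GET /index.php?main_page=product_info&products_id=12&zenid=abc123 HTTP/1.1" 200 5120 "-" "Mozilla/5.0 (compatible; Googlebot/2.1)"
198.51.100.4 - - [12/Mar/2008:11:15:44 +0000] "GET /index.php?main_page=product_info&products_id=12&zenid=abc123 HTTP/1.1" 200 5120 "http://www.google.com/search?q=video" "Mozilla/5.0 (Windows NT 5.1)"
192.0.2.99 - - [12/Mar/2008:11:20:09 +0000] "GET /index.php?main_page=account&zenid=abc123 HTTP/1.1" 200 2048 "-" "Mozilla/5.0 (Macintosh)"
192.0.2.50 - - [12/Mar/2008:11:21:00 +0000] "GET /index.php?main_page=login HTTP/1.1" 200 1024 "-" "Mozilla/5.0 (X11; Linux)"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<url>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)


def parse_line(line):
    """Parse one log line; return a dict with the session id pulled from the URL."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    query = parse_qs(urlsplit(rec["url"]).query)
    rec["sid"] = query.get(SESSION_PARAM, [None])[0]
    return rec


def analyse(log_text):
    """Return (crawler_hits, external_arrivals, shared_sessions): crawler requests
    carrying a session id, arrivals from another site with a session id already in
    the URL, and session ids seen from more than one client IP (-> sorted IPs)."""
    crawler_hits = external_arrivals = 0
    ips_by_sid = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["sid"] is None:
            continue                      # no session id in this URL: not a leak
        if CRAWLER_RE.search(rec["agent"]):
            crawler_hits += 1
        ref_host = urlsplit(rec["referer"]).netloc
        if ref_host and ref_host != SHOP_HOST:
            external_arrivals += 1
        ips_by_sid[rec["sid"]].add(rec["ip"])
    shared = {sid: sorted(ips) for sid, ips in ips_by_sid.items() if len(ips) > 1}
    return crawler_hits, external_arrivals, shared
```

    Run `analyse()` over a real access log: a non-empty shared-sessions result is exactly the symptom the first post describes, and the crawler count shows whether spiders are still being handed session ids.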
  3. #3
    Join Date
    May 2005
    Posts
    19
    Plugin Contributions
    0

    Re: Customers are able to see other customer's order details

    I tried the above, and whenever I set "Force Cookie Use" to true customers have problems checking out. Basically their carts are being lost and they are getting error messages...

  4. #4
    Join Date
    Nov 2004
    Location
    Norfolk, United Kingdom
    Posts
    3,036
    Plugin Contributions
    2

    Re: Customers are able to see other customer's order details

    Quote Originally Posted by Vger
    Install a Full SSL Certificate and set "Force Cookie Use" to true
    You cannot use Force Cookie Use with Shared SSL.

    Vger

  5. #5
    Join Date
    May 2005
    Posts
    19
    Plugin Contributions
    0

    Re: Customers are able to see other customer's order details

    I have an SSL cert installed at secure.mydomain.com - do I also need to install one for www.mydomain.com?

  6. #6
    Join Date
    Mar 2008
    Location
    Cape Town & London (depends on the season)
    Posts
    2,975
    Plugin Contributions
    0

    Re: Customers are able to see other customer's order details

    Quote Originally Posted by erikcw
    I have an SSL cert installed at secure.mydomain.com - do I also need to install one for www.mydomain.com?
    Looks like shared SSL.

    You need dedicated SSL. Just buy a cert from any range of providers. These providers will also guide you on the procedure, such as getting your host to do a CSR (Certificate Signing Request), etc. You will also need dedicated IP.

    Shared SSL is really a bad idea for people serious about online business. Get dedicated SSL.

  7. #7
    Join Date
    May 2005
    Posts
    19
    Plugin Contributions
    0

    Re: Customers are able to see other customer's order details

    Quote Originally Posted by fairestcape
    Looks like shared SSL.

    You need dedicated SSL. Just buy a cert from any range of providers. These providers will also guide you on the procedure, such as getting your host to do a CSR (Certificate Signing Request), etc. You will also need dedicated IP.

    Shared SSL is really a bad idea for people serious about online business. Get dedicated SSL.
    Sorry, should have been more clear. I have a dedicated SSL, it's just on the subdomain secure.mydomain.com instead of www. Should I get another for www or just for mydomain.com or do I need a wildcard cert?

  8. #8
    Join Date
    Nov 2004
    Location
    Norfolk, United Kingdom
    Posts
    3,036
    Plugin Contributions
    2

    Re: Customers are able to see other customer's order details

    A wildcard cert is the same as Shared SSL, so that's no use to you.

    The http and https pages need to be on the same domain for Full SSL and Force Cookie Use to work.

    So if your site is on www.yourdomain.com then that's what the Full SSL Cert needs to be made out to, and that's where all of the files need to be.

    Vger

  9. #9
    Join Date
    Mar 2008
    Location
    Cape Town & London (depends on the season)
    Posts
    2,975
    Plugin Contributions
    0

    Re: Customers are able to see other customer's order details

    Remember too that you will need an entirely NEW cert for WWW. So the whole process of CSRs etc. must be done again.
