Note that even if it is/was an expired session, if two or more people access the site with the link having the zenID in it, then they will share the "new" session.
There has been an additional check added in ZC 1.5.7 towards the end of checkout to inspect the validity of the cart for which the order is being processed against the cart currently in the session. I would think that adding that additional code may have also helped mitigate this occurrence, as based on the information provided it seems that the cart contents would have been different, which would have resulted in returning to the shipping page to correct/address the issue. The code addition can be found here:
https://github.com/zencart/zencart/b...ess.php#L63-73 containing the following code:
Code:
// avoid hack attempts during the checkout procedure by checking the internal cartID
if (isset($_SESSION['cart']->cartID) && $_SESSION['cartID']) {
    if ($_SESSION['cart']->cartID != $_SESSION['cartID']) {
        $payment_modules->clear_payment();
        $order_total_modules->clear_posts();
        unset($_SESSION['payment']);
        unset($_SESSION['shipping']);
        zen_redirect(zen_href_link(FILENAME_CHECKOUT_SHIPPING, '', 'SSL'));
    }
}
(Please note that if there are # symbols in the code, I apologize, but sometimes when I copy and paste from GitHub such additional symbols are added. They are only visible after posting, and usually, with the time constraints between making the post and saving an edit, there is not enough time to correct it.)
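To show why the quoted check sends a shared session back to the shipping page, here is a small standalone model of it (an added example, not Zen Cart's own code). The DemoCart class, the way the cart ID is regenerated, and the two helper function names are assumptions made for this illustration.

```php
<?php
// Added example, not Zen Cart code: models the cartID check quoted above.

class DemoCart
{
    public string $cartID = '';
    private array $contents = [];

    public function __construct()
    {
        $this->refreshCartID();
    }

    public function add(string $productId, int $qty): void
    {
        $this->contents[$productId] = ($this->contents[$productId] ?? 0) + $qty;
        $this->refreshCartID();   // any change to the contents invalidates the old ID
    }

    // Assumption: a fresh random ID on every change, so stale snapshots never match.
    private function refreshCartID(): void
    {
        $this->cartID = bin2hex(random_bytes(8));
    }
}

// checkout_shipping step: remember which cart the shipping/payment choices belong to.
function snapshotCartForCheckout(array &$session): void
{
    $session['cartID'] = $session['cart']->cartID;
}

// checkout_process step: true when the order may proceed, false when the caller
// should drop the stored payment/shipping choices and return to checkout_shipping.
function cartMatchesCheckoutSnapshot(array $session): bool
{
    if (!isset($session['cart']->cartID) || empty($session['cartID'])) {
        return true; // nothing to compare yet, same as the outer guard in the quoted code
    }
    return $session['cart']->cartID === $session['cartID'];
}

// Two visitors who opened a link carrying the same zenID share this one session.
$session = ['cart' => new DemoCart()];
$session['cart']->add('widget-1', 1);
snapshotCartForCheckout($session);     // visitor A reaches checkout_shipping
$session['cart']->add('gadget-2', 3);  // visitor B alters the shared cart
var_dump(cartMatchesCheckoutSnapshot($session)); // result of the check after B's change
```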