Re: COWOA Updated and Combined for ZC v1.5.x
It depends on your idea of security risk or user convenience.
My two pennies..
Yes, COWOA always had that issue, and so do other sites that use the email address as the user ID. I don't think I've actually had a shopping site do an opt-in/opt-out check on account creation or checkout like non-shopping sites do.. wouldn't be hard to code in, but it's another annoyance to the shopper!
What I mean by opt-in/opt-out: during the account sign-up or creation you enter an email address, an email is sent with a standard "is this you?" message, and if so you type in this number or click this link to finish or activate your account! I don't think you would get a customer to finish checking out if that happens... This is the only way I know of to prevent email address ID abuse for any site.... not just COWOA!
COWOA assumes that the email address is one of a kind, which it is unless you gave it up and someone decides to reuse it for themselves, then comes to your shop and creates an account.. If you're storing more than shipping addresses and order details.. like CC numbers!! then yes, I can see this as more than a COWOA security issue. I've also thought about what if someone decides to use someone else's email address and creates a standard account or COWOA checkout... buys and ships to their address! As a business owner I'm assuming you are managing the billing/payment side with fraud protection.. I am!
Accessing a COWOA account by using the login side of ZC should be very hard.. COWOA accounts are protected with a password; for me, it's a large hash, random character set, then salted... making a very hard password. I think ZC155 does this now, which means I'll be switching that code out and using the ZC call.
I agree that the order status code can use better sanitizing and protection... will work on that.
If you don't want your customers to see past orders, it wouldn't be hard to code in a switch for that, but if you don't want them to find out the order status, then you can turn off or un-code that for your site if you wish to leave customers in the dark.. I don't hide the order status page and it's available to both COWOA and standard customers... I don't see a need or reason for someone to turn that feature off, but you can by not adding the page and link to your site.
Dave
Always forward thinking... Lost my mind!
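The opt-in confirmation flow Dave describes (send a one-time link, activate the account only when it is clicked) sketched out in Python. This is an added example, not Dave's code and not part of COWOA or Zen Cart; the in-memory PENDING/VERIFIED dictionaries, the one-hour expiry and the `/activate` URL shape are all assumptions made here to keep it self-contained. It shows the two points that matter when you do add such a check: store only a hash of the token, so a leaked table does not hand out working activation links, and compare in constant time so the token cannot be guessed character by character.

```python
import hashlib
import hmac
import secrets
from urllib.parse import urlencode

# Constructed in-memory stores standing in for the shop's database tables.
PENDING = {}   # normalised email -> {"token_hash": str, "expires": float, "account": dict}
VERIFIED = {}  # normalised email -> account dict, written only after a valid click

TOKEN_TTL_SECONDS = 60 * 60  # assumed: the link is good for one hour


def _norm(email):
    # Email local parts are case-sensitive in theory, but shops treat them as one ID.
    return email.strip().lower()


def _hash_token(token):
    # Only this digest is stored; the raw token exists solely in the email that was sent.
    return hashlib.sha256(token.encode("utf-8")).hexdigest()


def start_signup(email, account, now):
    """Park the account as pending and return the one-time token for the email link.

    `now` is a Unix timestamp passed in explicitly so the flow is testable offline.
    """
    token = secrets.token_urlsafe(32)  # 256 bits of randomness, URL-safe
    PENDING[_norm(email)] = {
        "token_hash": _hash_token(token),
        "expires": now + TOKEN_TTL_SECONDS,
        "account": account,
    }
    return token


def build_activation_link(base_url, email, token):
    """The URL placed in the 'is this you?' email (assumed /activate route)."""
    return f"{base_url}/activate?{urlencode({'email': email, 'token': token})}"


def confirm_signup(email, token, now):
    """Called when the link is clicked. Returns True and activates the account on success.

    Fails closed on unknown email, expired token or mismatch; a used or expired
    token is discarded so it cannot be replayed later.
    """
    key = _norm(email)
    entry = PENDING.get(key)
    if entry is None:
        return False
    if now > entry["expires"]:
        del PENDING[key]
        return False
    # Constant-time comparison of the two hex digests.
    if not hmac.compare_digest(entry["token_hash"], _hash_token(token)):
        return False
    VERIFIED[key] = entry["account"]
    del PENDING[key]
    return True


def is_verified(email):
    return _norm(email) in VERIFIED


if __name__ == "__main__":
    t = start_signup("Shopper@Example.com", {"name": "A. Shopper"}, now=1_000.0)
    print(build_activation_link("https://shop.example", "Shopper@Example.com", t))
    print("activated:", confirm_signup("shopper@example.com", t, now=1_010.0))
```

The point of passing `now` in rather than calling `time.time()` inside is only that the expiry path can be exercised deterministically; a real handler would pass the current time. Note that until the link is clicked nothing is written to the customer table at all, which is exactly what stops a stranger from claiming an address they do not control.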