Customer logged into someone else's account !

**harry2cool** · 15 Mar 2019, 06:01 AM

Zencart v1.5.5f
PHP Version: 7.0.33

One of our customers logged in however he got access to someone else's account.
We are not able to replicate this scenario , we only got 2 complaints so far in the last 3 months.
What are our options to figure out things to rectify ?

**mprough** · 15 Mar 2019, 02:57 PM

Under Configuration >> Sessions, what are your settings?

Don't include the Session Directory, but make certain it's correct

~Melanie

**mc12345678** · 15 Mar 2019, 05:17 PM

Also, as you navigate your site, does the web address always have zenid=xxxx at the end of the address on every page or just at the first click?

If it is every page, what php version are you using?

**harry2cool** · 18 Mar 2019, 11:12 AM

Session Directory /xyz
Cookie Domain True Info
Force Cookie Use False
Check SSL Session ID False
Check User Agent False
Check IP Address False
Prevent Spider Sessions True
Recreate Session True
IP to Host Conversion Status true
Keep Vistors Cart True
Days Before Cart Expires 30
Keep Cart Secret Key xyz
Use root path for cookie path False
Add period prefix to cookie domain True

==================

I do not see zenid=xxxx always, only one off times while I navigate the website.

**mprough** · 18 Mar 2019, 01:46 PM

Some thoughts, the Keep Cart was not written for Zen Cart 1.5.5 and bumping your PHP to 7.1. From the perspective here on the forum this is difficult to try and troubleshoot.

It's a pretty concerning situation. If you don't find an issue troubleshooting, then next time someone complains to you about it.... try to get as much information as possible. Such as:

- browser & version
- operating system
- what page they logged in from if more than one login form exists

~Melanie

**harry2cool** · 18 Mar 2019, 06:46 PM

The "Keep Cart" is not causing the issue cause we use this on our other websites too which have higher version of Zencart and Php and all works well.

Nothing shows on the logs too, the only thing we can guess is probably we must be working on the website at that moment.

Still not able to reproduce this issue, anything I can lookout to know the reasons ?

**mc12345678** · 18 Mar 2019, 10:50 PM

If a link has been shared that has the zenid on it, then all accessing that link will "share" what they have. If they happened to first arrive at the site and put something in the cart, then everyone that arrived with that zenid will see the new addition as they navigate. If one of them then logs in, then they will all basically be logged in...

Would add to mprough's list: how did the person get to the site? E.g. Email link from a newsletter or other correspondence from the store, web search result, some other website's posting, bookmark?

**harry2cool** · 25 Mar 2019, 02:52 AM

Can the below "RCS" email cause any issues, I do not see zenid but do see some string after the urls i.e "de6e4f9331e52e67e9e8291089a15d84"

https://www.mydomain.com/categorypat...e8291089a15d84

Also I have reduced session.gc_maxlifetime from 36000 to 7200

Thanks