Customer account corruption

[HeleneWallis]

We've had a very troubling instance of two customers' data being combined into a single customer record. Let me say to begin with that even though I'm still a novice with PHP, I've been writing software since the days when you had to manually lock a record to prevent an update being over-written by another user on the network. I know how that is supposed to work, so please don't anyone tell me it can't happen. I would have expected PHP to have sufficient safeguards to prevent it, and if PHP does not, I would think MYSQL does (or in our case, I believe it's MariaDB).

What happened is that two people set up accounts apparently at just the same time. One of them placed an order. The other one was still thinking about it when she received an email that an order had been placed. It showed her name and address in the billing information, along with her email address and phone number. But the shipping information showed someone else's name and address. She emailed my company demanding to know what was going on. I looked at the order information on our credit card processor's site, and the order was properly charged to the second person, not the one who contacted me. So no fraud was involved. We know the second person did intentionally place an order, because she posted in a Facebook group where some of our orders come from that she had done so. She even named the products she had ordered and those were the ones in the order we received.

I think it's likely that the account corruption occurred when the credit card processor's system transmitted the second person's order details back to us, and over-wrote part of the first person's account setup. It shouldn't be possible for that to happen, but there is no question that it did.

I have screen shots of everything and can post them here if that would help. I'll have to disguise each person's name and street address first, but I will if requested. I have straightened things out with the person who contacted me, and I will get hold of the second person via Facebook to get an email address from her, since the account now shows the first person's email address. I told the first person, who did not place an order, that she would need to create a new account.

There is nothing the Zencart team can do about this occurrence, but you need to know that it happened.

[mc12345678]

Were both individuals attempting to purchase the same item?

If so, how did both of them arrive at the store to begin/make the purchase? E.g. Was a link published to the location and if so did it contain the parameter zenID?

[lat9]

What payment method was used?

[HeleneWallis]

No, they were not purchasing the same item. The first person (the one who contacted me) had an item in her shopping cart but it was different from the two items the second person actually ordered. Yes, a link was published to the category the second person's purchase was from, but not to either of the specific items. The link does contain the ZenID for that category.

I believe the first person also connected to the site from that link, from something she said, but I don't know that for certain. I will find out.

[HeleneWallis]

What payment method was used?

She paid with a credit card, but it was processed through Paypal, who is our credit card processor.

[lat9]

She paid with a credit card, but it was processed through Paypal, who is our credit card processor.

Right, but which version of PayPal: PayPal Payments Standard, PayPal Express Checkout or PayPal Payments Pro?

[mc12345678]

No, they were not purchasing the same item. The first person (the one who contacted me) had an item in her shopping cart but it was different from the two items the second person actually ordered. Yes, a link was published to the category the second person's purchase was from, but not to either of the specific items. The link does contain the ZenID for that category.

I believe the first person also connected to the site from that link, from something she said, but I don't know that for certain. I will find out.

Two ways to look at this. Good that so many people trying to get to the store at the same time (indicator of business and interest), not so good that those following the link are sharing the session. It sounds like at the point of purchase "completion" that person 1 (the one notifying) had basically already overwritten session information from person 2 which is what was returned. At the moment not entirely sure why only the customer information was overwritten and not other session data, but it seems (until additional information is gathered) that including the zenID (session identifier) for any/all to click and use contributed to this issue.

[HeleneWallis]

Right, but which version of PayPal: PayPal Payments Standard, PayPal Express Checkout or PayPal Payments Pro?

PayPal Payments Pro.

[HeleneWallis]

Two ways to look at this. Good that so many people trying to get to the store at the same time (indicator of business and interest), not so good that those following the link are sharing the session. It sounds like at the point of purchase "completion" that person 1 (the one notifying) had basically already overwritten session information from person 2 which is what was returned. At the moment not entirely sure why only the customer information was overwritten and not other session data, but it seems (until additional information is gathered) that including the zenID (session identifier) for any/all to click and use contributed to this issue.

Yes, that makes sense. I always remove the ZenID when I provide a link for someone, partly because it isn't required in order for the link to work, but also because the presence of all the other characters just makes the link so much longer. But someone else (an admin in the FB group) was the one who provided the link to the website. I'm going to ask her whether she went to the website at the time she provided the link, or if the whole thing has been in her notes for who knows how long. If it's a session ID from some point in the past, that has long since expired, that might have contributed to the problem. This admin is in Australia, though, 14 hours time difference from me, so it will be a while before I hear back from her.

[mc12345678]

Note that even if it is/was an expired session, if two or more people access the site with the link having the zenID in it, then they will share the "new" session.

There has been an additional check added in ZC 1.5.7 towards the end of checkout to inspect the validity of the cart for which the order is being processed against the cart currently in the session. I would think that adding that additional code may have also helped mitigate this occurrence as based on the information provided it seems that the cart contents would have been different and that would have resulted in returning to the shipping page to correct/address the issue. The code addition can be found here:
https://github.com/zencart/zencart/b...ess.php#L63-73 containing the following code:

Code:

// avoid hack attempts during the checkout procedure by checking the internal cartID
if (isset($_SESSION['cart']->cartID) && $_SESSION['cartID']) {
    if ($_SESSION['cart']->cartID != $_SESSION['cartID']) {
        $payment_modules->clear_payment();
        $order_total_modules->clear_posts();
        unset($_SESSION['payment']);
        unset($_SESSION['shipping']);
        zen_redirect(zen_href_link(FILENAME_CHECKOUT_SHIPPING, '', 'SSL'));
    }
}

(please note that if there are # symbols in the code, I apologize but sometimes when I copy and paste from github, such additional symbols are added. They are only visible after posting and usually with the time constraints between making the post and saving an edit, there is not enough time to correct it.