  1. #1
     Join Date: Oct 2007 | Posts: 68 | Plugin Contributions: 0

    [not a bug] security issue with shared cart url/link

    Using v1.5.7c on my site and a customer was logged into their account and then was viewing a product.

    They wanted to share that info with a friend and copied the URL and pasted into an email to the friend.

    The friend pulled the link up on their computer and, since the original account owner was still logged in on his computer, the site let his friend see all his account info just as if he had logged in with email/password credentials.

    I was able to recreate this. Is there something in the site that can be configured so that, even though another person has the zenid= in the link, it doesn't consider them an account owner and log them in?

  2. #2
     Join Date: Oct 2007 | Posts: 68 | Plugin Contributions: 0

    Re: security issue with shared cart url/link

    I found an old thread talking about this:

    https://www.zen-cart.com/showthread....rce-Cookie-Use

    I am not sure if this is still current for 1.5 zen versions and if there is a better way to handle it. I would think sharing a link with the zenid still shouldn't allow access to the account configuration portion. Do people have any problems with forcing cookies at this point?

  3. #3
     Join Date: Jan 2004 | Posts: 66,373 | Blog Entries: 7 | Plugin Contributions: 274

    Re: security issue with shared cart url/link

    You will need to force cookie use for the zenid to disappear from the URL for regular shoppers. If the customer blocks cookies in their browser (which can be done in various ways, including some uses of incognito/private-browsing mode), then the fallback will be that the zenid gets added to the URL for that customer.

    Zen Cart - putting the dream of business ownership within reach of anyone!
    Donate to: DrByte directly or to the Zen Cart team as a whole

    Remember: Any code suggestions you see here are merely suggestions. You assume full responsibility for your use of any such suggestions, including any impact ANY alterations you make to your site may have on your PCI compliance.
    Furthermore, any advice you see here about PCI matters is merely an opinion, and should not be relied upon as "official". Official PCI information should be obtained from the PCI Security Council directly or from one of their authorized Assessors.
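The following is an added illustration, not Zen Cart code and not something any poster in the thread wrote. It models in a few dozen lines of Python what post #1 describes and what post #3 recommends: a server that accepts the session id from the `zenid=` query parameter will hand the logged-in session to anyone who receives the link, while a server that only reads the id from the cookie does not. The store name, URLs and session layout are constructed for the example; the `url_fallback` flag stands in for the "force cookie use" setting discussed above and is not the real configuration key.

```python
"""Toy session resolver contrasting URL-carried session ids with cookie-only
sessions.  Added example; all names and data here are constructed."""
import secrets
from urllib.parse import urlsplit, parse_qs, urlencode, urlunsplit

# Server-side session store: session id -> session data (constructed).
SESSIONS = {}


def new_session(customer_email):
    """Log a customer in and return the freshly minted session id."""
    sid = secrets.token_hex(16)          # unguessable id, as a real app should use
    SESSIONS[sid] = {"customer": customer_email, "cart": []}
    return sid


def resolve_session(url, cookies, url_fallback):
    """Return the session bound to a request, or None.

    url_fallback=True  mirrors the behaviour in post #1: if no valid cookie is
                       present, the id is taken from the zenid= query parameter,
                       so whoever holds the link inherits the session.
    url_fallback=False mirrors "force cookie use": only the cookie counts.
    """
    sid = cookies.get("zenid")
    if sid in SESSIONS:
        return SESSIONS[sid]
    if url_fallback:
        sid = parse_qs(urlsplit(url).query).get("zenid", [None])[0]
        if sid in SESSIONS:
            return SESSIONS[sid]
    return None


def whose_account(url, cookies, url_fallback):
    """Convenience wrapper: which customer does this request act as?"""
    session = resolve_session(url, cookies, url_fallback)
    return session["customer"] if session else None


def strip_session_id(url):
    """What a 'share this product' link should look like: same page, no zenid."""
    parts = urlsplit(url)
    query = {k: v for k, v in parse_qs(parts.query).items() if k != "zenid"}
    return urlunsplit(parts._replace(query=urlencode(query, doseq=True)))


def count_url_sessions(access_log_lines):
    """Defender check: how many logged requests still carry zenid in the URL.
    Post #3 notes this fallback still happens for cookie-blocking visitors, so a
    non-zero count after enabling cookie-only sessions is expected but should be
    small; a large share suggests the setting is not in effect."""
    return sum(1 for line in access_log_lines if "zenid=" in line)


def demo():
    """Replay the scenario from the thread under both configurations."""
    sid = new_session("owner@example.com")
    shared_link = ("https://shop.example/index.php?main_page=product_info"
                   f"&products_id=42&zenid={sid}")
    return {
        # The owner's own browser has the cookie: works either way.
        "owner": whose_account(shared_link, {"zenid": sid}, url_fallback=True),
        # The friend has no cookie for the shop but was emailed the link.
        "friend_url_fallback": whose_account(shared_link, {}, url_fallback=True),
        "friend_cookie_only": whose_account(shared_link, {}, url_fallback=False),
        "safe_link": strip_session_id(shared_link),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

With `url_fallback=True` the friend's request resolves to the owner's account exactly as post #1 reports; with the cookie-only rule it resolves to no session at all and the friend simply sees the product page as a guest. `strip_session_id` shows the other half of the fix, which is never to let a session id into a link that will be copied elsewhere.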
