How could this happen?

[pbo808]

A client received the following email from a customer:

> Hello, my name is ABC, and I went to make an order today and
> when I made the order, I realized I was somehow logged on to
> someone else's account (???). Wish I had paid more attention while
> making the order. I am concerned about this for privacy issues,
> obviously. From what I remember, the account was that of a XYZ.
> This greatly worries me. Probably not a whole lot that
> can be done now, but any help/insight would be appreciated. Thanks.

ABC was a new customer and XYZ's account was over a year old. ABC's order was placed as XYZ's - as is mentioned above. XYZ had placed and order a half hour before ABC placed his and the order ids are consecutive.

ABC was using his own laptop and internet connection.

Strange, eh? Any ideas?

Thanks!

[Merlinpa1969]

ask them WHERE they hit the link from,
how did they get to the site,
its possible and probable that they came from a link with a zen ID attached to it

[pbo808]

Interesting thought - I'll check the logs, but for that to happen wouldn't XYZ have to send ABC a link? It's my understanding that ABC and XYZ don't know each other.

How else could a link with someone's zen ID be "out there". How would a link with a zen ID be in a URL? It's a cookie, right?

[Merlinpa1969]

If someone Sends a link
or copies and pasts a link somewhere,
it happens all the time,
make sure to set spider sessions to false,

[jettrue]

Interesting thought - I'll check the logs, but for that to happen wouldn't XYZ have to send ABC a link? It's my understanding that ABC and XYZ don't know each other.

How else could a link with someone's zen ID be "out there". How would a link with a zen ID be in a URL? It's a cookie, right?

XYZ could have posted in a forum about the some great deal at your site, and the link had the zenid in it. ABC clicks the link, your site things ABC is XYZ. The zen id is in the link upon the person's first visit to the site, then it goes away. A lot of times, the very own store owner posts a link with a zen id in a forum, then there's a TON of issues.

[pbo808]

I do see some zenid entries in the apache log file - including some from Google referrers.

What would cause the zenid to be in the URL? I noticed that when I browse the site using Firefox on Ubuntu (feisty) there are no zenids in the urls even when I'm logged in. If a user has cookies disabled?

[pbo808]

Prevent Spider Sessions is true, but Force Cookie Use is false. Should Force Cookie Use be set to true?

[DrByte]

Leave the cookie-use settings alone.

Set Recreate Session to true if you want to prevent folks from coming in on re-used zenid links.

The most common cause of zenid links getting posted is ... someone does a copy/paste from the site onto an email or a blog etc. Not necessarily you ... perhaps someone fond of your products, sharing the links with a friend.

[pbo808]

Thanks for the reply DrByte... I'll check into the Recreate Session param.