  1. #1 (Join Date: Jan 2008; Posts: 7; Plugin Contributions: 0)

    Session Issue - Customer Logs in and sees another customer's account

    I'm quite aware of all the threads discussing sessions and fixes for session crossing. Here's the issue:

    A while back I had a customer submit an issue where they were being logged out when they tried to checkout and they were not able to complete an order. So I switched Recreate Sessions to false and it resolved the problem and since then I did not have an issue in regards to that.

    Yesterday, we installed an SSL certificate on the domain (this may or may not be important).

    In any case, today, when one customer logged in, the account information of another user was shown (they placed an order through Paypal IPN where the Paypal IP showed the customer's correct info, but the order generated in Zen Cart was under a different user's account who had never placed an order as of yet... they notified us of this).
    While I may be tempted to set Recreate Sessions to true, I would risk having the issue I had a while back. So this is a double-edged sword, as it would seem. So, I'm begging for any guidance as to how to resolve this issue. Below are our configuration settings:

    Cookie Domain True
    Force Cookie Use False
    Check SSL Session ID False
    Check User Agent False
    Check IP Address False
    Prevent Spider Sessions True
    Recreate Session False
    IP to Host Conversion Status true

    I read something about "AOL and other big ISPs force all web traffic through a load balanced set of proxy servers, causing users to "change IPs" mid-session, or something like that.. it also seems to happen if for some reason multiple users come from the same IP (NAT, or multiple browsers, as you suggest)."

    We are using version 1.3.7.1.
    Any help would be greatly appreciated.

    PS: All links to the site are advertised without any session id info in the url.

    Thanks.

  2. #2 (Join Date: Mar 2004; Posts: 16,042; Plugin Contributions: 5)

    Re: Session Issue - Customer Logs in and sees another customer's account

    set Recreate Session False to true

    sounds like you have a url posted out there somewhere with a session ID ( zenid ) attached to it

  3. #3 (Join Date: Jan 2008; Posts: 7; Plugin Contributions: 0)

    Re: Session Issue - Customer Logs in and sees another customer's account

    Hi,

    Thanks for the reply.

    >set Recreate Session False to true
    If I do this then I am concerned I will get the original issue (that was resolved when switching Recreate Sessions to false) where some people were getting logged out of their cart during the checkout process.

    >sounds like you have a url posted out there somewhere with a session ID ( zenid ) attached to it
    Let's assume you were correct. Here's a question for you. If User A posts a link on the internet with the session ID, and User C then clicks on that link, can s/he then possibly see account info for User B, or just User A? If it's just User A, then I am 100% positive this didn't happen. If User C could see User B's info (or any other user's for that matter), then it would be impossible to know for sure and I would seriously be concerned about the security in general.

    Any input would be great...

    Thanks.

  4. #4 (Join Date: Jan 2008; Posts: 7; Plugin Contributions: 0)

    Re: Session Issue - Customer Logs in and sees another customer's account

    Quote Originally Posted by czemel:

    > Hi,
    >
    > Thanks for the reply.
    >
    > >set Recreate Session False to true
    > If I do this then I am concerned I will get the original issue (that was resolved when switching Recreate Sessions to false) where some people were getting logged out of their cart during the checkout process.
    >
    > >sounds like you have a url posted out there somewhere with a session ID ( zenid ) attached to it
    > Let's assume you were correct. Here's a question for you. If User A posts a link on the internet with the session ID, and User C then clicks on that link, can s/he then possibly see account info for User B, or just User A? If it's just User A, then I am 100% positive this didn't happen. If User C could see User B's info (or any other user's for that matter), then it would be impossible to know for sure and I would seriously be concerned about the security in general.
    >
    > Any input would be great...
    >
    > Thanks.

    I did some further research and I even found the session ID (I found the customer's payment through the Paypal IPN debug logs, which provided the Zen Cart session ID). Then I searched through referral logs and this session ID occurred many times for different visitors (IP addresses). And none of the referral URLs were external websites.

    What's interesting is this session id was used many times over the past 15 hours. I also did see other ids show up, but this one showed up a lot.
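The log search described in the post above (one zenid showing up from many different visitor IPs) can be automated. The following is an added example, not code from the thread or from Zen Cart: it parses Apache combined-format access log lines, pulls the zenid parameter out of both the request URL and the Referer, and flags any session id used by more than one client IP. The log lines and session ids are constructed placeholders.

```python
import re
from collections import defaultdict

# Constructed sample of Apache "combined" access log lines (not real traffic).
# SHAREDID0001 is a placeholder for a zenid that leaked into an ad link and was
# clicked by two different visitors; PRIVATEID0002 is a normal single-visitor session.
SAMPLE_LOG = """\
203.0.113.10 - - [12/Jan/2008:10:01:02 +0000] "GET /index.php?main_page=product_info&products_id=5&zenid=SHAREDID0001 HTTP/1.1" 200 5120 "http://ads.example/banner" "Mozilla/5.0"
198.51.100.7 - - [12/Jan/2008:10:05:44 +0000] "GET /index.php?main_page=product_info&products_id=5&zenid=SHAREDID0001 HTTP/1.1" 200 5120 "http://ads.example/banner" "Mozilla/5.0"
203.0.113.10 - - [12/Jan/2008:10:06:10 +0000] "GET /index.php?main_page=login HTTP/1.1" 200 2048 "http://shop.example/index.php?main_page=product_info&zenid=SHAREDID0001" "Mozilla/5.0"
192.0.2.33 - - [12/Jan/2008:11:20:00 +0000] "GET /index.php?main_page=checkout_shipping&zenid=PRIVATEID0002 HTTP/1.1" 200 3000 "-" "Mozilla/5.0"
192.0.2.33 - - [12/Jan/2008:11:21:00 +0000] "GET /index.php?main_page=checkout_payment&zenid=PRIVATEID0002 HTTP/1.1" 200 3000 "-" "Mozilla/5.0"
"""

# Apache combined format: ip ident user [time] "request" status bytes "referer" "user-agent"
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<request>[^"]*)" \d+ \S+ '
    r'"(?P<referer>[^"]*)" "[^"]*"$'
)
# zenid as a query-string parameter, in either the request line or the Referer
ZENID_RE = re.compile(r'[?&]zenid=([A-Za-z0-9]+)')


def session_ip_map(log_text):
    """Map each zenid seen in a request URL or Referer to the set of client IPs that used it."""
    seen = defaultdict(set)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that are not in combined format
        for field in (m.group("request"), m.group("referer")):
            for zenid in ZENID_RE.findall(field):
                seen[zenid].add(m.group("ip"))
    return seen


def shared_sessions(log_text, min_ips=2):
    """Return {zenid: sorted IPs} for every session id used by at least min_ips distinct clients."""
    return {sid: sorted(ips) for sid, ips in session_ip_map(log_text).items()
            if len(ips) >= min_ips}


if __name__ == "__main__":
    for sid, ips in shared_sessions(SAMPLE_LOG).items():
        print(f"session {sid} shared by {len(ips)} clients: {', '.join(ips)}")
```

A session id reported here is one that should be treated as compromised and invalidated; the root fix is to keep zenid out of advertised links and to regenerate the session id at login.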

  5. #5 (Join Date: Jan 2008; Posts: 7; Plugin Contributions: 0)

    Re: Session Issue - Customer Logs in and sees another customer's account

    I found the source of the issue. It turns out two people clicked on an ad that had the same session id. So they were forced into the same session, which explains everything. I will speak to my client to ensure she does not use the session id when doing any links or advertising.

    Thanks for all the help.
