This is a discussion on Customer data errors after order # 1000 within the osCMax v2 Installation issues forums, part of the osCMax v2.0 Forums category.
#1
After reaching order number 1000 I have had some strange things happening. Examples: A customer creates an account, places order, logs out and returns to place a second order, their address has changed to the customer who created an account after them. The shipping and billing address, email address and phone number. When they try to log in to the account they see the other person's address information. This has happened 4 times since order #1000. Never had anything like this happen before. Are there any issues I need to address?
#2
Nothing to do with order number... you have hardcoded session IDs somewhere in your custom html on your site. This will have all new customers using the same session, so they will see others' info if they come on to the site before the session times out. Get rid of all hardcoded session IDs from your custom html and the problem will go away...
__________________ Michael Sasek osCMax Developer
#3
Thanks for the reply Michael. I spent 8 hours looking today and could not find any session ids hard coded anywhere. I checked the define main page and all products related to the mixed up customers and checked all products added since order # 1000. I am very careful not to include session ids in anything I post. Could it be something else or could it be related to something else, like could it be related to affiliate programs? I looked and looked but can't find one session id.
#4
Send me a link to the site. That is what it is for sure. It is a session ID posted in a link somewhere. It cannot be anything else, as that is the only way one session info can show up in multiple browsers. They are both using the same session ID, and since PHP randomly generates them, the only way is if they are linking in with a hardcoded session ID somewhere.
__________________ Michael Sasek osCMax Developer
#5
Hello Michael, I deleted the links we thought were causing the problems from the main page and everything seemed fine for a few days. However today it happened again. I had two customers contact me and say that after they clicked to my site from Froogle, they were able to see someone else's account. So I think there may be a problem with the Froogle feed. I tried to recreate the problem but was unsuccessful. Do you have any thoughts on this new information? Are sessions necessary? Thanks CW
#6
This is very interesting to me as I have had similar issues and cannot figure out how. Interestingly mine happened another way... in some cases a Pay Without Account customer would not checkout for a while... then (partly because of code that I contributed here: 062: Can create a customer account with the same email address as a 'MIA' PWA account - Bug Tracker - open source Commerce Maximized :: osCMax) the customer's info would often be deleted... Because of this the orders.php class would return a completely blank set of variables. This would occasionally result in a "blank order" where the order was submitted but there was no contact information... however, after some other change I made (could be a hard coded sessid... but I don't think so) it resulted in customers getting the $order->customer[] info from a different customer written to their TABLE_ORDERS record!

It took me a lot of work to figure out what was happening... I still don't understand how the record was getting messed up. I do, however, have a preliminary fix that looks like this: Every time the order class is instantiated I check to see if it is empty... if so I unregister a bunch of session variables and send the user back to login with a time out error... unfortunately this is all in a cart that only uses PWA... It is also an oscmax1.7 cart with PWA .71... so I need some comment from others.

Here are the code changes:

File includes/classes/order.php
Changed the constructor as follows:

Code:
function order($order_id = '') {
  $this->info = array();
  $this->totals = array();
  $this->products = array();
  $this->customer = array();
  $this->delivery = array();
  if (tep_not_null($order_id)) {
    $this->query($order_id);
  } else {
    $this->cart();
  }
  // BOF: FyreEngine change made on 4/10/2007 to identify customer records that have been deleted.
  $this->no_data = false;
  if ($this->customer['firstname'] == '') {
    $this->no_data = true;
  }
  // EOF: 4/10/2007
}

Code:
// BOF: FyreEngine 4/10/2007 identify missing customer records...
if ($order->no_data == true) {
  tep_session_unregister('customer_id');
  tep_session_unregister('customer_first_name');
  tep_session_unregister('customer_default_address_id');
  tep_session_unregister('customer_country_id');
  tep_session_unregister('customer_zone_id');
  tep_session_unregister('newsletter'); // FyreEngine variable add 3/27/2007
  tep_session_unregister('noaccount');
  tep_session_unregister('sendto');
  tep_session_unregister('cartID');
  tep_session_unregister('comments');
  tep_session_unregister('shipping');
  tep_session_unregister('billto');
  tep_session_unregister('payment');
  tep_session_unregister('comments');
  $navigation->set_snapshot(array('mode' => 'SSL', 'page' => FILENAME_CHECKOUT_PAYMENT)); // you can change this or leave it out...
  tep_redirect(tep_href_link(FILENAME_LOGIN, 'login=fail&reason=' . urlencode('If you don\'t complete your order within 30 minutes, your personal information is reset. Please enter it again to complete your order.'), 'SSL'));
}
// EOF: FyreEngine 4/10/2007

--gabe
#7
I found this article on the net which is my exact problem. MySQL DBA: OSCommerce Orders Mixing Up / Sessions Being Stolen

After doing a search on Google for my url I found many links with osCsid=8ac; when I click those links, voilà, I am in someone's account. I also did a complete search of my store database and only found one hit for that session id, which was "whos online". So it's not hard coded anywhere on my site.

Sessions are set to the following:

Session Directory: /tmp
Force Cookie Use: False
Check SSL Session ID: False
Check User Agent: False
Check IP Address: False
Prevent Spider Sessions: False
Recreate Session: True

So my question is what do I do now? Can I block that session id? I am at a complete loss and it's really starting to cause big problems for my store.

FIX: Michael informed me the problem was a session setting: Prevent Spider Sessions False should be set to True. I have made the changes and the problem will go away when the spiders update my site. Since I used "Recreate Sessions", customer sessions have been updated so it is no longer an issue. Thanks Michael. I appreciate your time.
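One way to confirm from the server side which session IDs are being shared, as an added example that is not part of the original thread: it scans access log lines for the `osCsid` URL parameter mentioned in post #7 and reports every ID presented by more than one client, together with the outside referrers that delivered it. The log lines, IPs, IDs and the `shop.example` / `search.example` hosts are constructed, and the Apache combined log format is an assumption.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit, parse_qs

# Constructed sample in Apache "combined" format; every host, IP and ID is made up.
SAMPLE_LOG = '''\
203.0.113.5 - - [12/Apr/2007:10:01:02 +0000] "GET /product_info.php?products_id=7&osCsid=aaaa1111 HTTP/1.1" 200 5120 "-" "ExampleBot/1.0 (+http://bot.example/info)"
198.51.100.20 - - [12/Apr/2007:11:15:40 +0000] "GET /product_info.php?products_id=7&osCsid=aaaa1111 HTTP/1.1" 200 5120 "http://search.example/results?q=widget" "Mozilla/5.0 (Windows)"
198.51.100.77 - - [12/Apr/2007:11:20:03 +0000] "GET /account.php?osCsid=aaaa1111 HTTP/1.1" 200 2048 "http://search.example/results?q=widget" "Mozilla/5.0 (Macintosh)"
192.0.2.44 - - [12/Apr/2007:11:30:00 +0000] "GET /index.php?osCsid=bbbb2222 HTTP/1.1" 200 4096 "http://shop.example/index.php" "Mozilla/5.0 (X11)"
'''

LINE_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?:GET|POST|HEAD) (?P<url>\S+) [^"]*" '
    r'\d{3} \S+ "(?P<ref>[^"]*)" "(?P<ua>[^"]*)"')


def shared_sessions(log_text, param="osCsid", own_host="shop.example"):
    """Return {session_id: report} for IDs presented by more than one client."""
    clients = defaultdict(set)    # session id -> {(ip, user agent)}
    external = defaultdict(set)   # session id -> referrer hosts other than the shop
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue              # not a combined-format request line
        ids = parse_qs(urlsplit(m["url"]).query).get(param, [])
        if not ids:
            continue              # session travelled in a cookie, or no session
        sid = ids[0]
        clients[sid].add((m["ip"], m["ua"]))
        ref_host = urlsplit(m["ref"]).hostname   # None for "-" (no referrer)
        if ref_host and ref_host != own_host:
            external[sid].add(ref_host)
    # One client reusing its own ID is normal; several clients on one ID is not.
    return {sid: {"clients": sorted(c),
                  "external_referrers": sorted(external[sid])}
            for sid, c in clients.items() if len(c) > 1}


if __name__ == "__main__":
    for sid, report in shared_sessions(SAMPLE_LOG).items():
        print(sid, len(report["clients"]), "clients via", report["external_referrers"])
```

An ID that first appears in a crawler's request and later arrives from several visitors with a search-engine referrer matches the pattern the thread resolves with Prevent Spider Sessions set to True.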