[ic] Session auto-populated with another user's data
Paul Jordan
paul at gishnetwork.com
Thu Nov 8 21:32:54 EST 2007
interchange-users-bounces at icdevgroup.org wrote:
> On Thu, 8 Nov 2007, Aaron Berg wrote:
>
>> I've run into an issue with session creation. A member of our staff
>> was testing one of our IC sites and she had a customer's data
>> automatically pulled into her session. She clears her cache and
>> cookies daily. The steps she followed are:
>>
>> Open browser
>> Go to site
>> Add an item to the cart
>> Check out
>> Choose country
>>
>> Then on the 'Shipping Address' page she was presented with the
>> details of another user. She had not viewed this site in quite some
>> time and had not logged into the admin. Closing the browser and
>> repeating the steps presented her correctly with an empty 'Shipping
>> Address' form.
>>
>> Hopefully this is not an issue with Interchange, but I'm not seeing
>> how the browser could have caused this to happen as there were no
>> saved cookies or cached data.
>>
>> Does anyone have any ideas on how I can fully isolate the cause of
>> this?
>
> Does she log into the Interchange admin? Edit orders or customer data? The
> default Interchange admin uses the same session that the storefront does,
> so information can leak that way for an admin user. (Customers would
> never see this.)
>
> You said above that "She clears her cache and cookies daily", but only
> daily gives plenty of time for session info leakage to happen.
>
> One way to narrow down the problem would be to have her use an entirely
> separate browser when using the admin vs. the customer-facing store. That
> is, use Firefox vs. Safari vs. IE, not just a separate window or tab.
>
> Jon
I find this happens VERY frequently when simply using another tab (at least
within IE). I've only seen this within a new browser instance when still logged
into the admin. Of course, different browsers would not produce this.
So, I guess I am just agreeing with Jon :-)
Paul Jordan
Gish Network
For Print, Web and Life
paul at gishnetwork.com