[ic] Session auto-populated with another users data

[Paul Jordan]

interchange-users-bounces at icdevgroup.org wrote:
> On Thu, 8 Nov 2007, Aaron Berg wrote:
> 
>> I've run into an issue with session creation.  A member of our staff
>> was testing one of our IC sites and she had a customers data
>> automatically pulled into her session.  She clears her cache and
>> cookies daily.  The steps she followed are:
>> 
>> Open browser
>> Go to site
>> Add an item to the cart
>> Check out
>> Choose country
>> 
>> Then on the 'Shipping Address' page she was presented with the
>> details of another user.  She had not view this site in quite some
>> time and had not logged into the admin.  Closing the browser and
>> repeating the steps presented her correctly with an empty 'Shipping
>> Address' form. 
>> 
>> Hopefully this is not an issue with Interchange, but I'm not seeing
>> how the browser could have caused this to happen as there were no
>> saved cookies or cached data. 
>> 
>> Does anyone have any ideas on how I can fully isolate the cause of
>> this? 
> 
> Does she log into the Interchange admin? Edit orders or
> customer data? The
> default Interchange admin uses the same session that the
> storefront does,
> so information can leak that way for an admin user. (Customers would
> never see this.)
> 
> You said above that "She clears her cache and cookies daily",
> but only
> daily gives plenty of time for session info leakage to happen.
> 
> One way to narrow down the problem would be to have her use
> an entirely
> separate browser when using the admin vs. the customer-facing
> store. That
> is, use Firefox vs. Safari vs. IE, not just a separate window or tab.
> 
> Jon

I find this happens VERY frequently when simply using another tab (at least
within IE). I've only seen this within a new browser instance when still logged
into the admin. Of course, different browsers would not produce this.

So, I guess I am just agreeing with Jon :-)

Paul Jordan

Gish Network
  For Print, Web and Life
  paul at gishnetwork.com