Post by MJimprints » Tue Sep 29, 2020 4:58 am

I'm having an issue on my site where some customers are being automatically logged into a different user's account as soon as they enter the site.
This has happened twice now, and orders were placed both times to accounts that weren't even theirs.
I recently upgraded my site from 2 to 3.0.3.2. Any help would be greatly appreciated!

Newbie

Posts

Joined
Tue Sep 29, 2020 4:48 am

Post by ADD Creative » Tue Sep 29, 2020 7:12 am

Are you using any theme, extensions or modifications that could affect sessions or caching? Are you using any form of site caching? Is your site a very busy site with a bloated session table in the database?

www.add-creative.co.uk


Active Member

Posts

Joined
Sat Jan 14, 2012 1:02 am
Location - United Kingdom

Post by paulfeakins » Tue Sep 29, 2020 5:29 pm

MJimprints wrote:
Tue Sep 29, 2020 4:58 am
I recently upgraded my site from 2 to 3.0.3.2. Any help would be greatly appreciated!
And how did you do that?

For quick, professional OpenCart support please email info@antropy.co.uk


User avatar
Guru Member

Posts

Joined
Mon Aug 22, 2011 11:01 pm
Location - Reigate, Surrey, United Kingdom

Post by MJimprints » Tue Sep 29, 2020 10:17 pm

Thank you. I upgraded the site w/a new install and then copied all the necessary db tables from my old site.
Default theme. Don’t know of any extensions that would affect sessions or caching. I’m using GoDaddy w/website security & firewall which has minimal caching.
I can’t duplicate the problem myself, but I’ve had multiple customers call in about it.
Trying to figure out if it’s a problem w/my install or my hosting.

Newbie

Posts

Joined
Tue Sep 29, 2020 4:48 am

Post by MJimprints » Tue Sep 29, 2020 11:10 pm

Tried clearing all my caches & repairing database, but still not fixed.

Newbie

Posts

Joined
Tue Sep 29, 2020 4:48 am

Post by letxobnav » Tue Sep 29, 2020 11:14 pm

The only way a user can get signed in as another is when he/she gets the same session id.
That can only happen when:
1) you issue the same session id to multiple users which is doubtful.
2) a hacker is accessing your site with a random session cookie hoping he is very lucky that that id is still around (but he would not complain).
3) these users are issued a session id which still lingers in your session table or session directory (depending on where you store your session data).
The chance of that happening is very small but increases when you do not clear that store regularly and it fills up fast.
Hence ADD Creative's question about a bloated session table/directory.

The only way to prevent that is to check if a generated session id already exists in the table/directory before issueing it but regularly performing session garbage collection should suffice.

Crystal Light Centrum Taiwan
Extensions: MailQueue | SUKHR | VBoces

“Data security is paramount at [...], and we are committed to protecting the privacy of anyone who is associated with our [...]. We’ve made a lot of improvements and will continue to make them.”
When you know your life savings are gone.


User avatar
Expert Member

Posts

Joined
Fri Aug 18, 2017 4:35 pm
Location - Taiwan

Post by letxobnav » Tue Sep 29, 2020 11:16 pm

Tried clearing all my caches & repairing database, but still not fixed.
How do you know if you cannot reproduce it?

check the amount of records in your session table if you store them there.

Crystal Light Centrum Taiwan
Extensions: MailQueue | SUKHR | VBoces

“Data security is paramount at [...], and we are committed to protecting the privacy of anyone who is associated with our [...]. We’ve made a lot of improvements and will continue to make them.”
When you know your life savings are gone.


User avatar
Expert Member

Posts

Joined
Fri Aug 18, 2017 4:35 pm
Location - Taiwan

Post by MJimprints » Tue Sep 29, 2020 11:59 pm

Ok, my session table (oc_session) is pretty large. Can I empty it? Sorry, not very familiar with this.

Newbie

Posts

Joined
Tue Sep 29, 2020 4:48 am

Post by letxobnav » Wed Sep 30, 2020 12:15 am

"pretty large" is a qualification not a quantification, how many records?

You can delete them but better to put your site in maintenance mode first as active users would lose their session content (being signed out, preferences like language and currency reset, carts emptied etc.), no big deal but an inconvenience.
you can sort them on expire and leave the latest in there as they are the most likely active.

There have been issues with session garbage collection when storing the sessions in the database but I believe someone had a fix for that.
I store mine in files as is the normal way of doing it.

Crystal Light Centrum Taiwan
Extensions: MailQueue | SUKHR | VBoces

“Data security is paramount at [...], and we are committed to protecting the privacy of anyone who is associated with our [...]. We’ve made a lot of improvements and will continue to make them.”
When you know your life savings are gone.


User avatar
Expert Member

Posts

Joined
Fri Aug 18, 2017 4:35 pm
Location - Taiwan

Post by MJimprints » Wed Sep 30, 2020 12:20 am

Thanks for your help. Table has 72,000 records now.
I'll put into maintenance mode for now & clear it.

How can I store them in a file instead of db?

Newbie

Posts

Joined
Tue Sep 29, 2020 4:48 am

Post by letxobnav » Wed Sep 30, 2020 12:59 am

that is indeed a lot.

As said, I put them in files via:

in your system/config/default and catalog files instead of

Code: Select all

$_['session_engine']    = 'db';
you set

Code: Select all

$_['session_engine']    = 'file';
then in you normal config.php files (catalog and admin) you define your DIR_SESSION to where you want to store them (outside of root, I put them on a ram disk)

Crystal Light Centrum Taiwan
Extensions: MailQueue | SUKHR | VBoces

“Data security is paramount at [...], and we are committed to protecting the privacy of anyone who is associated with our [...]. We’ve made a lot of improvements and will continue to make them.”
When you know your life savings are gone.


User avatar
Expert Member

Posts

Joined
Fri Aug 18, 2017 4:35 pm
Location - Taiwan

Post by MJimprints » Wed Sep 30, 2020 1:20 am

I'll give that a try. Sure appreciate all your help on this!

Newbie

Posts

Joined
Tue Sep 29, 2020 4:48 am

Post by MJimprints » Wed Sep 30, 2020 1:54 am

Sorry, one more question. It's all set to save to a file now. Will I need to clear this directory out manually on a regular basis?

Newbie

Posts

Joined
Tue Sep 29, 2020 4:48 am

Post by straightlight » Wed Sep 30, 2020 2:24 am

MJimprints wrote:
Wed Sep 30, 2020 1:54 am
Sorry, one more question. It's all set to save to a file now. Will I need to clear this directory out manually on a regular basis?
Yes. Otherwise, you could create a cron job, or an OC event, to automatically clear out these files automatically on a periodic time.

The most generated errors being found on Opencart forum originates from contributed programming. The increased post counters are caused by redundancies of the same solutions that were already provided prior.


Regards,
Straightlight
Programmer / Opencart Tester


Legendary Member
Online

Posts

Joined
Mon Nov 14, 2011 11:38 pm
Location - Canada, ON

Post by letxobnav » Wed Sep 30, 2020 9:38 am

this is done automatically already, no cron job required.

Crystal Light Centrum Taiwan
Extensions: MailQueue | SUKHR | VBoces

“Data security is paramount at [...], and we are committed to protecting the privacy of anyone who is associated with our [...]. We’ve made a lot of improvements and will continue to make them.”
When you know your life savings are gone.


User avatar
Expert Member

Posts

Joined
Fri Aug 18, 2017 4:35 pm
Location - Taiwan
Who is online

Users browsing this forum: pprmkr and 31 guests