[TYPO3-commerce] Important: baskets seem to get shared among fe_users (security issue?)
Franz Koch
typo.removeformessage at fx-graefix.de
Fri Sep 7 19:02:16 CEST 2007
Hi list,
I have a strange behaviour and maybe a "security" issue. I log in as
userA, put some articles into the basket, don't go to checkout, log off
and then log in as userB. After that I see the basket of userA. This bug
is not related to page caching and it's not related to permalogin, as it
seems (the effect occurs with and without activated permalogin when
logging in).
The next unexpected behavior is that when I switch browsers on the same
computer, I get two different baskets. Maybe not what a regular user
expects.
I think something should be changed in the basket handling - meaning it
should primarily be bound to the fe_user ID instead of the session_id
(which leads to problems, as you can see), which could be a second
binding.
Can anybody else reproduce this? I used FF and IE and logged in with the
users vice versa, so e.g. in FF userA saw and shared the basket of the
FF-session from userB, and in IE userB saw and shared the basket of the
IE-session of userA.
When making changes to basket handling, at least the db could be prepared
for multi-basket handling, so that users can store baskets for later,
can view old baskets/orders and so on.
using:
- typo3 4.1.2
- commerce 0.9.3 SVN from 02.09.2007
Any ideas?
--
Kind regards,
Franz Koch
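Added illustration, not code from the original post and not from the TYPO3 commerce extension: a small Python model that reproduces both observations above (the basket leaking from userA to userB on the same browser, and one user getting two baskets from two browsers) when the basket is keyed by session_id, and shows how keying it by the fe_user uid changes both outcomes. The `Shop` and `Session` classes, the `bind_to` switch and the session-id regeneration option are all constructed for this example; the basket "database" is a plain dict.

```python
"""Basket bound to the session id versus bound to the fe_user uid.

Constructed model (not TYPO3 / commerce code): plain dicts stand in for the
session and basket tables so the two binding strategies can be compared.
"""
import secrets


class Session:
    """One browser session; user_id is None while the visitor is anonymous."""

    def __init__(self):
        self.sid = secrets.token_hex(16)
        self.user_id = None


class Shop:
    """bind_to='session' models the reported behaviour, bind_to='user' the fix.

    regenerate_sid=True issues a fresh session id on every login/logout, as a
    session store should; it is kept separate to show that this alone is not
    enough to give the user back their own basket.
    """

    def __init__(self, bind_to, regenerate_sid=False):
        assert bind_to in ("session", "user")
        self.bind_to = bind_to
        self.regenerate_sid = regenerate_sid
        self.baskets = {}  # basket key -> list of article ids

    def _key(self, session):
        # Logged-in users get a basket keyed by their uid; anonymous visitors
        # (and every visitor in 'session' mode) are keyed by the session id.
        if self.bind_to == "user" and session.user_id is not None:
            return ("user", session.user_id)
        return ("session", session.sid)

    def add(self, session, article):
        self.baskets.setdefault(self._key(session), []).append(article)

    def basket(self, session):
        return list(self.baskets.get(self._key(session), []))

    def login(self, session, user_id):
        anon_key = ("session", session.sid)
        if self.regenerate_sid:
            session.sid = secrets.token_hex(16)
        session.user_id = user_id
        if self.bind_to == "user":
            # Carry items collected while anonymous over into the user's basket
            # (design choice of this model, not something the post specifies).
            pending = self.baskets.pop(anon_key, [])
            self.baskets.setdefault(("user", user_id), []).extend(pending)

    def logout(self, session):
        session.user_id = None
        if self.regenerate_sid:
            session.sid = secrets.token_hex(16)


def shared_browser_scenario(shop):
    """userA fills the basket, logs off, userB logs in on the same browser.

    Returns (basket seen by userB, basket seen by userA on logging back in).
    """
    browser = Session()
    shop.login(browser, user_id=1)
    shop.add(browser, "article-1")
    shop.logout(browser)
    shop.login(browser, user_id=2)
    seen_by_b = shop.basket(browser)
    shop.logout(browser)
    shop.login(browser, user_id=1)
    seen_by_a = shop.basket(browser)
    return seen_by_b, seen_by_a


def two_browser_scenario(shop):
    """Same user logged in from two browsers; returns what the second one sees."""
    firefox, ie = Session(), Session()
    shop.login(firefox, user_id=1)
    shop.add(firefox, "article-1")
    shop.login(ie, user_id=1)
    return shop.basket(ie)


if __name__ == "__main__":
    for label, shop in [
        ("session-keyed", Shop("session")),
        ("session-keyed, sid regenerated", Shop("session", regenerate_sid=True)),
        ("user-keyed", Shop("user")),
    ]:
        print(label, shared_browser_scenario(shop), two_browser_scenario(shop))
```

Run as a script it prints one line per strategy. Session-keyed, userB sees userA's article and two browsers give two baskets; regenerating the session id stops the leak but userA's basket is gone too; keyed by fe_user uid, userB sees an empty basket, userA gets the article back on the next login, and both browsers show the same basket.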