[TYPO3-commerce] Important: baskets seem to get shared among fe_users (security issue?)

Franz Koch typo.removeformessage at fx-graefix.de
Fri Sep 7 19:02:16 CEST 2007


Hi list,

I see some strange behaviour, and maybe a "security" issue. I log in as 
userA, put some articles into the basket, don't go to checkout, log off 
and then log in as userB. After that I see the basket of userA. This bug 
is not related to page caching, and it does not seem to be related to 
permalogin either (the effect occurs with and without permalogin 
activated when logging in).

The next unexpected behaviour is that when I switch browsers on the same 
computer, I get two different baskets. Maybe not what a regular user 
expects.

I think something should be changed in the basket handling - meaning it 
should primarily be bound to the fe_user ID instead of the session_id 
(which leads to problems, as you can see); the session_id could be a 
secondary binding.

Can anybody else reproduce this? I used FF and IE and logged in with the 
users vice versa, so e.g. in FF userA saw and shared the basket of the 
FF-session from userB, and in IE userB saw and shared the basket of the 
IE-session of userA.

When making changes to the basket handling, the db could at least be 
prepared for multi-basket handling, so that users can store baskets for 
later, view old baskets/orders and so on.

using:
- typo3 4.1.2
- commerce 0.9.3 SVN from 02.09.2007

Any ideas?

--
Kind regards,
Franz Koch
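The two binding strategies discussed above, as an added example that is not part of the original post and not code from the commerce extension. It is a small Python model of a basket store, not TYPO3 code: the class names, the Session object and the scenario helpers are assumptions made for illustration. SessionBoundShop keys the basket on the session id only, which reproduces both effects reported (userB inherits userA's basket after a logout/login in the same browser; the same user gets two baskets in two browsers). UserBoundShop keys the basket on the fe_user uid, keeps an anonymous basket per session that is merged into the user's basket on login, and issues a fresh session id on login and on logout so nothing keyed to the old id can be picked up by the next person at the same browser.

```python
"""Model of session-bound vs. fe_user-bound basket storage (illustration, not TYPO3 commerce code)."""
import secrets
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class Session:
    """Hypothetical stand-in for a frontend session: cookie value plus the logged-in fe_user uid."""
    sid: str
    fe_user: Optional[int] = None  # None while anonymous


class SessionBoundShop:
    """Basket keyed only by session id: the behaviour the post reports."""

    def __init__(self) -> None:
        self.baskets: Dict[str, List[str]] = {}

    def login(self, s: Session, uid: int) -> None:
        s.fe_user = uid  # session id is kept, so the old basket survives the login

    def logout(self, s: Session) -> None:
        s.fe_user = None  # the basket stored under s.sid is left untouched

    def add(self, s: Session, article: str) -> None:
        self.baskets.setdefault(s.sid, []).append(article)

    def view(self, s: Session) -> List[str]:
        return list(self.baskets.get(s.sid, []))


class UserBoundShop:
    """Basket keyed by fe_user uid; anonymous items live per session and are merged on login."""

    def __init__(self) -> None:
        self.user_baskets: Dict[int, List[str]] = {}
        self.anon_baskets: Dict[str, List[str]] = {}

    @staticmethod
    def _rotate(s: Session) -> None:
        # New session id on every login/logout, so the next person at this browser
        # cannot reach anything still keyed to the previous id.
        s.sid = secrets.token_hex(16)

    def login(self, s: Session, uid: int) -> None:
        pending = self.anon_baskets.pop(s.sid, [])  # take the anonymous basket with us
        self._rotate(s)
        s.fe_user = uid
        self.user_baskets.setdefault(uid, []).extend(pending)

    def logout(self, s: Session) -> None:
        s.fe_user = None
        self._rotate(s)  # any anonymous basket under the old id is now unreachable

    def add(self, s: Session, article: str) -> None:
        if s.fe_user is None:
            self.anon_baskets.setdefault(s.sid, []).append(article)
        else:
            self.user_baskets.setdefault(s.fe_user, []).append(article)

    def view(self, s: Session) -> List[str]:
        if s.fe_user is None:
            return list(self.anon_baskets.get(s.sid, []))
        return list(self.user_baskets.get(s.fe_user, []))


def reported_scenario(shop) -> List[str]:
    """userA fills the basket, logs off, userB logs in on the same browser. Returns what userB sees."""
    browser = Session(sid="ff-session")  # constructed sample session
    shop.login(browser, 1)
    shop.add(browser, "articleA")
    shop.logout(browser)
    shop.login(browser, 2)
    return shop.view(browser)


def two_browser_scenario(shop) -> List[str]:
    """The same user logged in from two browsers. Returns what the second browser sees."""
    ff = Session(sid="ff-session")
    ie = Session(sid="ie-session")
    shop.login(ff, 1)
    shop.add(ff, "articleA")
    shop.login(ie, 1)
    return shop.view(ie)


def anonymous_merge_scenario(shop) -> List[str]:
    """Items added before login should still be in the basket after login."""
    s = Session(sid="anon-session")
    shop.add(s, "articleX")
    shop.login(s, 1)
    return shop.view(s)


if __name__ == "__main__":
    print("session-bound, userB sees:", reported_scenario(SessionBoundShop()))
    print("user-bound,    userB sees:", reported_scenario(UserBoundShop()))
    print("session-bound, second browser sees:", two_browser_scenario(SessionBoundShop()))
    print("user-bound,    second browser sees:", two_browser_scenario(UserBoundShop()))
```

The merge of the anonymous basket on login is only safe in combination with the id rotation on logout: without it, a basket filled by a logged-out user on a shared computer would be merged into whoever logs in next, which is just the reported leak moved one step earlier.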


More information about the TYPO3-project-commerce mailing list