[TYPO3-commerce] Important: baskets seem to get shared among fe_users (security issue?)
Franz Koch
typo.removeformessage at fx-graefix.de
Fri Sep 14 13:45:41 CEST 2007
Hi Ingo,
> sorry for the delay, but I'm currently heavily involved in another
> project. During the weekend I'll have the time to read the list and have
> a look at the patches and review them.
I didn't mean you (or Volker) in person - you're not the only one(s) on
this list ;) But I totally understand you as I've been in the same
situation the last two weeks (with my now almost finished commerce project).
> Your Issue is strange for me, since it's working for me all the time.
> Just for my information: Are you using real url and how did you
> configure the basket hash value?
Yes, I use realUrl - but it's not configured for commerce (didn't like
the current approaches and didn't have the time to experiment with that)
- so it's no realUrl path-cache problem.
Configure the basket hash? I haven't seen any option to alter the
basketHash values. As far as I can see it's generated by using md5 on the
serialized basket-item array and there are no hooks or any other
configuration option except for XCLASSing.
Btw - the basketHash is a bad idea for usage with pi1 and cached content
as long as it contains an md5 of the constantly changing basket items and
not e.g. the usergroups. With the current setting it will generate a massive
amount of cached pages and will most likely not bring any speed
improvements, because the always changing hash values "force" TYPO3 to
generate a new (afterwards cached) page "from scratch" on almost every
page the current user views.
So it'll be far better to use the usergroups for the hash to get correct
caches based on the users rights. As the basket (pi2) is USER_INT it's
not affected by any caching - so there is no need for a "basket"-hash
but more a hash based on user-rights.
When doing so, it'll no longer be possible (except with AJAX or some
other nice JS tricks within a USER_INT plugin) to show the current stock
of an article in the 'add to basket' form, as it will get cached. But as
mentioned - it could then be done with a little JS call, generated by a
pi2 instance on the page (which is the case in most installations I guess).
Just some ideas.
--
Greetings,
Franz
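As an added example (not from the mail or the commerce extension), a small Python simulation of the two cache-key strategies discussed above: an MD5 of the serialized basket items versus a hash of the fe_user's usergroups. The users, group ids and basket states are constructed; `basket_hash` and `usergroup_hash` are hypothetical names, not the extension's API.

```python
import hashlib
import json

# Constructed sample data: two frontend users who share the same usergroups.
USERS = {
    "alice": {"usergroups": [1, 3]},
    "bob": {"usergroups": [3, 1]},
}


def basket_hash(basket_items):
    """Cache-key component in the style the mail criticises: MD5 over the
    serialized basket-item array. Any quantity or item change gives a new
    hash and therefore a new page to render and cache."""
    serialized = json.dumps(basket_items, sort_keys=True)
    return hashlib.md5(serialized.encode()).hexdigest()


def usergroup_hash(usergroups):
    """Cache-key component based on the fe_user's usergroups, the alternative
    the mail proposes. Sorted and deduplicated so group order is irrelevant."""
    serialized = ",".join(str(g) for g in sorted(set(usergroups)))
    return hashlib.md5(serialized.encode()).hexdigest()


def count_cache_variants(keyfunc, requests):
    """Number of distinct cached page variants a sequence of
    (username, basket_state) requests would produce under keyfunc."""
    return len({keyfunc(user, basket) for user, basket in requests})


def simulate():
    # Constructed request log: alice edits her basket three times, bob twice.
    requests = [
        ("alice", {"123": 1}),
        ("alice", {"123": 2}),
        ("alice", {"123": 2, "456": 1}),
        ("bob", {"789": 1}),
        ("bob", {"789": 5}),
    ]
    by_basket = count_cache_variants(lambda u, b: basket_hash(b), requests)
    by_groups = count_cache_variants(
        lambda u, b: usergroup_hash(USERS[u]["usergroups"]), requests
    )
    return by_basket, by_groups


if __name__ == "__main__":
    print("variants keyed by basket items:", simulate()[0])
    print("variants keyed by usergroups:  ", simulate()[1])
```

A page keyed by usergroups must not render per-user data such as basket contents or live stock, which is exactly why the mail moves that output into a USER_INT (uncached) plugin or a JS call.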