Cart not refreshing in browser for different users.

This is the place to report bugs and get support. When posting in this forum, please always provide as much detail as possible.

Please do not report problems with a custom build or custom code in this forum. If you are producing your own build from the source code and have problems or questions, ask in the developer forum, do not report it as a bug.

This thread is closed to new posts. You must sign in to post in the forums.
9/1/2009 3:32:56 PM

Cart not refreshing in browser for different users.

On Vista, IIS 7.0, 2.3.1.6, when a user puts an item in the cart, exits mojo, another user logs onto the same PC, signs in, the cart items are still in the cart.

9/2/2009 8:15:56 AM

Re: Cart not refreshing in browser for different users.

Hi David,

I did discover an information disclosure bug but not the same as what you are suggesting.

The cart cookie is persistent so if a user logs out and comes back the items are still in their cart. This is a feature not a bug. 

This only happens if it's the same Windows user; then he still has the same cart cookie. If a different Windows user signs into the machine he does not share cookies with other users, so this can't happen: if a different Windows user signs in to Windows then signs into mojoPortal as a different mojoPortal user, they will not have the same cart.

If he signs in as a different Windows user he gets a different cookie, but if he signs in as the same mojoPortal user (from any machine) we do find his existing cart. Again, this is a feature not a bug.

The bug I did find is that if using Authorize.NET or PlugNPay, if the user proceeded to the point of entering his billing address, that is also persisted, and this information could be seen by a user who signed into Windows as the same Windows user and inherited the cart cookie and signed in as a different mojoPortal user and proceeded to checkout. Then when he proceeded to checkout he could see the previous user's address info. This is now fixed in my copy and it is not an issue for anyone using only PayPal or Google Checkout because this info is never entered in those cases. Note however also, if a user has made an order in the past and comes back and proceeds to checkout (again only in the case of Authorize.NET or PlugNPay) we pre-populate the billing address from his most recent previous order for convenience.

So there was an information disclosure bug in the case of using Authorize.NET or PlugNPay, in the scenario of a public computer like an internet cafe where different users access the same pc but using the same windows login. If the first user proceeded far enough to enter and save their billing info then abandoned the cart, then the next cafe user if he went to the same site and signed in and proceeded to checkout could see the address info of the previous user.

This is now fixed in my copy and will be fixed in the next release so we clear the address info if the mojoPortal user changes to a different user than was attached to the cart previously. It's very unlikely that this scenario is actually happening anywhere in the wild but it's an important fix.

Best,

Joe
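
The fix described in the post above (clear the saved address when the signed-in mojoPortal user differs from the one previously attached to the cart), sketched in C# as an added example. This is not mojoPortal's code; `Cart`, `CartStore`, `AttachUser` and the sample users are hypothetical.

```csharp
using System;
using System.Collections.Generic;

// Hypothetical model, not mojoPortal's classes: a cart found by a persistent browser cookie.
class Cart
{
    public List<string> Items = new List<string>();
    public string BillingAddress;   // saved at the Authorize.NET / PlugNPay address step
    public string LastUserId;       // site user last attached to this cart (null = anonymous)
}

static class CartStore
{
    static readonly Dictionary<Guid, Cart> carts = new Dictionary<Guid, Cart>();

    // The cookie value is the only lookup key, so whoever holds the cookie gets the cart.
    public static Cart Load(Guid cartCookie)
    {
        Cart cart;
        if (!carts.TryGetValue(cartCookie, out cart)) { cart = new Cart(); carts[cartCookie] = cart; }
        return cart;
    }

    // Run on every authenticated cart load, before checkout renders anything.
    public static Cart AttachUser(Guid cartCookie, string signedInUserId)
    {
        Cart cart = Load(cartCookie);
        if (cart.LastUserId != null && cart.LastUserId != signedInUserId)
            cart.BillingAddress = null;   // owner changed: drop personal data, keep the items
        cart.LastUserId = signedInUserId;
        return cart;
    }
}

static class Demo
{
    static void Main()
    {
        Guid cookie = Guid.NewGuid();   // one browser profile on a shared Windows login

        Cart first = CartStore.AttachUser(cookie, "alice");   // constructed users
        first.Items.Add("widget");
        first.BillingAddress = "1 Example St";                // abandoned after the address step

        Cart second = CartStore.AttachUser(cookie, "bob");    // same cookie, different site user
        Console.WriteLine("items kept: " + second.Items.Count);
        Console.WriteLine("address cleared: " + (second.BillingAddress == null));
    }
}
```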

9/3/2009 11:17:44 AM

Re: Cart not refreshing in browser for different users.

Hey Joe, the issue is that if two different mojo users log in on the same Windows account, the second mojo user will see the first mojo user's cart. In security terms, pretty small issue unless two mojo users were using a shared / public Windows PC and the Windows user didn't refresh.

As for the authorize.net bug, thanks for pointing that out. I'll look for the fix in SVN. It would affect PayPalDirect as well, I assume.

Thanks

9/3/2009 11:24:52 AM

Re: Cart not refreshing in browser for different users.

I don't see anything particularly of concern if a different user sees the previous user's cart items as long as that is all they see. It's a far more common scenario that users are not sharing the same PC, and therefore more important to optimise it for the user by retaining the cart items. I'm pretty sure the same thing happens on Amazon if logged into Windows as the same user. There is no personal information disclosed and the second user has no way of even knowing who the previous user was. It may be inconvenient that there is already something in the cart, but that inconvenience for the rare case is less important than the convenience for the most common case, in my opinion.

The other issue is already fixed in svn trunk as of last night.

Best,

Joe
