Home » Projects » Ubercart Contributed Modules » Ubercart Contributions » Issues

customers losing cart contents in checkout - session crossing/hijack problem?

Submitted by spiderman on Tue, 10/09/2007 - 12:38
Project:Ubercart Contributions
Component:Code
Category:bug report
Priority:critical
Assigned:spiderman
Status:active
Description
Project: 
Ubercart

as of late last week, the folks at SCW are getting many customers reporting that they are getting the wrong cart contents when they go to the checkout.

when viewing the cart/ page, customers will see their order, but when clicking checkout, it shows them order details from a completely different customer. obviously this is a serious problem, and we are actively trying to track it down. as yet, i've been unable to reproduce the bug, but we have a strong suspicion it's related to a similar problem experienced by another client who's using ZenCart. also, we have determined that the other customer is one who is also shopping at the exact same time- it appears whichever of the two orders completes first then takes over the cart of the second order.

this thread (and this one too) describes a problem where customers coming from behind a big ISP proxy will end up experiencing something similar to the problem we're seeing on ubercart because the session handling code gets its wires crossed as shoppers appear to be coming from the same IP.

in the case of ZenCart, we solved the issue by turning on the following options:

  • force cookie use
  • Check SSL Session ID
  • Validate the SSL_SESSION_ID on every secure HTTPS page request.
  • Recreate Session
  • Recreate the session to generate a new session ID when the customer logs on or creates an account (PHP >=4.1 needed).

unfortunately, afaict there are no analogous settings in drupal/UC, since cookies are always used to track user sessions. i've hunted through drupal.org and ubercart.org extensively, and can find no reference to this kind of problem.

the closest i could find were threads like this one which appears to be unresolved, tho i can't really tell if some other solution to this problem was implemented at some point. i also know that drupal has had one XSS vulnerability that was fixed in 4.6, but i assume this is no longer an issue.

one other relevant point: having decided that the site launch was successful and most of our development efforts complete, i turned on the "standard" drupal page caching mechanism late last week. reports of this problem only began after that configuration change, and so i'm guessing it may be related (in the meantime, i've turned caching off again).

anyway, any help/insight/feedback on this is greatly appreciated, obviously Eye-wink

thanks!
spidey
Tue, 10/09/2007 - 14:29
#1 View page
Ryan
Ryan's picture
Offline
Joined: 08/07/2007
Juice: 15438
Re: customers losing cart contents in checkout - session crossin

Oof... caching is on my list of things to revisit. I'm curious to know what sort of details they're seeing from other customers... is it actually filling out form fields for them (very bad) or is it just displaying the wrong cart contents? Either way, I'm not sure if that would be a caching problem or not, and I haven't heard of the session issue before. Is there any way to duplicate the issue?

Maybe related... on the same machine, I can login to this site using IE and Firefox and have two different sessions, so I'm not sure if this would be related to IP address. Did that matter to the issue as experienced by Zencart?

Top
Wed, 10/10/2007 - 01:16
#2 View page
spiderman
spiderman's picture
Offline
Bug FinderGetting busy with the Ubercode.
Joined: 08/17/2007
Juice: 61
oof indeed.
Assigned to:Ryan» spiderman

ya, this is a nasty one- it *is* actually filling out form fields, tho fortunately the cc masking code is kicking in, so people are just seeing address/contact info for ppl they don't know (bad enuf, but could be worse).

i've had trouble reproducing the error, although i was told today that the client was able to do so by running two orders through at *exactly* the same time.

as i understand, in the case of zencart, it appeared to have to do with the way that AOL and other big ISPs force all web traffic through a load balanced set of proxy servers, causing users to "change IPs" mid-session, or something like that.. it also seems to happen if for some reason multiple users come from the same IP (NAT, or multiple browsers, as you suggest).

in any case, i'm keeping my fingers crossed that it's a cache problem, and waiting to hear confirmation that they haven't had any further reports of this error since we turned drupal caching *off*.

meantime, maybe the morning will bring fresh ideas Eye-wink

*sigh* what a day..
spidey

Top
Wed, 10/10/2007 - 08:49
#3 View page
Ryan
Ryan's picture
Offline
Joined: 08/07/2007
Juice: 15438
Re: oof indeed.
Assigned to:spiderman» Ryan

Yeah, let me know. Caching is on my list of things to address (and I thought I had done some already). I also thought I had implemented a double check based on the referrer URI to prevent someone else's data from being displayed, but I'll revisit that code.

Top
Wed, 10/10/2007 - 10:17
#4 View page
spiderman
spiderman's picture
Offline
Bug FinderGetting busy with the Ubercode.
Joined: 08/17/2007
Juice: 61
caching seems to be the source
Assigned to:Ryan» spiderman

we have a tentative confirmation today that the problem is resolved. they are no longer able to reproduce the error, and as yet have received no further complaints from customers. we are working our way through the bunch of orders that are "in checkout" but already processed, and keeping our fingers crossed that caching was indeed the source of the trouble.

Ryan: thanks for your thinking on this, and i hope your review of the relevant chunks of code reveals something helpful Eye-wink

Top
Wed, 10/10/2007 - 17:47
#5 View page
phillipadsmith@...
phillipadsmith@drupal.org's picture
Offline
Joined: 10/10/2007
Juice: 2
Quick download of my findings...
Assigned to:spiderman» phillipadsmith@drupal.org

Hi there,

After a review of when / how this issue seemed to be happening, I'm less convinced that it's got much to do with the ISP / IP / Proxy scenario, and more to do with the connection to the payment processor (in this case, Authorize.net). Turning off the caching does seem to solve the issue ... but, when you investigate, you may want to look at how the authorization or pre-auth is done.

From what I can tell, here was the chain of events:

* Customer goes to check out page and starts filling in the form sections
* At the Payment Method section, there seems to be a little pre-auth or something that happens for credit card orders
* At this point, two things happened: Customer A was charged for their cart order and Customer A was shown Customer B's information.
* And, Customer A's cart remained in a "checkout" state, not in a successful order state

When I looked at the logs, it appears that Customer As cart was created minutes before Customer Bs, but that the *credit card charge* got recorded at almost the exact same time as Customer Bs cart moved into a checkout status. Hence why I suspect that the authorization module + caching may be worth investigating.

HTH,

Phillip.

Top
Thu, 05/28/2009 - 14:22
#6 View page
janicenyland
janicenyland's picture
Offline
Joined: 06/11/2008
Juice: 48
Still an issue
Assigned to:phillipadsmith@drupal.org» janicenyland

Just wanted to let you know that we are still experiencing this issue. (or something with identical symptoms)
We have since turned off caching ... so.. we'll see if that resolves it...

We also noted that the there are two session cookies present when we saw this issue.
Our server loads sometimes spike very high (moving to a new server shortly) that may contribute to our ability to see this issue.
This may cause the PHP.cgi to issue different cookies?

Let us know if you have discovered any further information.... we will do the same.

Thanks,
Janice

Top
Thu, 12/30/2010 - 03:08
#7 View page
cfab
cfab's picture
Offline
Joined: 06/30/2009
Juice: 70
#7
Category:» bug report
Assigned to:janicenyland» spiderman

Hi there,

I'm reopening this old file since I'm facing this behavior today with the most recent version of UC : I've shared a cart with my client, he was anonymous and I was logged as admin.

I think the problem is caused by Boost and I'll correct it locally, but maybe some other tests would be necessary in order to prevent people using Boost with UC, or at least to take some precautions.

Regards,
TahitiClic

Drupal Powered Classifieds Site - Web site development in Tahiti

Top