Suddenly started using another logged in user's session - Magento 2

This might be too broad a question, but it is a gigantic security issue and I have no idea where to start debugging it.

I was testing some features on my dev server while someone else was logged in on the frontend as well. At one point, after refreshing, I saw that I was suddenly logged in to the other user's account. I did not even know which email they were using and had never logged in with that account before, but I could now do everything from changing his password to placing orders with his account.

As far as I know I'm not doing anything weird with sessions, but the most likely place I could see this going wrong is a Helper class that is used in various places, but that is only used for getting the current user's customer group ID.

It is a fairly standard and clean Magento 2.1.9 installation on a LAMP stack; we started developing two weeks ago, so we have one custom module that we are working on right now and no third-party modules.

magento2 security session customer-session

edited Sep 29 '17 at 8:29 by Kaascroissant
asked Sep 28 '17 at 9:23 by Kaascroissant

  • It could be a cache issue. Confirm it by going through the checkout. You will not actually order as the other account.

    – Fabian Schmengler
    Sep 29 '17 at 6:17

  • I tried and I was able to actually place the orders and change their account information.

    – Kaascroissant
    Sep 29 '17 at 8:03

  • As Fabian already mentioned: this can be a cache issue (do you use Varnish?) or also a session problem. If the session lifetime is very long, a session collision can occur. Apart from this, I think you need to update your question with some more technical information to get some good answers and help here.

    – Anna Völkl
    Sep 29 '17 at 8:14

  • I do not use Varnish, the session lifetime is a couple of minutes, and at most 2 people log in at a time, so I don't think it's a session collision. I have updated the question with some information about the version and modules; what other information would be useful to share? I'm not really sure what could cause this, so I don't know what might be relevant.

    – Kaascroissant
    Sep 29 '17 at 8:32

2 Answers

I was able to replicate this issue by clicking a link with a "SID" (session ID) in it. If that session ID belonged to another customer and they were logged in, I could see their details.

Because the site I was working on was a single website/store (no multi-website/store), I could stop the issue by changing:

Store > Configuration > General > Web > Session Validation Settings > "Use SID on Storefront" == "No"

You may need to wipe your session store to ensure no customers are still sharing sessions.

I found this related question useful; it contains more info:

How to Remove SID (SESSION_ID) from URL in Magento 2

answered Oct 10 '17 at 2:16 by Wireblue

  • You're right, thanks, this seems to be the most likely reason since we were sharing URLs.

    – Kaascroissant
    Oct 10 '17 at 8:00
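The mechanism in Wireblue's answer (a session ID carried in a URL query parameter is accepted by the server, so whoever opens the link is attached to that session) as an added example; this is not code from the original page and not Magento's own session code. It is a toy storefront whose session resolver reads the `SID` query parameter only while "Use SID on Storefront" is on, and falls back to the cookie otherwise, plus a scanner and a stripper for links that carry a session ID so shared URLs can be caught before and after flipping the setting. The parameter name `SID` (the one the answer names), the cookie name `PHPSESSID`, the host `shop.example` and the sample URLs are assumptions constructed for the example.

```python
"""Added example: why a session ID in a shared URL lets a second browser adopt
another customer's session, and why turning 'Use SID on Storefront' off closes
that path. Toy code, not Magento's; names and sample data are assumptions."""
from dataclasses import dataclass, field
from urllib.parse import urlparse, parse_qs, urlencode, urlunparse
import secrets

SID_PARAM = "SID"          # query-string parameter name (assumed, as on the page)
COOKIE_NAME = "PHPSESSID"  # session cookie name (assumed)


@dataclass
class Request:
    url: str
    cookies: dict = field(default_factory=dict)


@dataclass
class Store:
    """Toy storefront: sessions map session_id -> logged-in customer e-mail."""
    use_frontend_sid: bool
    sessions: dict = field(default_factory=dict)

    def login(self, email: str) -> str:
        """Create a fresh, unguessable session for a customer; return its ID."""
        sid = secrets.token_hex(16)
        self.sessions[sid] = email
        return sid

    def resolve_session(self, req: Request):
        """Return the customer attached to the request's session.

        With use_frontend_sid on, a known session ID in the query string is
        honoured before the cookie: this is the path that let one person open
        another customer's session in the question. With it off, only the
        browser's own cookie is consulted."""
        if self.use_frontend_sid:
            qs = parse_qs(urlparse(req.url).query)
            for candidate in qs.get(SID_PARAM, []):
                if candidate in self.sessions:
                    return self.sessions[candidate]
        sid = req.cookies.get(COOKIE_NAME)
        return self.sessions.get(sid)

    def share_link(self, path: str, sid: str) -> str:
        """Build the kind of link a storefront emits while SIDs are enabled."""
        return f"https://shop.example{path}?{urlencode({SID_PARAM: sid})}"


def leaked_session_urls(urls):
    """Flag URLs that carry a session ID in their query string, e.g. when
    grepping shared links, access logs or Referer headers."""
    flagged = []
    for u in urls:
        if SID_PARAM in parse_qs(urlparse(u).query):
            flagged.append(u)
    return flagged


def strip_sid(url: str) -> str:
    """Remove the SID parameter so a URL is safe to paste to someone else."""
    parts = urlparse(url)
    qs = {k: v for k, v in parse_qs(parts.query).items() if k != SID_PARAM}
    return urlunparse(parts._replace(query=urlencode(qs, doseq=True)))


def demo(use_frontend_sid: bool):
    """Alice logs in and shares a product link; Bob opens it in a different
    browser with no cookie jar. Returns who the store thinks Bob is."""
    store = Store(use_frontend_sid=use_frontend_sid)
    alice_sid = store.login("alice@example.com")
    link = store.share_link("/catalog/product/view/id/42", alice_sid)
    bob = Request(link, cookies={})  # Bob never logged in and has no cookie
    return store.resolve_session(bob)


if __name__ == "__main__":
    print("SID on :", demo(True))    # Bob is served Alice's session
    print("SID off:", demo(False))   # Bob is a guest
    print(strip_sid("https://shop.example/a?SID=abc&x=1"))
```

`demo(True)` returns Alice's identity for a browser that never authenticated, which is the behaviour the question reports; `demo(False)` returns `None`. On a single-store 2.1.x install there is no `bin/magento config:set` (that command arrived in 2.2), so the setting is flipped in the admin as the answer describes, after which existing sessions should be wiped and any links already shared should be run through something like `leaked_session_urls` or `strip_sid`.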

Please help me with this issue, very important
zangane.mostafa71@gmail.con

I help!!!!!!!!

answered 11 mins ago by zangane.mostafa
