WideOpen can cause problems!
WideOpen, it can cause problems!
Specifically, I have a shop that is running WideOpen
because that was the only way I could prevent
the cart contents from being dropped when switching
to the secure checkout page (which is a different domain).
One problem that can arise is if a link like:
http://www.myserver.com/cgi-bin/page?abcdefgh;;567
is spidered by a search engine or placed on a static page
somewhere, then people who use that link will be placed
in the same cart with the potential of seeing the previous
customer's information. And if that link is heavily used, even
a short expiration time won't help!
I tried switching to using the following with no WideOpen set
even though the cart still occasionally drops.

DomainTail No
IpHead Yes
IpQuad 0

But EVEN WITH these settings, I am able to see someone
else's info if I use a link that includes the cart id!
(by looking in the error log for an order placed by an unknown
party and using the id code in the url, so I was definitely
not using the same ip or host!)
So what is the difference between WideOpen and the above config?
In the meantime I have set session expire to 1 hour, even
so, I have one link out there that gets hit several
times an hour!
Until I/we find a way to deal with this, I have set up the following
short code to deal with specific cart ids from known problem
referers (links that contain a cart id)

#place the following on the very top of any page
#that may be referred by a rogue link and
#substitute the RbeKPaMn with whatever id
#is being passed
[if session id eq 'RbeKPaMn']
[bad_id]
[/if]

#place the following in catalog.cfg file
# I think allowglobal has to be set in minivend.cfg also
UserTag bad_id Routine <<EOR
sub {
&Vend::Session::new_session();
return '';
}
EOR

This will force a new cart id to be assigned to the user of
the bad link.
Anyone else have a similar problem or better yet fix?
I am going to look into hacking minivend so that if it sees a
link into the cart from an outside source (not VendURL or
SecureURL) and that link contains a cart id, then it will
automatically assign a new cart id before the first page is built.
Any input on this plan of attack would also be appreciated!
Thanks All,
Kyle Cook
http://www.invisio.com
Web site design, database driven sites,
and shopping cart programming.
Great sites, value priced!
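
The plan described in the post above (assign a new cart id when a link carrying one arrives from somewhere other than VendURL or SecureURL), written as a stand-alone Perl example that is added here and is not from the original message or from Minivend's own code. The two base URLs, the sample requests and all function names are assumptions, and the id position is inferred from the sample link in the post.

```perl
use strict;
use warnings;

# Hypothetical stand-ins for the catalog's VendURL and SecureURL settings.
my @TRUSTED_BASES = (
    'http://www.myserver.com/cgi-bin/page',
    'https://secure.example.com/cgi-bin/page',
);

# Lowercased "scheme://host[:port]" of a URL, or undef if it cannot be parsed.
sub origin_of {
    my ($url) = @_;
    return undef unless defined $url;
    return $url =~ m{^(https?)://([^/?#\s]+)}i ? lc("$1://$2") : undef;
}

# Session id as it appears in the post's sample link: page?ID;ARG;COUNTER
# (assumed format: the id is the first field of the query string).
sub session_id_in {
    my ($url) = @_;
    return $url =~ m{\?([A-Za-z0-9]+);} ? $1 : undef;
}

# True when the request carries a session id but the Referer is missing or is
# not one of our own pages, i.e. the id came from a bookmark, spider or static link.
sub needs_new_session {
    my ($request_url, $referer) = @_;
    return 0 unless defined session_id_in($request_url);
    my $from = origin_of($referer);
    return 1 unless defined $from;
    for my $base (@TRUSTED_BASES) {
        return 0 if $from eq origin_of($base);   # whole-origin match, not a prefix
    }
    return 1;
}

# Constructed sample requests: the same link arriving with different Referers.
my $link = 'http://www.myserver.com/cgi-bin/page?abcdefgh;;567';
my @samples = (
    [ $link, 'http://www.myserver.com/cgi-bin/page?abcdefgh;;566' ],
    [ $link, 'https://secure.example.com/cgi-bin/page?abcdefgh;;12' ],
    [ $link, 'http://search.example.net/results?q=shop' ],
    [ $link, 'http://www.myserver.com.evil.example/' ],
    [ $link, undef ],
);
for my $s (@samples) {
    my ($url, $ref) = @$s;
    printf "%-8s referer=%s\n",
        needs_new_session($url, $ref) ? 'REISSUE' : 'keep', $ref // '(none)';
}
```

The Referer header is supplied by the client and is often absent, so this check limits accidental cart sharing through stale links; it does not authenticate the visitor, and a shopper whose browser strips Referer would be given a fresh cart on every click.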