Security issue with Marketpress

It seems that address information is being stored in a cookie which isn't cleared when the user logs out.

Here's how to reproduce it:

1. Log in as user A and run through the checkout process up until the final confirmation page.
2. Log out as user A.
3. Log in as user B, add an item to the cart then click the checkout button. The shipping information form is pre-populated with user A's information rather than user B's.

This seems like a pretty nasty security issue especially for those using public computers to use the store.


    Shipping details are not stored in a cookie, but in a browser session. It's not tied to the login at all. Physically closing the browser window clears a session. This is normal behavior for sites and why you are always supposed to close browsers on public computers. Note that sessions also expire after a short time period, usually 30 mins depending on your php settings.


    Is there a way to hook into the WP logout action to destroy the session that Marketpress is creating? I've never heard of a browser session persisting across user logins before...


    The question is should shipping info just be destroyed from session on successful checkout? That would mean if they abandon the cart it will still be there temporarily.

    I think that really your confusion is that logging in is in any way related to checkout. MarketPress allows for non logged in checkouts so it has to save state in a temporary session. It's standard practice to use closing the browser window on a public computer for this reason. I guess I could add a session destroy hook to logging out.


    Hi Aaron,

    I see your point about non logged-in checkouts. I guess the session destruction may only make sense if the "require logins" option is enabled.

    Thanks for looking into it and making the change!


We pride ourselves on our level of customer support and responsiveness to member requests. Your WordPress experience will never be the same

Start free trial