dnoguero
It seems that address information is being stored in a cookie which isn't cleared when the user logs out.
Here's how to reproduce it:
1. Log in as user A and run through the checkout process up until the final confirmation page.
2. Log out as user A.
3. Log in as user B, add an item to the cart then click the checkout button. The shipping information form is pre-populated with user A's information rather than user B's.
This seems like a pretty nasty security issue especially for those using public computers to use the store.

Responses (8)
WPMU DEV Fanatic (joined October 2009) Likes (0)
Hi dnoguero,
I see what you mean. Let me flag the developer to have a look at this.
Thanks,
David
Lead Developer (joined May 2009) Likes (0)
Shipping details are not stored in a cookie, but in a browser session. It's not tied to the login at all. Physically closing the browser window clears a session. This is normal behavior for sites and why you are always supposed to close browsers on public computers. Note that sessions also expire after a short time period, usually 30 mins depending on your php settings.
Member (joined October 2011) Likes (0)
Shouldn't the WordPress logout destroy the browser session?
Lead Developer (joined May 2009) Likes (0)
No, it doesn't as WP doesn't use sessions. They create their own handler.
Member (joined October 2011) Likes (0)
Is there a way to hook into the WP logout action to destroy the session that MarketPress is creating? I've never heard of a browser session persisting across user logins before...
Lead Developer (joined May 2009) Likes (0)
The question is should shipping info just be destroyed from session on successful checkout? That would mean if they abandon the cart it will still be there temporarily.
I think that really your confusion is that logging in is in any way related to checkout. MarketPress allows for non logged in checkouts so it has to save state in a temporary session. It's standard practice to use closing the browser window on a public computer for this reason. I guess I could add a session destroy hook to logging out.
Lead Developer (joined May 2009) Likes (0)
Ok, I'm just going to hook into logout to clear that info. Look for it in 2.4.1.
Member (joined October 2011) Likes (0)
Hi Aaron,
I see your point about non logged-in checkouts. I guess the session destruction may only make sense if the "require logins" option is enabled.
Thanks for looking into it and making the change!
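The logout hook discussed in this thread, written out as an added example (it is not MarketPress code and not the 2.4.1 change itself): it assumes MarketPress keeps shipping details in the native PHP `$_SESSION`, as described above, and the `example_` function names are hypothetical.

```php
<?php
/**
 * Added example, not MarketPress code: clear PHP session state when a
 * WordPress user logs out, so checkout details entered by user A are not
 * pre-filled for user B on the same browser. Assumes the plugin stores
 * shipping data in the native PHP $_SESSION superglobal.
 */

// Drop the whole session rather than a few known keys, so nothing cart- or
// address-related survives the logout. Priority 100 lets other handlers run first.
function example_destroy_session_on_logout() {
    if ( headers_sent() ) {
        return; // cannot touch the session cookie once output has started
    }
    if ( session_status() === PHP_SESSION_NONE ) {
        // The session may not be open on this request; open it so the data
        // identified by the browser's session cookie can actually be removed.
        session_start();
    }

    $_SESSION = array();
    session_unset();

    // Expire the session cookie in the browser as well: destroying only the
    // server-side data leaves a cookie the next request would present again.
    if ( ini_get( 'session.use_cookies' ) ) {
        $p = session_get_cookie_params();
        setcookie( session_name(), '', time() - 42000,
            $p['path'], $p['domain'], $p['secure'], $p['httponly'] );
    }

    session_destroy();
}
add_action( 'wp_logout', 'example_destroy_session_on_logout', 100 );

// Rotate the session id on login too, so a session begun anonymously
// (guest checkout) is not simply carried over into the authenticated user.
// 'wp_login' passes the login name and the WP_User object.
function example_regenerate_session_on_login( $user_login, $user ) {
    if ( session_status() === PHP_SESSION_ACTIVE ) {
        session_regenerate_id( true ); // true deletes the old session file
    }
}
add_action( 'wp_login', 'example_regenerate_session_on_login', 10, 2 );
```

As the last reply notes, a store that allows guest checkout may want this only when the "require logins" option is enabled; that check would wrap the `session_destroy()` call.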