Security issue with Marketpress

It seems that address information is being stored in a cookie which isn't cleared when the user logs out.

Here's how to reproduce it:

1. Log in as user A and run through the checkout process up until the final confirmation page.
2. Log out as user A.
3. Log in as user B, add an item to the cart then click the checkout button. The shipping information form is pre-populated with user A's information rather than user B's.

This seems like a pretty nasty security issue especially for those using public computers to use the store.

    DavidM

    Hi dnoguero,

    I see what you mean. Let me flag the developer to have a look at this.

    Thanks,
    David

    Aaron

    Shipping details are not stored in a cookie, but in a browser session. It's not tied to the login at all. Physically closing the browser window clears a session. This is normal behavior for sites and why you are always supposed to close browsers on public computers. Note that sessions also expire after a short time period, usually 30 mins depending on your php settings.

    dnoguero
    • 28
    • #4,700

    Shouldn't the Wordpress logout destroy the browser session?

    Aaron

    No, it doesn't as WP doesn't use sessions. They create their own handler.

    dnoguero
    • 28
    • #4,700

    Is there a way to hook into the WP logout action to destroy the session that Marketpress is creating? I've never heard of a browser session persisting across user logins before...

    Aaron

    The question is should shipping info just be destroyed from session on successful checkout? That would mean if they abandon the cart it will still be there temporarily.

    I think that really your confusion is that logging in is in any way related to checkout. MarketPress allows for non logged in checkouts so it has to save state in a temporary session. It's standard practice to use closing the browser window on a public computer for this reason. I guess I could add a session destroy hook to logging out.

    Aaron

    Ok, i'm just going to hook into logout to clear that info. Look for it in 2.4.1

    dnoguero
    • 28
    • #4,700

    Hi Aaron,

    I see your point about non logged-in checkouts. I guess the session destruction may only make sense if the "require logins" option is enabled.

    Thanks for looking into it and making the change!

Join 378266 happy members

Get access to our entire collection of epic plugins, astonishing themes & genius support

Become a member