MarketPress: Order Status security

It seems as if the order status page has no security. If you know the order number, you can see all the details, even if you are not logged in.

Shouldn't the page at least check to make sure you are logged in, and that order belongs to you before displaying the info? If not, I would definitely put this on the to-do list for future versions.

  • Patrick
    • Support Monkey

    Hiya @Spectrum

    The only way for someone to actually know the 12-digit order number is via the order confirmation email which is only sent to the buyer and the site admin.

    It is presumed that only those individuals will have that info, so a logged-in check becomes redundant.

    Is there any other reason you think this should be more secure?

  • Vaughan
    • Support/SLS MockingJay

    hiya

    I have checked this on my site, but it seems like that is intended behaviour.

    when you confirm payment, you are provided a link to track your order, this is also provided in the email which is sent.

    this is part of the system because you do not actually have to be a member to use the store.

    the number at the end 2cf50ee5847b is a randomly generated key unique to that order, whilst it may be possible to randomly generate a number yourself & eventually could possibly stumble upon someone else's order, I don't think it's a high security issue.

    though maybe a longer randomly generated hash may make it more difficult to do.

    hope this helps.
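The replies above describe a capability-URL design: the order is protected only by the secrecy of a random key in the tracking link, with no login check. The following added example (not MarketPress code, and not from anyone in this thread) shows the two things a defender would want from such a page: an estimate of how hard a key of a given length is to guess, and an authorization check that accepts either the logged-in owner or the emailed token, compared in constant time. The `Order` store and the helper names are hypothetical; the assumption that `2cf50ee5847b` is 12 hex characters (48 bits) follows from the value shown in the thread.

```python
import hmac
import secrets
from dataclasses import dataclass
from typing import Dict, Optional


# Hypothetical in-memory order record (constructed for this example; not the
# plugin's real schema).
@dataclass
class Order:
    order_id: str                   # public order number shown in the tracking URL
    owner_user_id: Optional[int]    # None for a guest checkout
    tracking_token: str             # random secret embedded in the confirmation email link


def new_tracking_token(nbytes: int = 32) -> str:
    """Return a hex token drawn from the OS CSPRNG.

    32 bytes gives 256 bits of entropy (64 hex characters), versus the 48 bits
    of a 12-hex-character key like the one discussed in the thread.
    """
    return secrets.token_hex(nbytes)


def expected_guesses(hex_length: int) -> float:
    """Average number of guesses needed to hit ONE specific token of the given
    length, assuming each hex character carries 4 bits of entropy.

    Use this to reason about risk: the attacker must also send that many
    requests, so rate limiting on the status endpoint multiplies the cost.
    """
    return 2 ** (4 * hex_length) / 2


def can_view_order(order: Order,
                   current_user_id: Optional[int],
                   presented_token: Optional[str]) -> bool:
    """Authorization rule for the order status page.

    Rule 1: a logged-in user may view an order they own.
    Rule 2: anyone presenting the emailed tracking token may view it, which is
            what keeps guest checkout working without an account.
    """
    if current_user_id is not None and order.owner_user_id == current_user_id:
        return True
    if presented_token is not None and hmac.compare_digest(
            order.tracking_token.encode(), presented_token.encode()):
        # compare_digest avoids leaking how many leading characters matched
        # through response timing.
        return True
    return False


def lookup_and_authorize(store: Dict[str, Order],
                         order_id: str,
                         current_user_id: Optional[int],
                         presented_token: Optional[str]) -> Optional[Order]:
    """Look up an order and return it only if the caller is authorized.

    Returns None both for "no such order" and for "not authorized", so the
    response does not reveal which order numbers exist.
    """
    order = store.get(order_id)
    if order is None:
        return None
    return order if can_view_order(order, current_user_id, presented_token) else None


# Constructed sample store: one order belonging to user 7, one guest order.
STORE: Dict[str, Order] = {
    "1001": Order("1001", 7, "2cf50ee5847b"),
    "1002": Order("1002", None, new_tracking_token()),
}


if __name__ == "__main__":
    print(f"12 hex chars: ~{expected_guesses(12):.3e} guesses on average")
    print(f"64 hex chars: ~{expected_guesses(64):.3e} guesses on average")
    print("owner logged in:", lookup_and_authorize(STORE, "1001", 7, None) is not None)
    print("other user, no token:", lookup_and_authorize(STORE, "1001", 8, None) is not None)
    print("guest with token:", lookup_and_authorize(STORE, "1001", None, "2cf50ee5847b") is not None)
```

The two rules are deliberately independent: the login check alone would break guest checkout (the reason Vaughan gives for the current behaviour), while the token alone is only as strong as its length and the rate limit in front of it, so a longer token plus an owner check when a session exists covers both cases.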
