Two Customers, One Billing Address - The osCommerce is a Mother Series

Two Customers, One Billing Address - The osCommerce is a Mother Series

This is an issue with osCommerce, one that I have run into two or three times. It is possible for two customers to somehow get the same session id and whichever customer checks out last will be greeted with the other customer's details at the checkout. This is a big security issue, but not one that could really be exploited on purpose.

This is only one issue in a long line of issues in osCommerce. I am not bitching. I guess it is hard to update the way software works once a lot of people are using it. But osCommerce is a mother. Want to edit the privacy policy? Go three folders down into the English folder. Want to add something on? It doesn't work like Wordpress. You have to hand edit all the files and then hunt down the bugs you created by missing a semicolon. 

Yesterday, I spent a long time hunting through the osCommerce forums trying to find a solution to the problem of two customers and one credit card. But even the developers there didn't quite know the cause. Some say it is because a session id gets hard coded into a link. Some say that if two people get a session id at the same time, they will receive the same one. I didn't really care what caused it. I wanted it fixed.

Now this issue will not happen if you use cookies exclusively, but then you have to force your customers to take your cookies if they want to buy anything. The other option is to allow Apache to assign the session id and then dynamically add that to each link on the page the customer is browsing, which is used quite often because some people just won't allow you to set cookies in their browser.

The solution, I found, after reading everything possible, is to use the new version of the session regeneration contribution.

osCommerce comes with a session regeneration function but all this does is make sure that when someone signs up for an account, their guest shopping cart follows them to their new account. The updated version of the session regeneration function assigns a new session id whenever the customer either logs in or signs up for an account. This gives one last chance to fix the customer details switcheroo.

Stephan Miller

Written by

Kansas City Software Engineer and Author

Twitter | Github | LinkedIn