Security issues with no cache enabled - Customer seeing other customers data

Started by lindapowers, December 14, 2013, 13:27:21 PM


lindapowers

Hello

Sometimes it has been reported to us that a logged-in customer at "VM account" was seeing the details of another customer. I don't know how this is possible, but it is scary.

This happened in 2.024C and some previous versions.

When customers call us because they forgot their password, we create a new one manually. I don't know if it is possible that we created the same one for a few customers and that identical passwords could cause an issue.

Anyway just to let you know.

We use this http://extensions.joomla.org/extensions/access-a-security/site-access/authentication-switch/12851 to manage customer orders (phone or mail orders), and therefore we log in to their accounts, in case that could conflict.

-------------------------
Also, when a customer adds a new address from "my account" add/edit new address, the details of the previous one entered appear prefilled.

We don't use any cache in Joomla, so I don't know if this could cause some issues.


Regards

Peter Pillen

Are you really sure there is no cache enabled? Because this sounds like a pure cache issue.

You can check in the folder /cache/ if there are any cache files being created (or still stored) in a virtuemart folder.

lindapowers

Hi

Cache is turned off in global config; however, I checked the folder as you said and this is what I found:

These same folders appear when I click "clear cache" from the backend, so how are they appearing? Is there any other place I'm supposed to turn off cache?



Regards

Peter Pillen

Those cache files are the cause imo. The fact that files are in that folder, means something is enabled.

And is the Joomla cache plugin also disabled? Because you always have two of them: one in the global config and one in the extensions manager > plugins > joomla cache plugin.

And beware ... some templates have their own cache system so look in your template if you find any reference to a cache.

lindapowers

Hi

Yes the plugin is also disabled so maybe I'll ask the template guys cause I can't find any reference to cache in their files.

Anyway, even if we had cache on, this is strange behaviour, no?

Regards

Peter Pillen

It is a strange behaviour, but the cause is not always clear. I have two webshops and in the first one, caching gives me the same problems as you and in the second site, caching is no problem. I don't know where the difference is, but somehow the second site excludes cart views from being cached... and that's the correct way to do it.

lindapowers

Quote from: P2 Peter on December 14, 2013, 17:05:22 PM
It is a strange behaviour, but the cause is not always clear. I have two webshops and in the first one, caching gives me the same problems as you and in the second site, caching is no problem. I don't know where the difference is, but somehow the second site excludes cart views from being cached... and that's the correct way to do it.

This made me remember something.

Stan from OPC told me:

"I see, you are running nginx, which doesn't take into account the no-cache for onepage.js; that might have caused the issues here"


"There are many types of caches in this matter. The cache that I am speaking about is set by nginx on static files such as JavaScript or CSS. They are set by nginx to 1 month by default and there is no way you can change this without changing the actual configuration of the server, so it would be better if it was completely under control of the backend system (PHP)"


We had cache issues with OPC when installing new versions, however this was more related to the browser cache of customers remaining in previous versions and therefore not getting shipping costs to load, so Stan added a new option that we need to use due to our "no cache" setting.


-------------------------------
Anyway this in theory is only for onepage and maybe it has nothing to do with the cache we are speaking here about.

Or maybe a server issue due to being nginx (which I have no clue what is btw)

-------------------------------

We had cache issues with our template in the past too; actually, the fact that we use "no cache" is mainly because our responsive template view gets messed up with the desktop view if cache is enabled.

Regards

Milbo

You can run vm2.0.24C and higher with caching enabled. In your case it is quite clearly the caching done by your OPC (com_onepage), or your server cache.

The folders com_virtuemart_cats and com_virtuemart_rss are always there, even if you disable cache for joomla.
Should I fix your bug, please support the VirtueMart project and become a member
______________________________________
Extensions approved by the core team: http://extensions.virtuemart.net/
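
Added example, not part of any post in this thread and not VirtueMart or OPC code: a small header audit for the symptom discussed above, flagging per-customer pages (account, cart) whose response headers do not bar a shared cache such as a reverse proxy or page cache from storing them. The paths, cookie value and sample responses are constructed for illustration, and the classification is a simplified reading of the standard Cache-Control directives.

```python
# Added example. Responses are constructed samples; paths are hypothetical.

def parse_cache_control(value):
    """Map lowercase Cache-Control directive names to their argument (or None)."""
    out = {}
    for part in value.split(","):
        name, _, arg = part.strip().partition("=")
        if name:
            out[name.strip().lower()] = arg.strip().strip('"') or None
    return out

def shared_cache_verdict(headers):
    """How a shared cache (reverse proxy, page cache) may treat this response."""
    h = {k.lower(): v for k, v in headers.items()}
    cc = parse_cache_control(h.get("cache-control", ""))
    if "no-store" in cc or "private" in cc:
        return "blocked"      # a shared cache must not store it
    if "no-cache" in cc:
        return "revalidate"   # storable, reusable only after asking the origin
    age = cc.get("s-maxage") or cc.get("max-age")
    if "public" in cc or (age and age.isdigit() and int(age) > 0) or "expires" in h:
        return "storable"     # explicit freshness information is present
    return "unspecified"      # left to the cache's own defaults or heuristics

def audit(responses, personalized_prefixes):
    """List per-customer pages that a shared cache is not barred from storing."""
    findings = []
    for path, headers in responses:
        if not path.startswith(tuple(personalized_prefixes)):
            continue  # static assets and public pages are out of scope here
        verdict = shared_cache_verdict(headers)
        if verdict != "blocked":
            # A stored Set-Cookie would hand one visitor's session to the next.
            has_cookie = any(k.lower() == "set-cookie" for k in headers)
            findings.append((path, verdict, has_cookie))
    return findings

SAMPLE = [  # constructed
    ("/account", {"Cache-Control": "no-store, private"}),
    ("/account/address", {"Content-Type": "text/html", "Set-Cookie": "sid=EXAMPLE"}),
    ("/cart", {"Cache-Control": "max-age=600"}),
    ("/cart/checkout", {"Cache-Control": "no-cache"}),
    ("/media/onepage.js", {"Cache-Control": "max-age=2592000"}),
]

if __name__ == "__main__":
    for finding in audit(SAMPLE, ["/account", "/cart"]):
        print(finding)
```

A "revalidate" finding is only safe if every cache in front of the site honours no-cache, which is the behaviour the quoted OPC reply puts in doubt for this server.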