[ic] security

Mike Heins mikeh@minivend.com
Fri, 26 Jan 2001 00:09:48 -0500

Quoting cfm@maine.com (cfm@maine.com):
> On Thu, Jan 25, 2001 at 09:15:39PM -0700, John Beima wrote:
> > It appears if MiniVend is not able to create an account in the UserDB, my guess 
> > would be there are two orders going through at the same time trying to 
> > auto-create the same account name, since it is an incrementing number, the 
> > second one fails, and instead of an error generating, recieves the user info 
> > from the last logged in client, or the other user creation that it collided 
> > with.
> We've had the same issue with order numbers recently.  Multiple users
> getting the same order number because the order counter did not update.
> It was pathological, it had to be our fault, but it should have been 
> caught (mv4.03).
> Failure to successfully update a counter should fail the 
> transaction, even kill the catalog.
> We're going to <ahem>solve</ahem> it by using unique enterprise 
> keys/counter for order numbers.  And we are setting up our catalogs
> to die on non-unique order numbers.  No doubt it will work just 
> fine when everything is working.   Minivend needs a way to 
> sequence order numbers independantly for multiple instances of
> the same catalog on independant machines, some of which may go
> offline but still take orders.  (eg POS/callcenter on localnet)
> The vanilla OrderCounter++ is not enough.
> It's getting to the point where the machine issuing unique numbers is
> more mission critical than our kerberos server.  yeesh.

In recent Interchange (and maybe Minivend 4) all you have to do is

		$Session->{mv_order_number} = your_unique_number();

It will bypass OrderCounter at that point, and use yours. Then it
is on your head. 8-)

Akopia, Inc., 131 Willow Lane, Floor 2, Oxford, OH  45056
phone +1.513.523.7621 fax 7501 <heins@akopia.com>

Nature, to be commanded, must be obeyed. -- Francis Bacon