[ic] Session auto-populated with another users data

Jon Jensen jon at endpoint.com
Thu Nov 8 20:13:59 EST 2007

On Thu, 8 Nov 2007, Aaron Berg wrote:

> I've run into an issue with session creation.  A member of our staff
> was testing one of our IC sites and she had a customers data
> automatically pulled into her session.  She clears her cache and
> cookies daily.  The steps she followed are:
> Open browser
> Go to site
> Add an item to the cart
> Check out
> Choose country
> Then on the 'Shipping Address' page she was presented with the details
> of another user.  She had not view this site in quite some time and
> had not logged into the admin.  Closing the browser and repeating the
> steps presented her correctly with an empty 'Shipping Address' form.
> Hopefully this is not an issue with Interchange, but I'm not seeing
> how the browser could have caused this to happen as there were no
> saved cookies or cached data.
> Does anyone have any ideas on how I can fully isolate the cause of this?

Does she log into the Interchange admin? Edit orders or customer data? The 
default Interchange admin uses the same session that the storefront does, 
so information can leak that way for an admin user. (Customers would never 
see this.)

You said above that "She clears her cache and cookies daily", but only 
daily gives plenty of time for session info leakage to happen.

One way to narrow down the problem would be to have her use an entirely 
separate browser when using the admin vs. the customer-facing store. That 
is, use Firefox vs. Safari vs. IE, not just a separate window or tab.


Jon Jensen
End Point Corporation

More information about the interchange-users mailing list