[ic] Session auto-populated with another user's data

Aaron Berg ir.gath at gmail.com
Fri Nov 9 01:31:50 EST 2007


> >> I've run into an issue with session creation.  A member of our staff
> >> was testing one of our IC sites and she had a customer's data
> >> automatically pulled into her session.  She clears her cache and
> >> cookies daily.  The steps she followed are:
> >>
<snip>
> >
> > Does she log into the Interchange admin? Edit orders or customer data? The
> > default Interchange admin uses the same session that the storefront does,
> > so information can leak that way for an admin user. (Customers would
> > never see this.)
> >
> > You said above that "She clears her cache and cookies daily", but only
> > daily gives plenty of time for session info leakage to happen.
> >
> > One way to narrow down the problem would be to have her use an entirely
> > separate browser when using the admin vs. the customer-facing store. That
> > is, use Firefox vs. Safari vs. IE, not just a separate window or tab.
> >
> > Jon
>
> I find this happens VERY frequently when simply using another tab (at least
> within IE). I've only seen this within a new browser instance when still logged
> into the admin. Of course, different browsers would not produce this.
>
> So, I guess I am just agreeing with Jon :-)
>
> Paul Jordan
>
> Gish Network
>   For Print, Web and Life
>   paul at gishnetwork.com
>

Thanks for the replies, Paul and Jon.  Multiple tabs in Firefox cause
the same problem for sure.  I checked at the time, and she hadn't been
doing that.

I'll dig into the logs again and see if I missed anything.  If anyone
has any ideas or pointers it would be much appreciated.
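
Added example, not part of the original message and not Interchange's own code: one way to check web server logs for the two conditions discussed in this thread, a session ID that touches both the admin and the storefront, and a session ID presented by more than one client. The Apache combined log format, the `id=` query parameter carrying the session ID, the `/admin/` path marker and all sample lines are assumptions constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample lines in Apache combined log format (not from the thread).
SAMPLE_LOG = """\
10.0.0.5 - - [08/Nov/2007:10:01:00 -0500] "GET /cgi-bin/store/admin/order.html?id=Ab12Cd34 HTTP/1.1" 200 512 "-" "Mozilla/5.0 Firefox/2.0"
10.0.0.5 - - [08/Nov/2007:10:02:10 -0500] "GET /cgi-bin/store/checkout.html?id=Ab12Cd34 HTTP/1.1" 200 900 "-" "Mozilla/5.0 Firefox/2.0"
203.0.113.9 - - [08/Nov/2007:10:03:00 -0500] "GET /cgi-bin/store/index.html?id=Zz98Yy76 HTTP/1.1" 200 700 "-" "Mozilla/4.0 MSIE 7.0"
198.51.100.7 - - [08/Nov/2007:10:04:30 -0500] "GET /cgi-bin/store/basket.html?id=Zz98Yy76 HTTP/1.1" 200 650 "-" "Mozilla/5.0 Safari/419"
203.0.113.20 - - [08/Nov/2007:10:05:00 -0500] "GET /cgi-bin/store/index.html?id=Qq11Ww22 HTTP/1.1" 200 700 "-" "Mozilla/5.0 Firefox/2.0"
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?:GET|POST) (?P<url>\S+) [^"]*" '
    r'\d{3} \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)
# Assumption: the session ID travels in the URL as id=<token>.
SID_RE = re.compile(r'[?&;]id=([A-Za-z0-9]+)')


def audit_sessions(log_text, admin_marker="/admin/"):
    """Return {session_id: [flags]} for sessions that look shared."""
    clients = defaultdict(set)  # session id -> {(ip, user agent)}
    areas = defaultdict(set)    # session id -> {"admin", "store"}
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that are not in combined format
        sid = SID_RE.search(m["url"])
        if not sid:
            continue  # request carried no session ID in the URL
        path = m["url"].split("?", 1)[0]
        clients[sid.group(1)].add((m["ip"], m["ua"]))
        areas[sid.group(1)].add("admin" if admin_marker in path else "store")
    findings = {}
    for sid in clients:
        flags = []
        if len(clients[sid]) > 1:
            flags.append("multiple-clients")  # same ID from different browsers
        if areas[sid] == {"admin", "store"}:
            flags.append("admin-and-store")   # admin session reused in the store
        if flags:
            findings[sid] = flags
    return findings


if __name__ == "__main__":
    for sid, flags in sorted(audit_sessions(SAMPLE_LOG).items()):
        print(sid, ", ".join(flags))
```

A "multiple-clients" hit can also come from a user behind a proxy pool or a changing IP address, so treat it as a lead to compare against the affected session rather than proof of a leak.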

