Magento - Customers able to see other customer's login personal data and orders incorrectly assigned to that customer

[manucorra]

We are using Nexcessnet_Turpentine 0.7.2 in our Magento ver. 1.13.1.0. We have 2 stores and sharing the cart. The session id is showing in the frontend url and thus it is passing to 2nd store via url.

We have had a few issues with customers seeing other customers personal information (name, address, history) at checkout and then having their order assigned to that customer. This issue is an intermittent issue and we feel this issue caused by getting the wrong session id through url because the pages are cached using varnish.

Please check this issue and let us know how to fix this. Please let us know if changing the following configuration in magento admin helps to fix this issue.

Admin side -> General -> Web -> Session validation settings Validate REMOTE_ADDR = Yes (Now it is 'No') Validate HTTP_USER_AGENT = Yes (Now it is 'No')

Thanks, Manu

[miguelbalparda]

What have you tried so far to debug this? It seems this might be related to the incorrect use of public and private, check the access node here.

[manucorra]

Hi Miguel, Thanks for the reply. We checked the access node in turpentine_esi.xml. Only the footer block is public. All other blocks having access node as private.

    <reference name="footer">
        <action method="setEsiOptions">
            <params>
                <!-- this is the default but we specifically set it so
                it actually gets picked up -->
                <access>public</access>
            </params>
        </action>
    </reference>

Thanks, Manu

[arosenhagen]

tip: be aware of the setting turpentine_vcl/backend/crawlers:

Note - if you are using something like Pound to terminate SSL before Varnish, setting this to the same IP could cause users to end up sharing the crawler session.

if you're using termination on the same machine and this setting is set to e.g. 127.0.0.1 you might end up with exactly the issue you encountered.

[manucorra]

Hi Achim Rosenhagen,

The Crawler IP Addresses and Crawler User Agents is set the default values: Crawler IP Addresses - '127.0.0.1' Crawler User Agents - ApacheBench/.,.Googlebot.,JoeDog/.Siege.,magespeedtest.com,Nexcessnet_Turpentine/.

Do we need to change this to fix this issue of incorrect assigning of session ids.

Thanks, Manu

[arosenhagen]

yes - the default setting is '127.0.0.1' which will lead to shared sessions if you use ssl-termination (on the same machine). Crawler IP Addresses should be empty.

[manucorra]

We are not using Pound for SSL termination. SSL is terminated on nginx webserver itself. We will remove the values for Crawler IP Addresses from admin side. Any other settings or code do we need to check for this issue.

Thanks, Manu

[arosenhagen]

it doesn't matter if its pound or nginx (I also use nginx). if you do ANY ssl termination, you should'nt assign '127.0.0.1' as crawler ip address. hope it solves your problem :-)

[manucorra]

Thanks Achim Rosenhagen.

We will empty the values for below 2 settings:

1. Crawler IP Addresses
2. Crawler User Agents

[manucorra]

Hi,

We found the root cause for these issues. We found that the 'frontend' cookie sometime not changing the value when we are passing session id (SID) through url. We tried to change the value through customization and that too is not working. Also creating a new cookie is not working with varnish is enabled. Can you please let us know if there is any fix available to update the 'frontend' cookie value when new session id is passing through url.

The issue is mainly happening when user is logged in the 2nd store. This time the session id is getting renewed. But when the new session id is passing to 1st store through url it is not getting set.

http://www.swimstyle.com

Thanks, Manu

[miguelbalparda]

There are a couple of SID related configs in Turpentine's admin and SID is also included by default in some admin fields too, have you checked that?

[manucorra]

We had added 'SID' in 'URL Blacklist' blacklist and 'GET Parameters' field from admin side.

We found that the SID is url is not getting set to 'frontend' cookie. It is retaining the old value. We tried to delete this cookie using magento code. But is not getting deleted. Also we are not able to create a new cookie using magento code when turpentine is ON.

We checked below function and found that the Turpentine is setting with old SID to 'frontend' cookie from the line no - 26 in app/code/community/Nexcessnet/Turpentine/Model/Core/Session.php

Mage::getModel('core/cookie')->set();

Can you please let us know if we need to add something to vcl file.

Thanks, Manu

[miguelbalparda]

Have you tried using JS in the frontend instead of PHP for the cookie changes?

[manucorra]

No, we did not tried.

Since javascript will load only after page load and the cart is handing using session in php before page load, we are not sure that javascript will work. Please advice.

[miguelbalparda]

PHP in the best scenario will never do anything since all you see will be cached and served by Varnish. What you might be able to do is to use JS in the frontend and avoid the cache in certain cases.

[paugnu]

Hi, @manucorra , did you manage to solve the issue? I'm experiencing exactly the same issue and none of the «pseudo-solutions» proposed here worked for me :(

[Jilco]

@manucorra, Same here, what was the sollution?