the_lyall Posted February 4, 2016

I work in a business with several hundred computer terminals, and they all connect to the internet through a central firewall with a single externally facing IP address. The problem I have is that if someone logs into my website within the network, if anyone else visits the site within the network they are automatically logged in as the other person! They can see order history, loyalty points, everything. If one of the people then logs out of my website, then everyone is logged out. It is the same with any customer account as I have tested it. And to be clear, I was testing using terminals that had never previously visited my website at all by any customer. Please can someone urgently advise how to fix this security issue? I would think that security would be linked to session or cookies rather than IP address?? I use Prestashop 1.6.1.0 and I'd like to avoid upgrading (as I've modified a lot of the core template files, nothing to do with registration, logging in or security though). Thanks
bellini13 Posted February 4, 2016

It sounds like your business network is configured like any standard household network would be. An internet provider supplies you with a modem/router that is assigned a single IP address. Every other device on the internal network is then proxied through that device. So any services on the internet would all receive the same IP address, no matter which device is being used. So I think you need to better explain how your business network is configured to determine how it is acting differently.

Furthermore, Prestashop session context is cookie based, and optionally IP aware. There is a setting in the back office Preferences page to enable / disable the IP check. I don't know if this will have any effect on your business network, but I would not suggest disabling this option, since it would also have an impact on all the other visitors to your site.
the_lyall Posted February 5, 2016 (Author)

I think the problem is more fundamental than specific to the setup where I work. When I visit the website from a home address (my girlfriend's house for example) I do not want to be automatically logged in and be able to see their orders, even using a device that has never been in the building before. I find it strange that the website treats the building (IP) as a single customer and assumes there is only one customer per household?
bellini13 Posted February 5, 2016 (edited)

Quoting the_lyall: "I think the problem is more fundamental than specific to the setup where I work. When I visit the website from a home address (my girlfriend's house for example) I do not want to be automatically logged in and be able to see their orders, even using a device that has never been in the building before. I find it strange that the website treats the building (IP) as a single customer and assumes there is only one customer per household?"

I never said Prestashop only looks at the IP address. There is a session cookie that will be placed on the device browser, and that session cookie will exist for a duration of time before you have to log on again. I have multiple devices in my home and business, and they will all "share" an external IP address. None of those devices share the same cookie session and I do NOT have the issue you are stating. So again, you have to look at what your business network is doing that is forcing Prestashop to believe you are all the same session.

And if you go to your girlfriend's house and use their device's browser, you will be logged in as them. If you go to your girlfriend's house and use your device, you will be logged in as you, or if IP check is enabled, you will have to log in again.

Now perhaps there is a defect in the version of Prestashop you have, or perhaps a module or some change that has been introduced. However I do not believe this is the case. So I would suggest you try a few things:

1) Test if this issue only occurs in your business, or whether it also occurs on other networks.
2) Install a newer version of Prestashop on your server in a subfolder, and see if the issue also occurs there.
3) Educate yourself on what your business network is doing. It's entirely possible that there is some reverse proxy software being used, which is creating this issue, and that you might have to adjust Prestashop to suit your needs.

Edited February 5, 2016 by bellini13
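The reply above points at the network (a proxy in the path) rather than at PrestaShop itself. One concrete way a proxy produces exactly the symptom in the first post is a shared cache storing a response that carries a Set-Cookie header and replaying it, cookie included, to the next client behind the same address. The script below is an added example, not code from the thread or from PrestaShop: it parses constructed HTTP response heads, flags any response that sets a cookie without a Cache-Control directive that forbids shared caching, and checks that two independent clients were issued different session cookie values. The cookie name `PrestaShop-example` and both sample responses are assumptions made up for the demonstration.

```python
"""Added example (not from the forum thread or PrestaShop): offline checks for
the 'everyone behind one IP shares a login' symptom. Two questions a defender
asks of the HTTP responses:
  1. Does any response that issues a cookie lack 'Cache-Control: private' or
     'no-store', so that a shared cache in the network path may store and
     replay it to other clients?
  2. Did two independent clients actually receive distinct session cookies?
The responses below are constructed samples, not captured traffic.
"""
from http.cookies import SimpleCookie

# Hypothetical session cookie name; PrestaShop's real cookie name differs per shop.
SESSION_COOKIE = "PrestaShop-example"

# Constructed response: sets a session cookie but declares itself publicly cacheable.
UNSAFE_RESPONSE = """HTTP/1.1 200 OK
Content-Type: text/html
Set-Cookie: PrestaShop-example=abc123; Path=/; HttpOnly
Cache-Control: public, max-age=600
"""

# Constructed response: sets a session cookie and forbids shared caches from storing it.
SAFE_RESPONSE = """HTTP/1.1 200 OK
Content-Type: text/html
Set-Cookie: PrestaShop-example=def456; Path=/; HttpOnly; Secure
Cache-Control: private, no-store, no-cache
Vary: Cookie
"""


def parse_headers(raw: str) -> list[tuple[str, str]]:
    """Parse a raw response head (status line + headers) into lowercase (name, value) pairs."""
    headers = []
    for line in raw.strip().splitlines()[1:]:  # skip the status line
        if not line.strip():
            break  # end of the header block
        name, _, value = line.partition(":")
        headers.append((name.strip().lower(), value.strip()))
    return headers


def is_shared_cacheable(headers: list[tuple[str, str]]) -> bool:
    """True when the response issues a cookie and nothing tells a shared cache not to store it.

    A missing Cache-Control header is treated as unsafe: without an explicit
    'private' or 'no-store', a proxy may decide on its own whether to cache."""
    if not any(n == "set-cookie" for n, _ in headers):
        return False
    cc = ",".join(v for n, v in headers if n == "cache-control").lower()
    directives = {d.strip().split("=")[0] for d in cc.split(",") if d.strip()}
    return not ({"private", "no-store"} & directives)


def session_cookie_value(headers: list[tuple[str, str]], name: str = SESSION_COOKIE):
    """Return the value of the named cookie from the Set-Cookie headers, or None."""
    for n, v in headers:
        if n == "set-cookie":
            jar = SimpleCookie()
            jar.load(v)
            if name in jar:
                return jar[name].value
    return None


def sessions_distinct(headers_a, headers_b) -> bool:
    """True when two clients' first responses carry different, non-empty session values."""
    a, b = session_cookie_value(headers_a), session_cookie_value(headers_b)
    return a is not None and b is not None and a != b


def audit(responses: dict[str, str]) -> list[str]:
    """Return one finding per response whose Set-Cookie could be stored by a shared cache."""
    findings = []
    for label, raw in responses.items():
        if is_shared_cacheable(parse_headers(raw)):
            findings.append(f"{label}: Set-Cookie response is storable by a shared cache")
    return findings


if __name__ == "__main__":
    for finding in audit({"unsafe": UNSAFE_RESPONSE, "safe": SAFE_RESPONSE}):
        print(finding)
    print("distinct sessions:",
          sessions_distinct(parse_headers(UNSAFE_RESPONSE), parse_headers(SAFE_RESPONSE)))
```

To use this against a live shop, capture the response heads of a fresh visit from two separate browsers (or two private windows) on the affected network and feed them in place of the constructed samples; if `audit` reports a finding or `sessions_distinct` returns False, the cache or proxy in the path, rather than the application's login logic, is the first thing to examine.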
the_lyall Posted February 5, 2016 (Author)

Thanks for the advice - I'll do some more testing and see what I can find out.