Wrong Auto Login on Safari


sonofpaul
09-01-07, 12:11 AM
I set up a website on MIVA for a client who uses Safari, primarily. She tells me that she will frequently go to her website and the website will tell her that she is already logged in -- as someone else.

Let me elaborate...

She has not logged in at all. She turns on the computer. She opens Safari. She goes to her website, and the website says "Welcome, John Smith", who is one of her customers in another state, who has never used or been logged on to this computer before, although he does have an account on her MIVA website.

If cookies are used to auto-login users, how is this possible?

Has anyone else ever experienced this?

Does anyone have any suggestions?

Thanks in advance!

Bruce - PhosphorMedia
09-01-07, 12:32 AM
Sounds like some link in the site has a fixed session id tied to it. Usually a result of copying the source of a merchant page. There might be other reasons, but it's hard to say without a link to the store.

leslienord
09-01-07, 01:25 AM
Yup, I'd have to agree with Bruce - sounds like a hard coded Session ID. And yes, you need to post a URL if you'd like help figuring it out.

sonofpaul
09-01-07, 02:28 AM
The URL is:

http://www.kiscodental.com

...and I poked around a little and am not finding anything like a hard-coded link with a session ID in it.

BUT...

If someone were to log in and then save the link to their Favorites, and then get to it that way, would that cause the problem?

If so, how do we make this site more secure?

Thanks again!

Biffy
09-01-07, 04:50 PM
The client should click the book symbol in Safari at the top just under the 2 arrows. This opens the bookmarks file.

Navigate to the bookmark and look to see if it has a session id. If it does, then delete the session id.

Click the book symbol again to close the bookmark file.

sonofpaul
09-02-07, 01:40 AM
...but if someone else were to save the URL with their own session id in it, and then go to that bookmark the next day, would they then be logged in as someone else?

Isn't this extremely dangerous?

That appears to be what's happening.

Biffy
09-03-07, 05:57 PM
There is an SEO module that strips the session ID from the URLs. This is highly recommended anyway since Google doesn't like session IDs. I can't recall which module offhand but I think there's a couple of them that'll do this.

You might search these forums for a start.

This doesn't address the other issue of someone manually inserting a session ID into a URL for malicious purposes. Your store is not at risk and this should actually cause very little problem for customer accounts without passwords and credit card info.

sonofpaul
09-05-07, 01:53 AM
OK, I think I got it fixed. I checked the checkbox in the admin area...

Domain Settings > Timeouts > Verify IP Addresses

This supposedly will validate the session id with the IP address that created it, and reject any login that doesn't match.

Should work.

Thanks for all your help!
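The thread describes two mitigations, stripping session IDs from URLs (so a bookmark or shared link never carries a session) and binding a session to the IP address that created it (the "Verify IP Addresses" setting). The following Python is an added illustration of both, written for this page; it is not MIVA's code and not the module the posters refer to. It assumes a query parameter named `Session_ID` (a guess at the store's URL scheme), an in-memory session table, and constructed URLs and IP addresses. It goes one step beyond the thread by also regenerating the session ID at login, the standard defence against a fixed session ID in a copied link.

```python
import secrets
from urllib.parse import urlsplit, urlunsplit, parse_qsl, urlencode

# Assumption: query parameters that carry a session identifier (compared
# case-insensitively). "Session_ID" is a guess at the store's URL scheme.
SESSION_PARAMS = {"session_id"}


def strip_session_id(url: str) -> str:
    """Return the URL without any session-identifier query parameter.

    This is what a URL-rewriting / SEO module does: the link a customer
    bookmarks or forwards then identifies a page, never a session."""
    parts = urlsplit(url)
    kept = [(k, v) for k, v in parse_qsl(parts.query, keep_blank_values=True)
            if k.lower() not in SESSION_PARAMS]
    return urlunsplit(parts._replace(query=urlencode(kept)))


class SessionStore:
    """Minimal session table with an optional IP binding and a sliding timeout."""

    def __init__(self, verify_ip: bool, ttl_seconds: int = 1800):
        self.verify_ip = verify_ip          # the thread's "Verify IP Addresses" switch
        self.ttl = ttl_seconds
        self._sessions = {}                 # session_id -> {"user", "ip", "expires"}

    def create(self, user: str, client_ip: str, now: int) -> str:
        # Unpredictable ID: a bookmarked or guessed value should never collide.
        sid = secrets.token_urlsafe(32)
        self._sessions[sid] = {"user": user, "ip": client_ip, "expires": now + self.ttl}
        return sid

    def lookup(self, session_id: str, client_ip: str, now: int):
        """Return the user for a session, or None if unknown, expired,
        or (when verify_ip is on) presented from a different IP address."""
        rec = self._sessions.get(session_id)
        if rec is None:
            return None
        if now >= rec["expires"]:
            del self._sessions[session_id]  # stale ID from an old bookmark
            return None
        if self.verify_ip and rec["ip"] != client_ip:
            return None                     # someone else's session ID, reject it
        rec["expires"] = now + self.ttl     # sliding timeout on use
        return rec["user"]

    def regenerate(self, old_id: str, client_ip: str, now: int):
        """Issue a fresh ID at login so an ID fixed in a copied link is never
        the one that ends up authenticated."""
        rec = self._sessions.pop(old_id, None)
        if rec is None:
            return None
        return self.create(rec["user"], client_ip, now)


def resolve_session(store: SessionStore, url: str, cookie_sid, client_ip: str, now: int):
    """Request-handling policy: only a cookie may identify the session; any
    Session_ID in the URL is discarded and the URL is canonicalised."""
    clean_url = strip_session_id(url)
    user = store.lookup(cookie_sid, client_ip, now) if cookie_sid else None
    return user, clean_url


if __name__ == "__main__":
    # Constructed sample: a session created from one address, replayed from another.
    lax = SessionStore(verify_ip=False)
    sid = lax.create("John Smith", "203.0.113.10", now=1000)
    print(lax.lookup(sid, "198.51.100.7", now=1100))   # the thread's symptom: John Smith
    strict = SessionStore(verify_ip=True)
    sid = strict.create("John Smith", "203.0.113.10", now=1000)
    print(strict.lookup(sid, "198.51.100.7", now=1100))  # None
    print(strip_session_id("http://store.example/merchant.mvc?Screen=SFNT&Session_ID=" + sid))
```

The IP check closes the case in the thread (a bookmark carried across states), but it is a coarse control: customers behind a shared NAT or proxy pool present the same address as one another, and mobile users whose address changes mid-session are logged out. Keeping the session ID out of URLs, and issuing a new one at login, removes the problem at its source regardless of where the request comes from.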