cubecart v6 Checkout Issue?

[Wairds]

I am posting this as I wonder if anybody else has encountered this issue.

I have received an email today from a customer purchasing from my shop. I will quote his email:  “ Hi, I have just tried to order a Passport cover,  however when I went to pay the basket auto updated to a Kindle cover for some gentleman in England!”

About the same time this event took place I received an order for a Kindle cover from somebody in England.

Regards.

[bsmither]

We have had some reports of one visitor/customer seeming to 'latch onto' the "session" of a second visitor/customer.

Personally, I do not know if this has been reliably replicated, or even a fix has been attempted.

By its very nature, such an event is extraordinarily rare, and working through the evidence, of whatever form it may take wherever it may be, is problematic.

A "session" is based on a cookie. That cookie gets tied to a session identifier maintained by PHP. The session identifier is a file in PHP's session folder (usually /tmp) and holds, among other things, the current shopping basket. The installation of PHP can be enhanced to have a longer length session identifier.

However, the CubeCart database may not have the necessary length in the CubeCart_sessions table, 'session_id' column (currently at 32 characters). It is one of my theories that the databased, truncated session identifier may be involved. But that is not very likely as the identifiers would not completely match, resulting in nothing seeming to be retained.

Another theory was analyzed and a hopeful fix for it was implemented a few versions back.

Please check to see if the customer_id's of the first and second customers involved are very close together.

What version of CubeCart are you using?

[Wairds]

Thanks for responding.

My understanding from what you are saying is the session identifier, when truncated, no longer becomes unique. Hence the issue.

I regret I cannot locate the customer id's. However I note the first customer registered at 12:06 and the second at 12:08. I am running version 6.1.13.

Regards

[bsmither]

We can assume the customer_id's are close together, although their "closeness" would be the indicator I would use to gauge if one of the theories would have be worth exploring. That theory was worked on many versions ago: https://github.com/cubecart/v6/issues/789

In admin, PHP Info, Apache Environment table, how many characters make up the value of the HTTP_COOKIE (the part after the equal sign)?

 

[Wairds]

Difficult to count but I believe after __atuvc= there are circa 146 characters.

Regarding GitHub 789 to ensure uniqueness and an incremental value would it not be possible to include date and time up to thousands of a second? If it is possible to obtain those values?

[bsmither]

Oops, I meant just the cookie with the key that starts with CC. Such as:

CC_265520000B=os5p5orc3c0respvvcjbpfu9r4

How many characters is the bold value?

[Wairds]

26 characters excluding the semi-colon at the end of the string.

[bsmither]

Semi-colon? I'm thinking that's a strange one, but it's not too long. Which is what I was wanting to check.