Session Cookie shows custom user field information after logout

  • Posts: 97
  • Thank you received: 7
  • Hikashop Business
1 day 11 hours ago #367721

-- HikaShop version -- : 5.1.6
-- Joomla version -- : 5.3.1
-- PHP version -- : 8.2.28
-- Browser(s) name and version -- : Firefox 140.0.2
-- Error-message (debug mode must be turned on) -- : None

Afternoon,

Maybe it’s one of my time-wasting questions, but could someone verify whether they get the same result with version 5.1.6 or higher, custom fields on the customer registration page, and registration set to Registration + Guest in the back end?

Log in to the shop with a current account
Order an item
Proceed to checkout
Proceed to (at least) the shipping information step
Logout

Go to the Registration page

In my case all the custom field information related to the previously logged-out customer is showing, so name, address, etc.

If I turn the Joomla Debug System on and look at the request on the registration page, it shows "hikashop_already_loaded" => array:2 and the complete "hikashop_billing_address_data" and "hikashop_shipping_address_data".

As soon as I clear the session cookie the information is cleared as is the current order from the shopping cart (expected).

If I look at an older 4.2.2 version of Hikashop the link between the session cookie and the custom field information is cleared on logout, so that is working as expected.

Not sure if this is a security risk, or just me doing something wrong, since it is bound to the current session, but if the session cookie is intercepted it will be.


  • Posts: 84037
  • Thank you received: 13618
  • MODERATOR
1 day 5 hours ago #367727

Hi,

HikaShop does not and never did clear any data it adds to the user session.
The data in the user session automatically clears when the user session expires and Joomla deletes it.

You're saying that you looked at an older version of HikaShop and the behavior was different regarding the clearing of user session data during the logout. However, since HikaShop is not involved there, I suppose that on the website with that older version of HikaShop, you're using an older version of Joomla. And thus, it's probably the behavior of Joomla which changed on that end at some point.

I searched a bit online about this change of behavior but I couldn't find anything conclusive.

Regarding a security issue I don't think it changes anything.
If the user session can be compromised by an attacker when the user is logged out after being logged in, then I don't see a reason why that same attacker couldn't compromise the user session while the user is still logged in.
Also, getting the user session cookie is not easy nowadays. Now, all the websites implement SSL (HTTPS). And thus, the data being transferred between the browser and the server is encrypted from end to end, and this includes the user session cookie.
A man-in-the-middle attack on the connection between the browser and the server doesn't seem realistic unless you're the NSA, and even then, it must not be easy for them, if possible at all. That's actually why all browsers now display an error page when you try to access a website without SSL, so that snooping on the connection is not possible.
A more realistic approach would be for a browser extension to get access to the cookies, but if the extension is already on the machine of the user, it can do a lot more than just getting the user session cookie of a random website (like directly get the credit card information of the user).
Another approach would be to get the user session id from the database. But if the attacker already has access to your database, or your PHP files, then your website is already compromised.

Basically, I wouldn't be worried about what you found out.
Besides the security implications I discussed above, keeping the user session data has some advantages, like HikaShop being able to keep track of what products were already visited by the user (so that if you have a listing of recently visited products, it can display a coherent listing even after logout).

The following user(s) said Thank You: EnerW
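For shop owners who would rather not keep the checkout data around after logout, the cleanup can be done outside HikaShop with a small Joomla system plugin. The following is an added example written for this thread, not HikaShop or Joomla project code: it listens for Joomla's onUserAfterLogout event and removes the session keys named in the first post (hikashop_billing_address_data, hikashop_shipping_address_data, hikashop_already_loaded), then sweeps any other key with the hikashop_ prefix (the prefix sweep is an assumption about how HikaShop names its keys) and rotates the session id. The plugin name and namespace are hypothetical, and the manifest XML and services/provider.php that a Joomla 4/5 plugin also needs are omitted.

```php
<?php
// Added example for this thread, not HikaShop or Joomla project code.
// Hypothetical system plugin that clears HikaShop checkout data from the
// Joomla session on logout. Plugin name/namespace are assumptions.

namespace Joomla\Plugin\System\Hikasessionclear\Extension;

use Joomla\CMS\Factory;
use Joomla\CMS\Plugin\CMSPlugin;

final class Hikasessionclear extends CMSPlugin
{
    // Session keys observed in the forum post above.
    private const KNOWN_KEYS = [
        'hikashop_billing_address_data',
        'hikashop_shipping_address_data',
        'hikashop_already_loaded',
    ];

    // Assumption: other HikaShop session data shares this prefix.
    private const PREFIX = 'hikashop_';

    /**
     * Joomla dispatches onUserAfterLogout once the login state is removed.
     * As the thread notes, the session itself survives, so we prune it here.
     */
    public function onUserAfterLogout(array $options): void
    {
        $session = Factory::getApplication()->getSession();

        // Remove the keys we know about explicitly.
        foreach (self::KNOWN_KEYS as $key) {
            if ($session->has($key)) {
                $session->remove($key);
            }
        }

        // Defensive sweep for any other hikashop_* entries in this session.
        foreach (array_keys($session->all()) as $key) {
            if (str_starts_with((string) $key, self::PREFIX)) {
                $session->remove($key);
            }
        }

        // Issue a fresh session id (destroying the old one) so a cookie value
        // captured before logout no longer refers to the live session.
        $session->fork(true);
    }
}
```

Note the trade-off the moderator describes: sweeping every hikashop_ key also drops the recently viewed products tracking, so a site that wants to keep that listing should restrict the plugin to the three address/checkout keys and skip the prefix sweep.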


  • Posts: 97
  • Thank you received: 7
  • Hikashop Business
7 hours 3 minutes ago #367744

Afternoon Nicolas,

Thank you for the elaborate explanation. For the older (test) version of HikaShop you are correct: it’s a Joomla 3.10.12 install, and keeping track of the recently viewed items is also important.

I am not really worried about the security issue, since under normal circumstances it would involve local access to the customer's browser, and the session information is cleared as soon as the browser is closed.

I do think that you are correct that Joomla did change the Session Handler and Track Session Metadata.

The following user(s) said Thank You: nicolas


Powered by Kunena Forum