I've posted this on the OpenCart forums; however, no one could figure out what the problem was.
Running OpenCart 1.5.6.4 on PHP 5.4.42.
If a user X is logged in on the website and another user visits the site, he also gets logged in to X's account automatically. I've witnessed this myself: when I was browsing, it showed me as logged in as a customer who lives 500 miles away! If user X has something added to his cart, it shows up as well.
So, since I'm logged in through that account, I can do whatever I like from that account: place an order, modify details, etc. Scary! This entire problem has been aggravated by the increase in traffic to my website.
I've tried moving session.save_path to a different folder (/tmp) altogether, but it hasn't helped.
I'm not a full-time dev, so I'm having trouble figuring out what the problem is. It would be great if somebody could help.
php.ini has the following session-related entries:
; in php.ini a ';' starts a comment, so the trailing semicolons that were
; on each line below were ignored by the parser; they are dropped here
session.save_path = /webroot/sitename/tmp/
session.use_only_cookies = 1
session.use_trans_sid = Off
session.cookie_httponly = 1
session.gc_maxlifetime = 3600
session.php:
<?php
class Session {
    // Reference to $_SESSION, so reads/writes go straight to the PHP session
    public $data = array();

    public function __construct() {
        // Only start a session if one is not already active for this request
        if (!session_id()) {
            ini_set('session.use_only_cookies', 'On');   // never accept the id from the URL
            ini_set('session.use_trans_sid', 'Off');     // never rewrite URLs with the id
            ini_set('session.cookie_httponly', 'On');    // cookie not readable from JavaScript
            session_set_cookie_params(0, '/');           // session cookie, valid for the whole site
            session_start();
        }

        $this->data =& $_SESSION;
    }

    public function getId() {
        return session_id();
    }
}
The problem was due to some customers without an email (simplified registration form). OpenCart was confused. Solutions:
First, update the customers with a random email (note that the email is not used to reach customers):
Then update the registration form to generate a random email at registration, to avoid this situation in the future.
Disclaimer: I had access to the platform.
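An added illustration of the audit and clean-up step the answer above describes (these are not the answerer's own queries, which do not appear on the page). It assumes an OpenCart 1.5.x `customer` table with the default `oc_` prefix; the placeholder address pattern is my own choice.

```sql
-- Added example: locate and repair customer rows with a blank email,
-- the condition the answer above identifies as the cause of the
-- session mix-up. Assumes the OpenCart 1.5.x schema with the default
-- table prefix `oc_` (adjust to DB_PREFIX from config.php).

-- 1. Audit: how many customers have no usable email address?
SELECT COUNT(*) AS blank_email_customers
FROM oc_customer
WHERE email IS NULL OR TRIM(email) = '';

-- 2. Audit: is any address shared by several customers? OpenCart looks a
--    customer up by email at login, so duplicates deserve the same
--    scrutiny as blank values.
SELECT LOWER(email) AS email,
       COUNT(*) AS customers,
       GROUP_CONCAT(customer_id) AS customer_ids
FROM oc_customer
GROUP BY LOWER(email)
HAVING COUNT(*) > 1;

-- 3. Repair: give each blank-email customer a placeholder that is unique
--    (customer_id is the primary key) and can never match a real mailbox
--    (.invalid is a reserved top-level domain, RFC 2606).
UPDATE oc_customer
SET email = CONCAT('customer-', customer_id, '@example.invalid')
WHERE email IS NULL OR TRIM(email) = '';

-- 4. Verify: re-run query 1 (expect 0) and query 2 (expect no rows).
```

Run the two audit queries before and after the UPDATE so the change is measurable, and take a backup of the table first as with any bulk data fix.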