WalTig
Posted June 20, 2014

Here is the situation: We have a dedicated (Linux) server with Prestashop 1.5.6.1. Multiple users (at one of our customers) are logged in (front office) at the same time. They all have different accounts (mail addresses and passwords). Though they experience strange things like staying connected after log off, seeing each other's names, sometimes they have multiplied cart lines, not selected products are added to the cart, etc.

The ("only" as far as I can see) difference with other customers is that these users are working through Terminal Services (Thin Clients).

I am a stranger to Terminal Services, but this is what I think: PrestaShop uses the Cookie class to manage session variables. Parameters set in the cookie are given to the client, but in this case to multiple users. Sessions are not really stored on the server. This does mean, I am afraid, that one session will be used by several users in this case. Checking the IP address of the cookie (which is a Prestashop option) has no effect since these users share one IP address. So in fact they are "stealing" each other's cookies.

Of course I would appreciate very much getting some hints on this topic: Is the assumption right that using Terminal Services / Thin Clients can cause these problems? And in what direction do we have to find the solution? Is it in Prestashop? Or should our customer solve this on the Terminal Services side? And if the solution should be found in Prestashop... is there anybody with experience or knowledge to point me in a certain direction?

Thanks in advance.

WalTig (Author)
Posted June 23, 2014

Hmmm, looks like I'm the only one having this problem? Anyway... this case popped up in my head every now and then this weekend and I was wondering... Maybe it makes sense to make all cookies "account-related". So that every account will use only his own cookies even when he's sharing the same machine and same IP address with other accounts.

The only question is "how" can I do that? The thing crossing my mind is extending every key with the account number.

wredzimir
Posted November 5, 2014

Did you handle this problem? I think I have the same issue in my store.

WalTig (Author)
Posted November 7, 2014

Yes I did. This is what solved it in my case.

I found out that (at least 'sometimes') session IDs had a very long lifetime and that customers (within a company) with terminal sessions sometimes share session IDs. Even though this was not the case for every (other) customer with terminal sessions.

At two different points in the process I destroy the user cookies and session IDs. Mind you that this might be a bit of overkill (but that does not bother me). Maybe destroying the cookies and session ID at only one point would be enough. Or, maybe just renewing the session ID would be enough.

So if you are struggling with the same problem, you can try and see whether my solution is working for you too. If so, you can play a bit with the code and start decreasing the number of steps if you like. Until you have changed so much that the solution is not enough anymore. When you have reason to decrease the code, my best guess would be: you don't need the code at logout. And you can keep the 1st line and the last 4 lines. Skip the lines in between. Try and see if that works. Most important point imho is after closing an order since the biggest problem was customers mixing up their carts and orders. Or otherwise, keep the full code at both points. I never felt the need to review the code once I started to use it.

At (1) user logout (in class 'Customer' in function 'mylogout') and at (2) order confirmation (in class 'OrderConfirmationController' just before calling order-confirmation.tpl) I added a few lines to unset the cookies and to renew the session ID. And for one particular customer (the one with the terminal sessions) I used a one-time-only script based on their current session ID to destroy that session ID the first (next) time they entered the webshop. This to ensure that they stop sharing that ID. After that we do not face this problem anymore (and in the past it was a daily problem).

```php
$cookie = Context::getContext()->cookie;

// Drop the PrestaShop cookie from the current request and clear the
// per-user values it carries.
unset($_COOKIE[$this->_name]);
unset($cookie->detect_language);
unset($cookie->id_customer);
unset($cookie->logged);
unset($cookie->id_guest);
unset($cookie->passwd);
unset($cookie->customer_firstname);
unset($cookie->customer_lastname);
unset($cookie->id_cart);

// Clear the PHP session: stored ID, session data, server-side record,
// and finally the PHPSESSID cookie in the browser.
$this->context->cookie->PHPSESSID = '';
$_SESSION = array();
session_destroy();
setcookie("PHPSESSID", "", time() - 3600, "/");
```

Good luck!

Edited November 7, 2014 by WalTig
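
The lighter alternative mentioned in the post above ("just renewing the session ID") and the earlier idea of tying session state to one account, sketched in plain PHP as an added example. It is not code from the thread or from PrestaShop; the function names and the `id_customer` session key are assumptions.

```php
<?php
// Added example, plain PHP; not PrestaShop code and not from the thread.
// Function names and the 'id_customer' session key are assumptions.

/** Logout / after order confirmation: discard the session on both sides. */
function end_session()
{
    if (session_id() === '') {
        session_start();               // need an open session to destroy it
    }
    $_SESSION = array();               // drop the server-side data

    // Expire the browser cookie with the same path, domain and flags it was
    // set with; with different parameters the browser keeps the old cookie.
    if (ini_get('session.use_cookies')) {
        $p = session_get_cookie_params();
        setcookie(session_name(), '', time() - 3600,
            $p['path'], $p['domain'], $p['secure'], $p['httponly']);
    }
    session_destroy();                 // remove the server-side session record
}

/** Login, after the password check: never keep the pre-login session ID. */
function begin_customer_session($idCustomer)
{
    if (session_id() === '') {
        session_start();
    }
    $_SESSION = array();
    session_regenerate_id(true);       // new ID, old session record deleted
    $_SESSION['id_customer'] = (int) $idCustomer;
}

/** Per request: does this session belong to the account the shop identified? */
function session_matches_customer($idCustomer)
{
    if (session_id() === '') {
        session_start();
    }
    if (isset($_SESSION['id_customer'])
        && $_SESSION['id_customer'] === (int) $idCustomer) {
        return true;
    }
    end_session();                     // mismatch: drop it, force a new login
    return false;
}
```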