Magento2 – Using Another Logged-In User’s Session

customer-sessionmagento2Securitysession

This might be too broad of a question but it is a gigantic security issue and I have no idea where to start debugging this.

I was testing some features on my dev server while someone else was logged in on the frontend as well. At one point after refreshing I saw that I was suddenly logged in as the other user's account, I did not even know which email they were using and had never logged in with that account before but I could now do everything from change his password to place orders with his account.

As far as I know I'm not doing anything weird with sessions, but the most likely place I could see this going wrong is a Helper class that is used in various places but that is only used for getting the current user's customer group ID.

It is a fairly standard and clean Magento 2.1.9 installation on a LAMP stack, we started developing two weeks ago so we have one custom module that we are working on right now and no third party modules.

Best Answer

I was able to replicate this issue by clicking a link with a "SID" (session ID) in it. If that session ID belonged to another customer and they were logged in, I could see their details.

Because the site I was working on was a single website/store (no multi-website/store) I could stop the issue by changing:

Store > Configuration > General > Web > Session Validation Settings > "Use SID on Storefront" == "No"

You may need to wipe your session store to ensure no customers are still sharing sessions.

I found this related question useful and it contains more info over there:

How to Remove SID (SESSION_ID) from URL in Magento 2

Related Solutions

Magento Cart Dropping Items – Session Clearing Issue

On our cPanel boxes, missing assets were serving the entire Magento page.

cPanel's defaults to ErrorDocument 404 /404.shtml but /404.shtml doesn't exist in Magento's document root, so the .htaccess gets executed again and redirects /404.shtml to index.php (using mod_rewrite).

Magento's default .htaccess should specify 404, 500, and other error handlers explicitly.

To fix this beahviour, we added the following to our .htaccess:

ErrorDocument 404 /errors/404.php

We probably should also add 500s as well:

ErrorDocument 500 /errors/500.php

Magento – Can / Should I Use The Admin Session in Frontend

Let's assume you can get access to the admin session in the frontend, I don't think there will be any issues. Just make sure that you wrap the code (actions or display) around something like this:

if (getTheAdminSession()->getUser()){//getTheAdminSession() is just a placeholder for the admin session getter
   //code or output here
}

If you have this and the admin is not logged in then there should not be any issues (in theory). Those pieces of code will be skipped.
Now the hard part. I'm not sure how it's possible to gain access to the admin session from the back-end since Magento creates 2 different cookies for them. Maybe read the cookie with the name 'adminhtml' and try to initiate the session with that value. But this will become impossible if the admin is on a separate domain. (I know it usually isn't but it may be).
If you do a simple:

Mage::getSingleton('admin/session')

on the frontend, the object created from this code will be appended to the session file of the frontend(I only tested with session in files). The admin session file will not be touched. Your session file will looke something like this:

core|a:5:{..}admin|a:2:{...}

Best Answer

Related Solutions

Magento Cart Dropping Items – Session Clearing Issue

Magento – Can / Should I Use The Admin Session in Frontend

Related Topic