
Author Topic: Customer that doesn't logout can be seen from any computer Help fix please!  (Read 5219 times)

Offline bab

I tested my site using 1.1.7. I created 2 separate accounts, 1 on the computer and 1 on the smartphone. I then logged in to 1 of the accounts, then proceeded to close the browser on my computer without logging out. I then used my smartphone (not connected to wifi) and launched my website in my Chrome browser. I then proceeded to log in, and the account that was logged in on the computer (but never logged out) was visible on my phone. I tried this several different ways, like instead of closing the browser I just entered a URL for a different site (without logging out), but same results. I figured that I would have my friend who lives thousands of miles away from me start an account, then have him close his browser or go to another site without logging out. Still the same results when I go to log in from my computer/smartphone: now I'm logged in to his account. Only if you log out before leaving the website will whatever device I log into not show the account dashboard of the other test account. Is there a way to fix this, so customers can be logged out once they leave the site? Or do they have to log out before leaving? I look forward to a response, this is a big security issue for me. Thanks :-\

Offline abantecart

There is a session expiration time that controls the login time (the time the session is active) in case the customer does not log out.
It is set in the admin settings, but it is also related to the PHP session expiration time configured on the server.

If you access from any different browser, device, phone, computer, etc., there will be a new session and you need to log in again.
This is pretty standard in all applications.

Please explain where you see a security issue?
 
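How a server-side idle timeout of the kind described in the reply above behaves, as an added example that is not part of the original posts and is not AbanteCart's code. The function names and the `last_seen` key are hypothetical; the 120-minute value is the default mentioned later in the thread.

```php
<?php
// Added example, not AbanteCart code. IDLE_TTL mirrors the 120-minute
// default from the thread; function and key names are hypothetical.
const IDLE_TTL = 120 * 60; // seconds

// Run on every request, right after session_start(), passing $_SESSION.
// Returns 'new', 'active' or 'expired' and updates $session to match.
function enforce_idle_timeout(array &$session, int $now, int $ttl = IDLE_TTL): string
{
    if (!isset($session['last_seen'])) {
        $session['last_seen'] = $now;   // first request seen on this session
        return 'new';
    }
    if ($now - $session['last_seen'] > $ttl) {
        $session = [];                  // drop the customer id and all other state
        return 'expired';
    }
    $session['last_seen'] = $now;       // sliding window: activity extends the login
    return 'active';
}

// PHP may garbage-collect session data older than session.gc_maxlifetime,
// so an application TTL longer than that value is not guaranteed to hold.
function ttl_is_backed_by_php(int $ttl, int $gcMaxLifetime): bool
{
    return $gcMaxLifetime >= $ttl;
}

// Constructed walk-through: first request, a request 119 minutes later,
// then a request after more than 120 minutes of inactivity.
$session = ['customer_id' => 42];       // constructed sample value
$t0 = 1700000000;                       // constructed timestamp
echo enforce_idle_timeout($session, $t0), "\n";
echo enforce_idle_timeout($session, $t0 + 119 * 60), "\n";
echo enforce_idle_timeout($session, $t0 + 119 * 60 + IDLE_TTL + 1), "\n";
var_dump(isset($session['customer_id']));

// Compare the application TTL with the server's PHP setting
// (PHP ships with session.gc_maxlifetime = 1440 seconds).
var_dump(ttl_is_backed_by_php(IDLE_TTL, (int) ini_get('session.gc_maxlifetime')));
```

Closing the browser or navigating away sends nothing to the server, so only an explicit logout or this kind of timeout ends the login on the server side.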

Offline bab

Thank you for the simple explanation. It seems that I overlooked the session time in minutes located in the admin settings. It was still set to the default of 120 minutes = 2 hours. Thank you for your continued support.

Offline Basara

I tested my site using 1.1.7 I created 2 separate accounts, 1 on the computer and 1 on the smartphone. I then logged in 1 of the accounts then proceeded to close browser from my computer without logging out. I then used my smartphone (not connected to wifi) and launched my website in my chrome browser. I then proceeded to log in and the account that was logged in on the computer (but never logged out) was visible on my phone.

Hi.

This is the new Chrome browser sync feature - Google has updated its Chrome browser, adding the ability to sync browser tabs across multiple devices to make a single session of Chrome accessible as you move from desktop, to mobile, and back again.

 
