I am still not clear how you are able to pass customer authentication.
This does NOT happen on your site now. I tried.
1. Are you sure you are not clicking (or did not click before) "act on behalf" in admin?
2. What browser does your customer use?
3. Did you modify any code at that time?
1. No
2. Can't say unfortunately
3. No code alterations but there have been two extensions installed - Wishlist and Abandoned Orders, three language packs and Flexi-promotions.
We have just done a test here.
Downstairs on computer1 the browser was logged into admin and had added a couple of items to the Cart.
Upstairs on computer2 I navigated to abantecart and clicked on the 'cart' icon without logging in. The cart details from the session on computer1 were displayed and to all intents and purposes the session on computer2 was logged in as if it was the session on computer1.
The only reasons I can think of for this to happen are that both computers operate on the external IP address.
Or computer2 has cache from when it was last legitimately logged in as admin - which would have been several weeks ago. In any case neither of those explains why customers in one country can see details of a customer logged in in another.