
Customer that doesn't logout can be seen from any computer Help fix please!

Started by bab, October 18, 2013, 06:34:04 PM


bab

I tested my site using 1.1.7. I created 2 separate accounts, 1 on the computer and 1 on the smartphone. I then logged in 1 of the accounts, then proceeded to close the browser on my computer without logging out. I then used my smartphone (not connected to wifi) and launched my website in my Chrome browser. I then proceeded to log in, and the account that was logged in on the computer (but never logged out) was visible on my phone. I tried this several different ways, like instead of closing the browser I just entered a URL for a different site (without logging out), but same results. I figured that I would have my friend who lives thousands of miles away from me start an account, then have him close his browser or go to another site without logging out. Still same results: when I go to log in from my computer/smartphone, now I'm logged into his account. Only if you log out before leaving the website, then whatever device I log into will not show the account dashboard of the other test account. Is there a way to fix this, so customers can be logged out once they leave the site? Or do they have to log out before leaving? I look forward to a response; this is a big security issue for me. Thanks :-\

abantecart

There is a session expiration time that controls the login time (the time the session is active) in case customers do not log out.
It is set in the admin settings, but it is also related to the PHP session expiration time configured on the server.

If you access from any different browser, device, phone, computer, etc. there will be a new session and you need to log in again.
This is pretty standard in all applications.

Please explain where you see a security issue?
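The reply above points at the two places the timeout lives: an application-level session lifetime and the PHP session settings on the server. The following is an added example written for this thread, not AbanteCart's own code, showing how a PHP storefront would enforce that idle timeout server-side; the 120-minute window mirrors the default mentioned later in the thread, and the login route in the redirect is a hypothetical placeholder.

```php
<?php
// Added example (not AbanteCart's implementation): server-side idle timeout for a customer session.
// Assumptions: 120-minute idle window (the admin default cited in this thread), HTTPS-only site.

declare(strict_types=1);

const IDLE_TIMEOUT_SECONDS = 120 * 60;

// Cookie and garbage-collection settings must be applied before session_start().
ini_set('session.gc_maxlifetime', (string) IDLE_TIMEOUT_SECONDS);
ini_set('session.use_strict_mode', '1');   // refuse session ids the server never issued
session_set_cookie_params([
    'lifetime' => 0,        // browser-session cookie; dropped when the browser is fully closed
    'path'     => '/',
    'secure'   => true,     // sent only over HTTPS
    'httponly' => true,     // not readable from page scripts
    'samesite' => 'Lax',
]);
session_start();

/**
 * True if the session is still inside the idle window; also refreshes the activity timestamp.
 * gc_maxlifetime only triggers cleanup probabilistically (session.gc_probability/divisor),
 * so this explicit per-request check is what actually enforces the timeout.
 */
function sessionIsFresh(?int $now = null): bool
{
    $now ??= time();
    if (isset($_SESSION['last_activity'])
        && ($now - (int) $_SESSION['last_activity']) > IDLE_TIMEOUT_SECONDS) {
        return false;
    }
    $_SESSION['last_activity'] = $now;
    return true;
}

/** Destroy the server-side session and expire the cookie: used on timeout and on explicit logout. */
function endSession(): void
{
    $_SESSION = [];
    if (ini_get('session.use_cookies')) {
        $p = session_get_cookie_params();
        setcookie(session_name(), '', time() - 42000,
            $p['path'], $p['domain'], $p['secure'], $p['httponly']);
    }
    session_destroy();
}

/** Call only after the customer's credentials have been verified. */
function loginCustomer(int $customerId): void
{
    session_regenerate_id(true);   // fresh id on privilege change; the old id stops working
    $_SESSION['customer_id']   = $customerId;
    $_SESSION['last_activity'] = time();
}

// Per-request gate: an idle session is discarded before any account data is rendered.
if (!sessionIsFresh()) {
    endSession();
    header('Location: /index.php?rt=account/login');   // hypothetical login route
    exit;
}
```

The server cannot observe a customer closing a tab or navigating away, so the idle window is the control that ends abandoned sessions; shortening IDLE_TIMEOUT_SECONDS (and the matching admin setting) trades convenience for a smaller window in which an unattended, still-valid session cookie could be reused.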

bab

Thank you for the simple explanation. It seems that I overlooked the session time in minutes located in the admin settings. It was still set to the default of 120 minutes = 2 hours. Thank you for your continued support.

Basara

Quote from: bab on October 18, 2013, 06:34:04 PM
I tested my site using 1.1.7 I created 2 separate accounts, 1 on the computer and 1 on the smartphone. I then logged in 1 of the accounts then proceeded to close browser from my computer without logging out. I then used my smartphone (not connected to wifi) and launched my website in my chrome browser. I then proceeded to log in and the account that was logged in on the computer (but never logged out) was visible on my phone.

Hi.

This is the new Chrome browser sync feature: Google has updated its Chrome browser, adding the ability to sync browser tabs across multiple devices to make a single session of Chrome accessible as you move from desktop to mobile and back again.
