I gave this link to a friend
admin.php?dispatch=products&product_id=PRODUCTNUMBER&sess_id=SESSIONIDNUMBER
and he was able to browse my admin panel without logging in. Is this normal?
Now if I knew someone is using cs-cart and spends quite some time on the back end, I would be able to develop some generator to check if there is some open session? IP or cookie is not checked…
The same session ID is generated by IE and FF; only Chrome gives a long session number.
Hi
Can’t see any situation that should allow direct access!
Not really sure how that is happening, is it on 1.3.5 or 2.0.4 Just for information?
BarryH
Hi
Not sure if some of the URL you posted has been changed, but have tried to access my website with correct www and PHP file with the extension off your URL and I just get my login page!
BarryH
[quote name=‘BarryH’]Hi
Not sure if some of the URL you posted has been changed, but have tried to access my website with correct www and PHP file with the extension off your URL and I just get my login page!
BarryH[/QUOTE]
Is your site with SSL enabled admin backend ?
If so then login to backend using firefox and you may try IE8.
Now copy link from admin panel to another browser and check if it opens the admin panel without logging in.
Hi
Maybe I’m missing something here!?!?
Yes with SSL in Admin, when I log in I get the same URL as I typed in to start with which only takes me to the Login page…
Type in…www.mywebsite.com/admin.php (not really admin) and the login page opens so …
enter password etc and log in and the URL is www.mywebsite.com/admin.php if I copy this I just go round in circles no matter which browser I use! IE7,FF,Opera etc
Sorry if I have missed something, but I can’t see where you get the URL that you have?
BarryH
Not sure what you don’t understand here. How can you do an SSL connection without a session id (&sess_id=withlongidnumber)?
I picked first found domain here in forum with ssl on it
[url]https://www.XXXXXXXXX.com/index.php?target=checkout&mode=cart&csid=3de7a9885c49f17a50f84a9d2ed4d5bd&sl=EN&currency=usd[/url]
It is cart page enabled with ssl.
3de7a9885c49f17a50f84a9d2ed4d5bd is ssl session number.
I copy this link, paste to other browser and I see cart page with exact same item in cart.
[quote name=‘BarryH’]Hi
Maybe I’m missing something here!?!?
Yes with SSL in Admin, when I log in I get the same URL as I typed in to start with which only takes me to the Login page…
Type in…www.mywebsite.com/admin.php (not really admin) and the login page opens so …
enter password etc and log in and the URL is www.mywebsite.com/admin.php if I copy this I just go round in circles no matter which browser I use! IE7,FF,Opera etc
Sorry if I have missed something, but I can’t see where you get the URL that you have?
BarryH[/QUOTE]
[quote name=‘Darius’]Not sure what you don’t understand here. How can you do an SSL connection without a session id (&sess_id=withlongidnumber)?
I picked first found domain here in forum with ssl on it
[url]https://www.XXXXXXXXX.com/index.php?target=checkout&mode=cart&csid=3de7a9885c49f17a50f84a9d2ed4d5bd&sl=EN&currency=usd[/url]
It is cart page enabled with ssl.
3de7a9885c49f17a50f84a9d2ed4d5bd is ssl session number.
I copy this link, paste to other browser and I see cart page with exact same item in cart.[/QUOTE]
Obviously crossed purposes here…
Firstly you said in admin…admin.php and then you have said front end…index.php so I am not really sure what you are doing!
If you access the front and go into your account, then cut and paste the (unique) URL into another browser or window the system will assume you have the permissions required because how else would you have the (unique) URL???
I THINK??
BarryH
Just to add my 2 cents here, but is this in 2.04 or 1.3.5 sp4?
I enabled SSL in my backend on 1.3.5 sp4 and I don’t have a session id in FF3 or IE8. I currently only have 2.0.4 installed on my local host so I can’t test SSL on there.
Brandon
[quote name=‘brandonvd’]Just to add my 2 cents here, but is this in 2.04 or 1.3.5 sp4?
I enabled SSL in my backend on 1.3.5 sp4 and I don’t have a session id in FF3 or IE8. I currently only have 2.0.4 installed on my local host so I can’t test SSL on there.
Brandon[/QUOTE]
It’s on 2.04.
It is confirmed by cs support. Appears it is default functionality…
If you share link to admin panel with visible session id (sometimes it may be not visible) other party may enter admin panel anywhere he pleases until you logout.
I was told that this is known to them and in near future some IP security check will be added.
Now I don’t know why, but most of the time the session id number is really strong random letters and numbers, but sometimes it is just four simple numbers. I have deleted all cookies, saved data, browser data and everything possible. It was OK for a while but it reappeared again after some time…
[quote name=‘BarryH’]Obviously crossed purposes here…
Firstly you said in admin…admin.php and then you have said front end…index.php so I am not really sure what you are doing!
If you access the front and go into your account, then cut and paste the (unique) URL into another browser or window the system will assume you have the permissions required because how else would you have the (unique) URL???
I THINK??
BarryH[/QUOTE]
This above is just a sample; where will I get an admin backend for you to demonstrate?
Yes a UNIQUE number. Do you think a “1020” is a unique number? As I said, most of the time the numbers and letters are random, but in some cases they were as pure and simple as 1020 and did not change when logging in and out of the admin panel, as if they were cached somewhere.
Even if someone knows a unique number, the IP or cookie should be checked. Try to log in to your bank account and share the address with someone; I don’t think anyone will be able to see what you see.
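The two problems Darius describes above, a session id that is honoured when it arrives in the URL and ids that are sometimes as short as "1020", are both session-management settings on the PHP side. The following is an added example of how a PHP admin area can be configured so that a pasted link never grants access; it is not CS-Cart's code, and the helper names (`isStrongSessionId`, `startAdminSession`, `onSuccessfulLogin`, `isAdminSessionValid`) and the user-agent binding are assumptions for this example.

```php
<?php
// Added example, not CS-Cart code: session handling that ignores a session id
// carried in the query string and rejects ids too short to be random.
declare(strict_types=1);

// 1. Never accept a session id from the URL (sess_id=... / csid=...) and never
//    rewrite it into links: cookies only, and only ids the server itself issued.
ini_set('session.use_only_cookies', '1');
ini_set('session.use_trans_sid', '0');
ini_set('session.use_strict_mode', '1');
// 2. Cookie flags: not readable by script, only sent over SSL (the thread's admin
//    panels are behind SSL), not sent on cross-site navigations.
ini_set('session.cookie_httponly', '1');
ini_set('session.cookie_secure', '1');
ini_set('session.cookie_samesite', 'Lax');
// 3. Long ids: 48 characters drawn from 64 symbols, i.e. 288 bits of entropy.
ini_set('session.sid_length', '48');
ini_set('session.sid_bits_per_character', '6');

/**
 * Hypothetical helper: true when $sid looks like a server-issued random id.
 * 32 hex characters is the weakest format PHP issues by default (128 bits);
 * anything shorter, such as "1020", is rejected.
 */
function isStrongSessionId(string $sid): bool
{
    return (bool) preg_match('/\A[0-9a-zA-Z,-]{32,}\z/', $sid);
}

/** Hypothetical helper: start the session, logging any id offered in the URL. */
function startAdminSession(): void
{
    foreach (['sess_id', 'csid'] as $param) {
        if (isset($_GET[$param])) {
            // The value is ignored (use_only_cookies); record it for review.
            error_log(sprintf('session id in URL ignored (%s) from %s',
                $param, $_SERVER['REMOTE_ADDR'] ?? 'unknown'));
        }
    }
    session_start();
}

/** Hypothetical helper: call once the password check has succeeded. */
function onSuccessfulLogin(int $adminId): void
{
    // Issue a fresh id after authentication so any id the client held before
    // logging in (and may have shared) is worthless.
    session_regenerate_id(true);
    $_SESSION['admin_id'] = $adminId;
    // Bind the session to the client. The thread proposes an IP check; the
    // user agent is used here because IPs change behind NAT and on mobile.
    // Adding REMOTE_ADDR to this hash gives the stricter IP binding.
    $_SESSION['client_hash'] = hash('sha256', $_SERVER['HTTP_USER_AGENT'] ?? '');
}

/** Hypothetical helper: run on every admin request before rendering. */
function isAdminSessionValid(): bool
{
    if (empty($_SESSION['admin_id'])) {
        return false;
    }
    if (!isStrongSessionId(session_id())) {
        return false;
    }
    $clientHash = hash('sha256', $_SERVER['HTTP_USER_AGENT'] ?? '');
    return hash_equals($_SESSION['client_hash'] ?? '', $clientHash);
}

// Usage on an admin page:
startAdminSession();
if (!isAdminSessionValid()) {
    session_destroy();
    header('Location: /admin.php?dispatch=auth.login_form');
    exit;
}
```

With `session.use_only_cookies` and `session.use_strict_mode` set, a link such as `admin.php?dispatch=products&sess_id=...` pasted into another browser starts a new empty session instead of joining the logged-in one, which is the behaviour the bank-account comparison above expects. The `error_log` call gives a simple detection point: a session id arriving in the query string on an admin URL is worth reviewing.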
Hi
Wasn’t wanting to fall out over it, I said I didn’t understand and I did ask which version in my first posts. I can’t comment on 2.0.4 and I also said I didn’t have the problem, but I’m on 1.3.5.
Sorry if I ruffled your feathers I didn’t mean to.
Regards
BarryH