View Issue Details

ID: 0002909
Project: OXID eShop (all versions)
Category: 4.02. Session handling
View Status: public
Last Update: 2011-06-30 16:32
Reporter: webstube
Priority: high
Severity: major
Reproducibility: always
Status: resolved
Resolution: no change required
Product Version: 4.5.0 revision 34568
Target Version:
Fixed in Version:
Summary: 0002909: Session will be destroyed as soon as the user agent changes!
Description: The session will be destroyed when a call is made under the same session ID but a different user agent.

Sequence: Basket content, current login, etc. are lost.
Steps To Reproduce:
1. Create a session (log in or create an item in the shopping cart)
2. Change the browser user agent
3. Reload
Additional Information: Solution: remove _checkUserAgent() from oxSession.
Tags: No tags attached.
Theme: Both
Browser: All
PHP Version: any
Database Version: any

Activities

webstube

2011-05-19 18:51

reporter   ~0004623

Last edited: 2011-05-19 18:51

Background:
http://www.oxid-esales.com/forum/showthread.php?p=57846

csimon

2011-05-20 07:59

reporter   ~0004625

I translate:

The procedure to destroy the session if the user agent changes causes some problems with antivirus tools like Trend Micro, which make a request to each site to detect drive-by infections. Therefore, the user agent check should be improved or removed.

birute_meilutyte

2011-05-20 09:39

reporter   ~0004629

@developers: check from the source code side whether such an issue still exists

dominik_ziegler

2011-05-24 12:52

reporter   ~0004655

That is very annoying because FirePHP extends the user agent automatically and therefore the session is reset.

dainius.bigelis

2011-06-30 16:32

reporter   ~0004798

Reminder sent to: webstube

Hi,

Such behavior (like dropping the session if the user agent is changed) was planned as an additional security check. It helps to deny access to confidential data (orders, accounts, etc.) in case the session was stolen by some third-party user. Checking for a change of browser agent is one way to detect such an illegal case.

Best regards,
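
The check discussed in this thread, as an added example that is not OXID's oxSession code: a session is bound to the User-Agent seen at creation and destroyed on any mismatch, so a stolen session ID replayed from another browser is rejected, but so is the owner's own browser once a tool extends the header. The class `UaBoundSessions`, its methods and all sample values are hypothetical and constructed for illustration.

```php
<?php
// Added illustration; NOT OXID's oxSession code. All names here are hypothetical.
final class UaBoundSessions
{
    /** In-memory stand-in for the session storage: sid => ['ua' => digest, 'data' => array] */
    private $sessions = [];

    /** Creates a session and records a digest of the User-Agent that opened it. */
    public function start(string $userAgent, array $data): string
    {
        $sid = bin2hex(random_bytes(16));
        $this->sessions[$sid] = ['ua' => hash('sha256', $userAgent), 'data' => $data];
        return $sid;
    }

    /** Returns the session data, or null if the session is unknown or was just destroyed. */
    public function resume(string $sid, string $userAgent): ?array
    {
        if (!isset($this->sessions[$sid])) {
            return null;
        }
        if (!hash_equals($this->sessions[$sid]['ua'], hash('sha256', $userAgent))) {
            // Any difference is treated as a possibly stolen session ID:
            // the whole session (basket, login) is dropped, not just this request.
            unset($this->sessions[$sid]);
            return null;
        }
        return $this->sessions[$sid]['data'];
    }
}

// Constructed sample values.
$ua    = 'Mozilla/5.0 (X11; Linux x86_64; rv:4.0) Gecko/20100101 Firefox/4.0';
$store = new UaBoundSessions();
$sid   = $store->start($ua, ['basket' => ['article-1'], 'user' => 'demo']);

// 1. Same browser, unchanged header.
var_dump($store->resume($sid, $ua) !== null);
// 2. Same session ID, header extended by a tool (constructed suffix).
var_dump($store->resume($sid, $ua . ' FirePHP/0.5') !== null);
// 3. Original browser again, after the mismatch in step 2.
var_dump($store->resume($sid, $ua) !== null);
```

Because the mismatch destroys the stored session rather than only refusing the one request, step 3 fails as well, which is the lost basket and login the reporter describes.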