View Issue Details
ID | Project | Category | View Status | Date Submitted | Last Update |
---|---|---|---|---|---|
0006064 | OXID eShop (all versions) | 4.02. Session handling | public | 2015-03-03 10:53 | 2022-03-14 11:35 |
Reporter | gregor.hyneck | Assigned To | |||
Priority | low | Severity | minor | Reproducibility | random |
Status | closed | Resolution | no change required | ||
Product Version | 6.2.2 | ||||
Summary | 0006064: Login in subshop is also valid in the parent shop | ||||
Description | When a user logs in to the subshop, he is also logged in to the parent shop (when opening them both in two browser tabs). The sid cookies of both shops remain the same if you refresh the tabs alternately. They do not refresh their sid cookie because the variable actshop is written to $_SESSION before session_start() was called (e.g. in oxconfig::init()). The variables written to $_SESSION before session_start() are not reliable (sometimes they get deleted, sometimes not). | ||||
Steps To Reproduce | - create a subshop which inherits "settings, articles" from the parent shop (version EE 5.23) - check that confbools[blMallUsers] is set to unchecked in the parent shop mall tab - open 2 tabs in your browser (Firefox 36 or Chrome 40): one with the parent shop and one with the subshop (&shp=2) - create an account within the subshop and log in - reload the tab with the parent shop: the user from the subshop is logged in to the parent shop. The value of the sid cookie does not get refreshed for the parent subshop. | ||||
Additional Information | A bloody hotfix would be to save the variables of $_SESSION before session_start() and restore them afterwards. | ||||
Tags | EE | ||||
Attached Files | |||||
Theme | Azure | ||||
Browser | All | ||||
PHP Version | 5.3 | ||||
Database Version | Not defined | ||||
related to | 0003075 | resolved | Linas Kukulskis | Active subshop ID value is dropped from session, default shop id is set |
related to | 0007311 | confirmed | HR | User remains logged in when switching between subshops, although "Allow users from other stores" is disabled |
|
Hi, I found similar behaviour related to this issue. I worked with a clean shop installation of the 6.2 version (I used the b-6.2.x branch) without any modules installed. I created a sub-shop using the 'Shop inherits all inheritable items (products, discounts etc) from it's parent shop.' option, and as the parent shop I used 'OXID eShop 6 (1)'. I logged in to the frontend of shop 1 with the '[email protected]' user and password 'useruser'. Then in the same tab of the browser I opened shop 2 and checked my account area; I even finalized an order in it without any problems. Then I logged out from shop 2 and tried to log in again, and then I received the error message 'Wrong e-mail address or password!'. |
|
If two tabs are open - one with the main shop and one with the subshop - and a customer registers and logs in to the subshop and then updates the tab with the main shop, he is logged in with the user data from the subshop and can even place an order. If you log out and try to log in again in the main shop, this is not possible with this account, because the user only has an account in the subshop. Still reproducible in EE 6.2.1 -es- |
|
The session is nailed to a domain; if the subshop does not have a dedicated domain, the session is shared (this is how cookies work) and the described scenario occurs. If each subshop has a dedicated domain, everything works as expected. -> Therefore the entry will be closed. |
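
When shops have to share one domain, and therefore one session cookie, the login can be bound to the shop in which it was made and checked on every request. The PHP below is an added example, not OXID eShop code and not part of this ticket; the session keys, function names and sample user ID are hypothetical, and `$allowMallUsers` stands for the "Allow users from other stores" setting mentioned above.

```php
<?php
declare(strict_types=1);

// Added illustration, not OXID eShop code; every name below is hypothetical.

/** Store the login together with the shop in which it happened. */
function recordLogin(array &$session, string $userId, int $shopId): void
{
    $session['user_id'] = $userId;
    $session['login_shop_id'] = $shopId;
}

/**
 * Return the user id this request may act as, or null for "not logged in".
 * $allowMallUsers mirrors the "Allow users from other stores" setting.
 */
function userForShop(array $session, int $requestedShopId, bool $allowMallUsers): ?string
{
    if (!isset($session['user_id'], $session['login_shop_id'])) {
        return null; // no login recorded in this session
    }
    if ($allowMallUsers) {
        return $session['user_id']; // accounts are shared between shops by configuration
    }
    // Accounts are per shop: honour the login only in the shop where it was made.
    return $session['login_shop_id'] === $requestedShopId ? $session['user_id'] : null;
}

// Constructed walk-through of the report: both shops sit on one domain, so the
// browser sends the same sid cookie and both tabs load the same session data.
$session = []; // stands in for $_SESSION after session_start()
recordLogin($session, 'constructed-subshop-user', 2);

foreach ([2, 1] as $shopId) {
    $user = userForShop($session, $shopId, false);
    printf("shop %d: %s\n", $shopId, $user ?? 'not logged in');
}
```

The check leaves the session itself intact, so the subshop tab stays logged in while requests to the parent shop are treated as anonymous.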