View Issue Details

ID: 0006064
Project: OXID eShop (all versions)
Category: 4.02. Session handling
View Status: public
Last Update: 2022-03-14 11:35
Reporter: gregor.hyneck
Assigned To:
Priority: low
Severity: minor
Reproducibility: random
Status: closed
Resolution: no change required
Product Version: 6.2.2
Summary: 0006064: Login in subshop is also valid in the parent shop
Description: When a user logs in to the subshop, he is also logged in to the parent shop (when both are open in two browser tabs). The sid cookies of both shops remain the same if you refresh the tabs alternately. They do not refresh their sid cookie because the variable actshop is written to $_SESSION before session_start() was called (e.g. in oxconfig::init()). Variables written to $_SESSION before session_start() are not reliable (sometimes they get deleted, sometimes not).
Steps To Reproduce:
- create a subshop which inherits "settings, articles" from the parent shop (version EE 5.23)
- check that confbools[blMallUsers] is unchecked in the parent shop's mall tab
- open 2 tabs in your browser (Firefox 36 or Chrome 40): one with the parent shop and one with the subshop (&shp=2)
- create an account within the subshop and log in
- reload the tab with the parent shop: the user from the subshop is logged in to the parent shop. The value of the sid cookie is not refreshed for the parent shop.
Additional Information: A bloody hotfix would be to save the variables of $_SESSION before session_start() and restore them afterwards.
Tags: EE
Attached Files:
Theme: Azure
Browser: All
PHP Version: 5.3
Database Version: Not defined
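
The mechanism the description gives (the shop id is written to $_SESSION before session_start(), so a sid cookie shared by both shops is never refreshed) together with the hotfix suggested under Additional Information, as an added PHP example that is not OXID code; the session keys actshop, usr and auth, the handling of the shp parameter and the session-regeneration safeguard are assumptions:

```php
<?php
declare(strict_types=1);

// Added example, not OXID code. It implements the hotfix from the report
// (keep values written to $_SESSION before session_start(), restore them
// afterwards) and adds an assumed safeguard: if the stored session belongs
// to another shop, its login is dropped and a fresh sid is issued.
// The keys 'actshop', 'usr', 'auth' and the shp handling are assumptions.

/**
 * Starts the session without losing early $_SESSION writes. Returns true
 * when the stored session carried a different shop id than the request.
 */
function startShopSession(int $requestedShopId): bool
{
    // Values written before session_start() (the report names 'actshop').
    // session_start() reloads $_SESSION from the data stored for the sid
    // cookie, which is why such early writes are unreliable.
    $early = $_SESSION ?? [];

    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }

    $storedShopId = $_SESSION['actshop'] ?? null;
    $switched = $storedShopId !== null && $storedShopId !== $requestedShopId;

    if ($switched) {
        // Subshops on one domain share the sid cookie, so a session that was
        // started in the other shop must not carry its login over.
        unset($_SESSION['usr'], $_SESSION['auth']);
        session_regenerate_id(true);
    }

    // Restore the early values, then record the shop of this request.
    $_SESSION = array_merge($_SESSION, $early);
    $_SESSION['actshop'] = $requestedShopId;

    return $switched;
}

// The shp request parameter selects the subshop; shop 1 is the parent.
$shopId = (int) ($_GET['shp'] ?? 1);
$_SESSION['actshop'] = $shopId;          // the early write the report describes
$switched = startShopSession($shopId);
```

When the two shops run on dedicated domains, as the closing comment requires, the cookies are already separate and the shop-switch branch is never taken.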

Relationships

related to 0003075 (resolved, Linas Kukulskis): Active subshop ID value is dropped from session, default shop id is set
related to 0007311 (acknowledged, vilma_liorensaityte): User remains logged in when switching between subshops, although "Allow users from other stores" is disabled

Activities

lambreva

2020-06-02 11:51

reporter   ~0013248

Hi, I found similar behaviour related to this issue. I worked with clean shop installation of 6.2 version (I used b-6.2.x branch) without installed modules. I created a sub-shop using 'Shop inherits all inheritable items (products, discounts etc) from it's parent shop.' option and as parent shop I used 'OXID eShop 6 (1)'. I logged in the frontend of shop 1 with '[email protected]' user and password 'useruser'. Then in the same tab of the browser I opened shop 2 and checked my account area, I even finalized an order in it without any problems. Then I logged out from shop 2 and tried to log in again and then I received an error message 'Wrong e-mail address or password!'.
create-subshop.png (60,758 bytes)   

QA

2020-07-08 16:41

administrator   ~0013263

If two tabs are open - one with the main shop and one with the subshop and a customer registers and logs in to the subshop and then updates the tab with the main shop, he is logged in with the user data from the subshop and can even place an order.
If you log out and try to log in again in the main shop, this is not possible with this account, because the user only has an account in the subshop.

Still reproducible in EE 6.2.1

-es-

QA

2020-11-04 14:13

administrator   ~0013345

The session is nailed to a domain, if the subshop does not have a dedicated domain,
the session is shared (this is how cookies work) and the described scenario occurs.
If each subshop has a dedicated domain, everything works as expected.
-> Therefore the entry will be closed.