• Hello! The idea of multi cart is interesting!

    I was testing it out and realised that the “Select Cart” button has a URL of /cart/?cart_session_set={ID}. The ID now is a running number and if I load the URL in another browser, it loads the cart data with all the information.

    As it is a running number, it may be easy for anyone to keep on trying to load the saved cart of another user, which could contain their billing address, shipping address, etc.

    It would be better to use a unique hash to reference the cart data instead (e.g. /cart/?cart_session_set={unique-hash}) to prevent stealing of data via enumeration.
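
An added example, not part of the original post or the plugin's code: one way to apply the suggestion above in PHP, issuing a random token instead of a running number and also checking that the requester owns the cart. The class, its method names and the integer user ID used to identify the owner are assumptions.

```php
<?php
// Added example: in-memory stand-in for the plugin's saved-cart storage.
// Class, method and field names are hypothetical, not the plugin's API.
final class SavedCartStore
{
    /** @var array<string, array{owner: int, data: array}> keyed by SHA-256 of the token */
    private array $carts = [];

    /** Save a cart and return the token to place in ?cart_session_set=... */
    public function save(int $ownerId, array $cartData): string
    {
        // 128 bits from the CSPRNG: not derivable from any neighbouring cart.
        $token = bin2hex(random_bytes(16));
        // Store only a hash so a leaked table does not hand out working links.
        $this->carts[hash('sha256', $token)] = ['owner' => $ownerId, 'data' => $cartData];
        return $token;
    }

    /** Return the cart only if the token exists AND belongs to the requester. */
    public function load(string $token, int $requesterId): ?array
    {
        // Accept only the exact token shape; a running number such as "42" fails here.
        if (preg_match('/\A[0-9a-f]{32}\z/', $token) !== 1) {
            return null;
        }
        $row = $this->carts[hash('sha256', $token)] ?? null;
        // Ownership check: an unguessable token alone still works for anyone
        // who obtains the URL (browser history, referrer, shared link).
        if ($row === null || $row['owner'] !== $requesterId) {
            return null; // same answer for "missing" and "not yours"
        }
        return $row['data'];
    }
}

// Constructed sample data (assumed user IDs 7 and 8).
$store = new SavedCartStore();
$token = $store->save(7, ['items' => ['sku-1' => 2], 'shipping' => '1 Example St']);

var_dump($store->load($token, 7)); // the owner requesting their own cart
var_dump($store->load($token, 8)); // a different user holding the same URL
var_dump($store->load('42', 7));   // a running-number style ID
```

For guest carts, which have no user ID, the same check would compare against a value stored in the visitor's own session rather than an account ID.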

Viewing 1 replies (of 1 total)
  • Any update on this? I’m deciding between this plugin, which seems like a great start, or creating the functionality myself.

  • The topic ‘Potential privacy issue’ is closed to new replies.