You're kidding - right? I should think it would be your guys' job to ensure that we dumb consumers don't do anything to compromise our personal information. IOW, we expect YOU to deal with this issue, despite our tendency to "share links" in the incorrect manner.
Food for thought - and I'm interested to see how you guys will deal with this.
Exactly Andy. We share links to B&H, Amazon and countless other places, and I can't say I have ever had a problem like this elsewhere. It is frightening that my personal info is preserved in a cookie that can transfer to someone else's machine. A cookie on my machine with my info is acceptable, but persisting that on the server? Yikes!
All the information was stored in the URL? That's just crazy! If I were to order from Overnight Prints would my credit card information be stored in the URL too??? Give me a break. You guys are going to have to get serious about security if you plan on getting people's e-commerce business.
Y'all don't want to hear me, you just want to dance.
In order for this not to occur, all of you should clear your cookies and log onto www.overnightprints.com on your own without using a common link. This should clear it up.
Danny, thanks for responding. That's good.
But your answer? That's bad.
It's the old "the problem is on your end, not ours." I think you'll find that your customers disagree.
In Response
Because our website uses a cookie driven format, links shared with session IDs will cause this to happen. If you share a link with someone, please give them only www.overnightprints.com; this will not happen. There is no chance of credit card or PayPal information being transferred, as we do not save that information. Verisign handles the transaction. Many websites do use the cookie format, including many of our peers in the online printing industry. To my knowledge this does not occur at this time in any instance outside of the sharing of session IDs. For problems that occur with any of our printing, please contact our customer service phone line. We have recently streamlined and added more representatives. We also have a no risk guarantee. If there is a problem we will gladly refund or reprint.
That is a temporary band-aid only. The problem being described is not so much that customers are getting confusing screens, it's that it is possible for a malicious user to hack the session variable and be able to obtain info they don't have permission to access.
What you need to do is fix that vulnerability in the code. Trap it in code. I am not familiar enough with the coding needed to offer any detailed guidance, however, I did run across some sample code that may help you or your devs to a solution.
Download the latest phpBB forum software. Look in the common.php file at the first 100 lines to see how they are trapping for malicious session hacking. It might provide some clues to a solution for you.
You need to be in a position where clearing the cache is not necessary at all. You can't rely on the users to do the right thing, because the wrong thing will get done either through ignorance or maliciousness. Count on it.
Even if you don't store credit card info, the perception that your site is not secure is what will drive people. Don't give people a reason to think there is insecurity in your site.
Creator of Dgrin's "Last Photographer Standing" contest
"Failure is feedback. And feedback is the breakfast of champions." - fortune cookie
Because our website uses a cookie driven format, links shared with session IDs will cause this to happen. If you share a link with someone, please give them only www.overnightprints.com; this will not happen.
This is insane. Shame on you for not building a system smart enough to protect the public from unwittingly sharing their personal information.
Shame shame shame.
I can no longer recommend or endorse your company, sorry about that. I'm really sorry - and it's a shame, because I've used you for cards many times and recommended a zillion.
(Dragon, I need a new seal, "NOT endorsed by Andy" or some such)...
I must point out that the answer given here about cookies is FACTUALLY INCORRECT, bordering on lying.
Using a session ID in the URL has absolutely nothing to do with cookies in any scenario whatsoever. Cookies are stored on the local client computer and cannot be shared with other client computers without the server deliberately doing so.
What is happening here is that their system is allowing any computer to specify a session ID without any validation and is then setting that session's information on the client, irrespective of history. If they then encode the data into a cookie, that is both irrelevant as well as misleading.
The gentleman from the company who is claiming that it is a cookie issue either has no idea what he's talking about or is deliberately lying.
A simple check of session ID vs. IP address of the request would fix this problem. If their programmers can't add this simple check, much less realize that it should have been there from day one if they're using non-encoded session IDs on the URL, that should tell you all you need to know.
I'm not just a crappy photographer, I also do this stuff for a living
post a thumbs down photo or some such and I'll get you a web2.0 badge whipped up in a hurry...
I can understand where Cambler is coming from, however in this instance I was merely trying to resolve a problem that was occurring with the board members of dgrin. Cookies are an oversimplified version of it. Our system does not allow any computer to access any session ID without validation. We have a 20 character alphanumeric code to protect the information which would be extremely difficult to hack. We have software to protect from a brute force hack and prevent the customers' information from leaking. We are currently in the process of removing the session ID from the URL altogether which would end this issue to begin with. This was an instance of someone creating an account and sharing the open account with others.
In response to Andy, the system is designed to protect your information and that information will not be shared unless you specifically give your active session ID to another person, as happened in this bboard. Even if someone was to hack it, the chances of numerous people on this website seeing the exact same sample information would be astronomic. So we do protect the information from the public. And rest assured all credit card information is handled by Verisign and never even reaches our server. A credit card gateway is used.
Also I would like to add that my suggestion to clear your cookies was in no way intended to be a regular practice, simply a suggestion of a way to clear this open session that all of you seem to be sharing. After doing this one time, everyone will be on their own.
Clearing cookies on a client computer will have no effect on your server. The session ID is still valid and will still replicate information if it is re-used. Why you continue to say that this is a "cookie" issue, I don't understand, and only serves to give people a false sense of security that doing so will resolve the problem.
Is this where I mention my consulting rates? : (just kidding)
The bigger issue is that malicious users can exploit this weakness, not that joe sixpack will see someone else's info. My bet is that a malicious user could probably inject commands that could bring down the server, change data, or worse.
The responses so far have been downplaying the problem, which tells me they don't understand the implications of what could happen when a 13-year-old uber-hacker-looking-for-cred finds this open door oasis of potential mayhem.
Fix the problem. If the problem is already fixed (as possibly alluded to earlier) then show it, explain it, convince us. But don't offer the same non-technical excuses over and over, that just digs the hole deeper. There are a lot of web developers reading and responding on this thread.
In response to Andy, the system is designed to protect your information and that information will not be shared unless you specifically give your active session ID to another person, as happened in this bboard. Even if someone was to hack it, the chances of numerous people on this website seeing the exact same sample information would be astronomic. So we do protect the information from the public.
You don't protect the unwitting public, and there are a lot of them. It's bad practice, IMO. I'm sticking with thumbs down, I don't think you guys are getting it :nono
1. I didn't share a link or session. I arrived by google to your site. I never posted a link to your site. Mine is not the issue. Unless the same computer is being used, no "session sharing" should ever occur.
2. I emailed you twice and never received a response. Bad customer service. Extremely bad. I had a serious concern and it went ignored until now, which seems to be more damage control than actual customer service.
3. The proper, immediate response should have been to state an apology, guarantee that it would be corrected immediately, and actually fix it.
4. I'm still really irritated by this giving of an active session ID crap. Explain how exactly I'm going to do that other than giving someone a direct link to a page that I access while logged in. Guess what? I didn't and I can guarantee that probably 99% didn't either. Even so, it's your site's issue in that it should only matter if it's coming from the same PC.
If this was a common issue, all one has to do is have one's friend pay for a subscription website, log in, and then send a link of whatever page he's accessing while logged in to all his friends and they have free "shared access". This doesn't happen because the site is properly set up and maintained.
Also, cookies can be set to expire. Yahoo sets this to prevent people from accessing email on your PC. So much time passes or so much inactive time passes and the cookie expires and forces a new log on.
Your site is broken and you're using an excuse that isn't completely valid for all concerned. You're also arguing with past, present but I expect to be past customers and ensuring no future customers.
Thanks for reading up on these complaints. I can assure you that when I saw another person's information that it was not from a shared link.
I think that if you took the time to make adjustments on your end you would see an increase in business. This issue has been one of the only knocks against your business and it has been what prevents me from ordering with your company...
but for the group of people who are seeing the same screen, that is due to sharing of links. If each of you had gone to the site on your own you would not be able to see others information.
Overnight Danny
First I would like to say that we appreciate all of you bringing these issues to our attention. It is because we know that we are not perfect, and because we care, that we search for postings like these. We want to know what people think, so that we can provide the best service possible, whether it is in regards to our website, our products, our customer service, or anything else. As for Customer Service, we have more than tripled our staff and are responding to all calls and emails.
As is clear by now, I am not enlightened to all of the technical aspects of all of this. It is my job to find issues like these, and bring them to the attention of our developers and IT staff.
What was originally designed as a convenience feature, but could have been better thought out, became an issue that was brought to our attention by people like and including all of you. Session IDs retaining shipping information, so that returning customers did not have to enter it again, were indexed by google and yahoo, and so you are correct that you were able to access them in that way. Once we realized this, we changed the system so that the Session IDs no longer retain any information. We have also worked with google and yahoo to ensure that Session IDs are not indexed, and any that are currently indexed be removed.
We apologize to anyone whose shipping information may have been shared, and I guarantee that we are constantly working to completely fix this, as well as improve every aspect of our company.
Danny
Now, this is a much better answer
SessionIDs can perfectly retain any information you like, as long as the SessionID is not an encoding of the actual data (if so, decoding would be too simple and therefore insecure) and it should not be shared 'inside' a URL. Instead, it should be a key, a unique identifier into a database row, stored, preferably, inside a cookie.
This key/SessionID should be generated upon the user's login and serve as an authorization check.
This key/SessionID is then used to authorize subsequent page requests, and the user-id is used to look up the user's info and present his/her data (only if authorization was successful).
Additional security checks could be done as well (IP verification across one session, session time-outs, etc.)
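An added example (not Overnight Prints' code, nor phpBB's) that puts the two designs discussed in this thread side by side: the weak store trusts whatever session id arrives in the URL from any machine, while the other store does what the post above describes, an opaque random key issued at login, kept server-side, carried in a cookie, bound to the requesting address and expired after inactivity. The user records, IP addresses and the 15-minute timeout are constructed sample values.

```python
import secrets
import time

SESSION_TTL = 15 * 60  # idle seconds before a session expires (assumed value)

# Constructed sample "user database": what a session key should point at.
USERS = {
    "alice": {"shipping": "Alice A., 1 Example St, Springfield"},
    "bob": {"shipping": "Bob B., 2 Sample Ave, Shelbyville"},
}


class WeakSessionStore:
    """Models the flaw the thread describes: the session id travels in the URL,
    is sequential, and is honoured from any client with no binding or expiry."""

    def __init__(self):
        self.sessions = {}

    def login(self, user_id):
        sid = str(len(self.sessions) + 1)  # guessable: 1, 2, 3, ...
        self.sessions[sid] = user_id
        return sid

    def shipping_info(self, sid, client_ip):
        # client_ip is ignored: whoever has the link gets the owner's data
        user = self.sessions.get(sid)
        return USERS[user]["shipping"] if user else None


class SessionStore:
    """Opaque random key issued at login, kept server-side, bound to the client
    address and expired after SESSION_TTL seconds of inactivity."""

    def __init__(self, ttl=SESSION_TTL, clock=time.time):
        self._sessions = {}
        self._ttl = ttl
        self._clock = clock  # injectable so expiry can be exercised in tests

    def login(self, user_id, client_ip):
        sid = secrets.token_urlsafe(32)  # 256 random bits, encodes no user data
        self._sessions[sid] = {"user": user_id, "ip": client_ip,
                               "last_seen": self._clock()}
        return sid

    def authorize(self, sid, client_ip):
        """Return the user id for a valid session, or None. Any failed check
        revokes the key so a leaked id cannot be retried later."""
        s = self._sessions.get(sid)
        if s is None:
            return None
        now = self._clock()
        if now - s["last_seen"] > self._ttl or s["ip"] != client_ip:
            del self._sessions[sid]
            return None
        s["last_seen"] = now
        return s["user"]

    def shipping_info(self, sid, client_ip):
        user = self.authorize(sid, client_ip)
        return USERS[user]["shipping"] if user else None


def session_cookie_header(sid):
    """Carry the key in a cookie, not the URL: HttpOnly keeps page scripts away
    from it, Secure keeps it off plain HTTP, and it never ends up in a shared link."""
    return f"Set-Cookie: sid={sid}; Path=/; HttpOnly; Secure; SameSite=Lax"


def demo():
    weak = WeakSessionStore()
    link_sid = weak.login("alice")                        # alice's URL link
    leaked = weak.shipping_info(link_sid, "203.0.113.9")  # bob follows the link
    guessed = weak.shipping_info("1", "203.0.113.9")      # or simply guesses it

    clock = [1_000_000.0]
    good = SessionStore(clock=lambda: clock[0])
    sid = good.login("alice", "198.51.100.7")
    own = good.shipping_info(sid, "198.51.100.7")         # alice herself: ok
    other = good.shipping_info(sid, "203.0.113.9")        # another machine: no
    after = good.shipping_info(sid, "198.51.100.7")       # key was revoked
    sid2 = good.login("alice", "198.51.100.7")
    clock[0] += SESSION_TTL + 1
    stale = good.shipping_info(sid2, "198.51.100.7")      # idle too long: no
    return {"leaked": leaked, "guessed": guessed, "own": own,
            "other": other, "revoked": after, "stale": stale}
```

Binding a session to the client address, as suggested above, will also log out legitimate users whose address changes mid-session (mobile networks, some proxies), so production designs usually treat it as one signal alongside the timeout and a fresh key on login rather than the only check.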
Onya!
Thanks for taking this seriously and having the courage to come back and admit that there was a mistake. That has just earned my business...
BTW, you should stick around here...
Thanks again...
Lee