Volusion Security Issue “Not Me”

While working on a customer’s Volusion site, I needed to log in as a test customer who was set at one Discount_Price_Level, then log out, and see if the same code worked for customers who were not logged in.

Since the code I was testing displayed prices to customers based on their level, it should have displayed and calculated orders using retail prices only for anyone who wasn't logged in, and the same code should have displayed a discounted price to logged-in users who had a discount price level set.

There was a problem. After being logged in as a user with a discount price level set,  I logged out using the link at the bottom of the My Account page labeled:

I’m done managing my account, log me out.

…but this doesn't completely log the user out. Clicking the link tells you you're logged out, but if the store has enabled the config setting:

Config_HomePage_EnableWelcomeText

and you return to the home page, you'll see a message like:

Welcome John Smith, (If you’re not John Smith, click here.)

At first I thought it was solely a cookie issue, that the Volusion software should be deleting the cookie when I logged out, and that maybe my browser just needed to be refreshed. Nope. It didn't matter. It appears the basic logout does not fully destroy the session, and that Volusion cookies are tied to some server-side .ASP session data; in effect, your Volusion store will remember a customer and welcome them back. (This can be useful if you have frequent return customers.)
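One way to confirm that finding rather than eyeballing the home page, as an added example that is not part of the original post: replay a logged-in browser's cookies against the logout URL and then against the home page, and see whether the welcome banner still names the customer. If the server had really destroyed the session, the old cookie would no longer be honoured no matter what the browser did with it. The script assumes the store's base URL and the Cookie header of a logged-in session are passed on the command line, that Config_HomePage_EnableWelcomeText is on so the banner appears, and that the My Account link calls /login.asp?logout=yes; cookie names and login form fields are not assumed.

```javascript
// Added example (not the post's code): does a Volusion logout end the
// server-side session? Assumptions: argv[2] is the store's base URL,
// argv[3] is the Cookie header copied from a logged-in browser session,
// and the welcome banner (Config_HomePage_EnableWelcomeText) is enabled.
//
// Usage: node check_logout.js https://www.example.com 'name=value; name2=value2'

// Extract the customer name from the home-page welcome banner, e.g.
// "Welcome John Smith, (If you're not John Smith, click here.)".
// Returns the name, or null when no banner is present (i.e. logged out).
function welcomedName(html) {
  const text = html.replace(/<[^>]+>/g, ' ').replace(/\s+/g, ' ');
  const m = /Welcome\s+(.+?),\s*\(If you(?:'|’|&#39;|&rsquo;)re not\s+\1,/i.exec(text);
  return m ? m[1].trim() : null;
}

// Fetch a page while replaying the captured cookies; returns the body text.
async function fetchWithCookies(url, cookieHeader) {
  const res = await fetch(url, { headers: { Cookie: cookieHeader }, redirect: 'follow' });
  return res.text();
}

// Hit one logout variant, then the home page with the SAME old cookies.
// Returns the name the store still greets, or null if it no longer knows us.
async function logoutStillWelcomes(baseUrl, cookieHeader, logoutValue) {
  await fetchWithCookies(`${baseUrl}/login.asp?logout=${logoutValue}`, cookieHeader);
  const home = await fetchWithCookies(`${baseUrl}/`, cookieHeader);
  return welcomedName(home);
}

// Try the plain logout first; if it really destroyed the session, the
// "notme" run will (correctly) also report no banner.
async function main() {
  const [baseUrl, cookieHeader] = process.argv.slice(2);
  for (const variant of ['yes', 'notme']) {
    const name = await logoutStillWelcomes(baseUrl.replace(/\/$/, ''), cookieHeader, variant);
    console.log(`logout=${variant}: ` + (name
      ? `still welcomes ${name} (session NOT destroyed)`
      : 'no welcome banner (logged out)'));
  }
}

// Only run when a URL and cookies were supplied, so the helpers can be reused.
if (process.argv[2] && process.argv[3]) {
  main().catch((e) => { console.error(e); process.exit(1); });
}
```

Run it once before and once after applying the template patch below; the expected outcome is that logout=yes still reports a name while logout=notme does not.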

But imagine a kiosk or terminal in a retail store that allows shoppers to look up products on the store's online Volusion ecommerce website. (Sears, Best Buy and many other retailers now have public internet-capable terminals that shoppers use in-store; there is no reason a Volusion store owner could not do the same thing to let customers compare models, get extended information, or order items that are not in stock at the location they are in.)

Another situation could be a PC setup at a trade-show so people can browse the vendor’s online (Volusion) store, and maybe place orders directly from the trade-show booth.

In either case, it’s very likely that the next person to use the computer, (terminal, kiosk, etc), to access the Volusion store will not be “John Smith“.

If John Smith was an employee, a dealer or someone who had a wholesale or other type of discount price level set,  the next person to use the computer would see the discount prices that should only be displayed to “John Smith“.

So I called Volusion. I don't know if they'll fix it, or where else there are logout links within a store that don't fully destroy the user's session (the one in the top right of the Admin screen doesn't either). So I figured the "click here" link in the welcome message at the top of the home page was a clue: it knew my name, and gave the option to do something "if I wasn't me"...

Welcome Randy Harris, (If you’re not Randy Harris, click here.)

The "click here" link also calls /login.asp, but with the query string logout=notme, which appears to log the customer out more fully:

https://www.example.com/login.asp?logout=notme

So now the trick was to get the link on the MyAccount.asp page to also issue the "notme" logout command. Since this page is not editable in Volusion v.5 (it's part of Volusion's generated virtualized code), I used some JavaScript DOM manipulation to replace the logout link's URL with the "notme" query value.

Copy, paste, and edit the code, (below), to reference your store’s domain.

The code should be placed just before the closing </body> tag in your Volusion template which will patch the problem until Volusion fixes it.

<!-- START: JS to fix logout -->
<script type="text/javascript">
// Only run on the My Account page, where the "log me out" link lives
if(location.href.indexOf('MyAccount.asp') != -1) {
  var links=document.getElementsByTagName('a');
  for (var i=0;i<links.length;i++){
    // links[i].href is the resolved absolute URL, so both the http and
    // https forms of your store's logout link have to be matched
    if(links[i].href == 'http://www.example.com/login.asp?logout=yes') {
      links[i].href = 'http://www.example.com/login.asp?logout=notme';
    }
    if(links[i].href == 'https://www.example.com/login.asp?logout=yes') {
      links[i].href = 'https://www.example.com/login.asp?logout=notme';
    }
  }
}
</script>
<!-- END: JS to fix logout -->

Note: if you locate other logout links in your store's design, check to be sure they use the "logout=notme" query string; otherwise, you can duplicate lines from the code above and modify them to match the other pages and links within your site.
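Rather than duplicating lines per page and per protocol, the same patch can be written once in a domain-independent form. The following is an added example, not the post's own code: it parses each anchor's href, matches any link whose path is /login.asp with logout=yes (http or https, absolute or relative, on whatever page the template includes it), and rewrites it to logout=notme. The store URL used in the comments and test is a placeholder; nothing about the store's domain is hard-coded.

```javascript
// Added example (not the post's code): domain-independent version of the
// logout patch. Place before </body> in the template, as with the original.

// Return the rewritten href for a "logout=yes" link, or null when the link
// is not a Volusion logout link and should be left alone.
function notMeHref(href, base) {
  let url;
  try {
    url = new URL(href, base);          // resolves relative hrefs against the page
  } catch (e) {
    return null;                        // malformed href: leave it untouched
  }
  // IIS paths are case-insensitive, so match /login.asp in any case
  if (!/\/login\.asp$/i.test(url.pathname)) return null;
  const q = url.searchParams;
  if ((q.get('logout') || '').toLowerCase() !== 'yes') return null;
  q.set('logout', 'notme');
  return url.toString();
}

// Walk every anchor in the document and patch the matching ones.
// Returns how many links were rewritten so you can confirm it fired
// (e.g. from the browser console: patchLogoutLinks(document)).
function patchLogoutLinks(doc) {
  let patched = 0;
  const anchors = doc.getElementsByTagName('a');
  for (let i = 0; i < anchors.length; i++) {
    const fixed = notMeHref(anchors[i].getAttribute('href') || '', doc.baseURI);
    if (fixed) {
      anchors[i].href = fixed;
      patched++;
    }
  }
  return patched;
}

// In the browser, run on load; the guard lets the helpers be tested in Node.
if (typeof document !== 'undefined') {
  patchLogoutLinks(document);
}
```

Because it keys on the path and query rather than a literal URL, a store that later moves to https-only, or that has logout links on pages other than MyAccount.asp, needs no further edits; links that already say logout=notme are left as they are.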

This fix is needed if there is any chance that multiple customers of your online store may use the same computer (kiosk, public access terminal, etc.), and you use Discount Price Levels, Special Areas, etc., and don't want to risk making private information public.

Posted in eCommerce, Volusion