Item Added to Cart is in All Users' Carts

I login; it doesn't matter which user I use to login.
I add an item to the cart.
I navigate to the cart and see the item in the cart (seems fine so far).
Then I logout that user and login as another user.
I navigate to the cart and it has the same item I added under another user. It shouldn't have any items in it.

Any idea of what might cause this? I'm just using the built in Shopping Cart and Product Listing widgets.

Hi Casey,

Yes there is a known issue logging in with one user, adding products to your shopping cart and then logging out and logging in with another user. The products associated with the original user will still be in the shopping cart.

The shopping cart is stored as a cookie on the machine and is not associated with the user id of the person who is logged in at the moment. So if two people are sharing a machine, both of them will be able to see the products in the shopping cart. This shouldn't cause an issue with the checkout because each user would have to enter in their own credit card information in order to checkout.

Currently the workaround for this would be for the user who doesn't want those products in their cart to delete the unwanted products out of their cart and proceed.

We will be looking address this issue in a future release. My apologies for any inconvenience this causes you.

Greetings,
Grace Hallwachs
the Telerik team

Wow.  How could something this basic have made it through QC for 2 releases?  This can't inspire much confidence about security for the shopper.  As a shopper using a site with this type of bug I'd wonder what other information about my shopping session is being leaked to other shoppers using the same machine.  Not good.

When can we expect this to be fixed?  "A future release" really isn't an acceptable answer.

Steve

Hey Steve,

It didn't make it through QC for 2 releases, it was flagged just not fixed. I've tested and rechecked CC information etc myself. Everything is stored secure in the db for the order process, it's just the shoppingcart 'guid' that is a cookie.

Most ecommerce systems use a cookie to store a shoppingcart id, so in case of browser closing you can resume shopping on the next time you browse to the site. Most of the time 'as users' we just don't notice this, but now as developers we are suddenly aware of this. 

Yes there are other/better ways to store a guid to retrieve a browser session and I'm sure they'll get it fixed. It's in no way a security issue, because for 'ordering' (instead of shoppingcart) you need to be logged in (username/password) and anonymous checkouts don't store this kind of information.

Jochem.

Hello Steve,

User based shopping carts will be a feature that we implement towards the end of this year. Also there is no security threat or issue with cookie based shopping carts as cookies are tracking the products in the shopping cart and not tracking any kind credit card information.

I have submitted a feature request on your behalf. You can follow its progress in PITS and vote for its popularity. Based on the popularity among the community we may raise the priority of this task. 

Regards,
Grace Hallwachs
the Telerik team

This is more than just a minor inconvenience. In IE9 this ends up causing a loop.

1. Click on Item in Product List page - transfers you ro ProductDetails page.
2. Product Details Page already has items in it from previous session
3. Add an item to the cart on Product Details Page. I have a Mini-Cart on the page, the new Product Item shows up in the minicart.
4. Click on Link for ShoppingCart page - IE goes crazy, flashing on and off as it cycles through some loop to fast to even finish loading the page.
5. If you click Checkout page instead it says "Nothing in the Cart"

This has killed IE for testing purposes.

How do I clear the OLD SESSION CART STUFF out of the browser?

@Rick,

Sounds like you're having multiple issues at once.

First, by the sound of it, you've not turned caching off on the shoppingcart/product detail/checkout pages. According to the documentation you should, and that's why you're seeing the mixed up cart/checkout information.
(Page Overview >> Title & Properties >> Advanced options >> set to "No Caching")

IE(9) here on Sitefinity v4.4 doesn't go crazy or ends in a loop. Not even when I set the catalog page to itself. So as a blonde and blunt suggestion, have you tried creating a blank page (no theme/no masterpage widgets) and toss a shoppingcart widget on there with a default template to verify it's not a custom issue?

That the checkout says you've got nothing in your cart is also due to the caching issue mentioned before.

Jochem, thanks for the suggestions. I hadn't set all the Ecommerce pages to No Cache (though that didn't seem to create any problems using the store in FF, Safari or Chrome). It may be just that I had abandoned a cart in IE that was still present and I did not have an abandoned cart in any of the other browsers.

I added an empty page with a Cart on it. In opening that test page in IE it was immediately populated with the previous abandoned items. I was able to remove the items but when I went back in and added an item in IE the loop took over again so the cart was being refilled with something in the IE cache. I had to completely clear the IE cache and temp files to stop this from happening. That fixed it and everything is working OK in IE now. Thanks.

Side Note: This might be a cultural phrase choice, but I have blonde hair so I'd rather not see blonde remarks on a Tech Support site. Thanks.

@Rick

Apologies for offending you, being a 'blonde' myself I always used it as a 'humoristic phrase' without trying to or meaning to offend someone. Its just my way of saying 'I'm not a senior developer, but have you tried this...' but I will refrain from using it in the future.

Jochem.

Hello Rick,

Please let us know if your issue has been resolved or if you need anymore assistance.

Kind regards,
Grace Hallwachs
the Telerik team

Thanks Grace and Jochem, that takes care of everything.