Lloyd Hazlett

Monday 12 Jul



Big Brown Box wins inaugural ORIA

Our congratulations to everyone at Big Brown Box, who were the winners of the inaugural Best Site Design award last week at the Online Retailer Industry Awards 2010. The awards were extremely competitive and drawn from over 170 nominated online businesses around Australia; the Best Site Design category in particular boasted some of the most innovative online retailers in the Australian market.

Sunday 21 Mar



Magento Session Fixation Workaround

Earlier versions of Magento were susceptible to a form of session fixation, which can have quite serious consequences even when no one is trying to exploit it maliciously. A visitor may unwittingly follow a link to a Magento site and be logged in as another user without performing any action. Multiple visitors then share one session, which causes confusion as they add and remove things from the same cart, and can even allow them to view another customer's details and place orders under that customer's account. Luckily, the issue has a simple fix in version 1.4 and later, but in this post we'll also detail a precaution that can be taken to guard against it in earlier versions.

Monday 5 Oct



Magento Connect 2.0 developer survey

The Magento Connect system is a vital part of the Magento ecosystem and has had a lot of success since it launched a bit more than a year ago. As always, there is room for improvement and hence we were very glad to see Varien provide the community with an opportunity to participate in the future direction of the system by running two surveys, one for extension users, and one for extension developers. At the time of writing, we have fourteen community extensions and one commercial application listed on Connect, and the evolution of this service is something we have quite a few thoughts on. We completed the survey and thought we'd share our ideas on how 2.0 can take Connect to even greater heights. Read on for our suggestions from a developer perspective.