Earlier versions of Magento were susceptible to a form of session fixation vulnerability, which can have quite serious consequences even without anyone trying to exploit it maliciously. Visitors may unwittingly follow a link to a Magento site and find themselves logged in as another user without performing any action. This results in multiple visitors sharing a session and causes confusion as they add and remove items from the same cart; it potentially even allows them to view another customer's details and place orders under that customer's account. Luckily the issue has a simple fix in version 1.4 and later, but in this post we'll also detail a precaution that can be taken to guard against it in earlier versions.
Custom Magento error page
Sometimes the unthinkable happens and an error occurs in your Magento system, bringing everything grinding to a halt. Magento handles this by displaying a styled error page, which is better looking than a white page full of error text. However, the default error page still doesn't look very professional, and it potentially discloses information that could be abused by a malicious user. This post details a method for using a custom error page and outlines some of the benefits of doing so.