Developer forum

Security issue: Every user can see my order details

Jose Caudevilla

Hello:

On my website I send a complete order mail when users complete an order.

This mail contains a button link to the resume order page.

The link format is like this:

/cart?CompletedOrderId=ORDER1333&CompletedOrderSecret=xxxxxxxxxxxxxx

If another person gets this link, he can see my order and user info.

How can I configure my cart app to not allow external users to see my order info?

Kind regards,

Jose


Replies

Morten Bengtson Dynamicweb Employee

Hi Jose,

Are you concerned that someone else is reading your emails or that someone might guess the order secret?

Anyway. You can't disable that feature on the shopping cart.

Here are some options...

A) You can change the email template to not include that link.
If the customers have a user account, then you can replace the link with a link to a page with the customer center app, where orders can be displayed after logging in.

B) You can change the template used on the order confirmation page to not include any sensitive/personal information.

Let us know if you have any suggestions for improving the security.

Best regards,
Morten