Vulnerability in EPiServer.Forms
Hello Opti folks,
I am trying to troubleshoot an issue related to commerce carts getting randomly wiped out.
We currently allow guest checkout. The users add items to the cart, and we use the CustomerContext Contact ID to load or create the cart, which then gets saved to the database. I know that for anonymous users it uses the ".ASPXANONYMOUS" cookie to set the context, which has a 60-day expiry. However, sometimes the cookie gets refreshed randomly and the user's cart gets wiped out (a new cart is returned). Has anyone else experienced this issue, and if so, what's the best practice?
<anonymousIdentification enabled="true" />
var cart = _orderRepository.LoadOrCreateCart<ICart>(CustomerContext.Current.CurrentContactId, OrderNames.Default);
Do you have any clue if the problem is that the cookie is removed by the client or if the client is given a new cookie by the server?
Anyway, please verify that it's not a machine key issue as I wrote about in the other thread: https://world.optimizely.com/forum/developer-forum/Commerce/Thread-Container/2019/1/if-user-is-logged-in-via-azure-the-_customercontext-currentcontactid-changes-constantly-for-user--why-is-that/#276855
A new cookie is given by the server. You may be right about the machine key, but we have seen instances where the user is active in a session and sometime during their active session their cart is emptied (due to a new ASPXANONYMOUS cookie, though the expiry date is 69 days). I know the cookie refreshes halfway through the timeout period by default, but I don't think that's the case.
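The reply above asks whether the client is dropping the cookie or the server is issuing a new one, and raises the machine key as a candidate cause. The diagnostic module below is an added example, not code from this thread or from Optimizely/EPiServer, that separates those two cases on the server: ASP.NET raises the static AnonymousIdentificationModule.Creating event every time it is about to mint a new anonymous ID, and if the request already carried the .ASPXANONYMOUS cookie at that moment, the server rejected the cookie (failed decryption/validation under the machineKey, or the ticket's embedded expiry had passed) rather than the browser having lost it. The class name AnonymousIdDiagnosticsModule and the use of System.Diagnostics.Trace as the log sink are assumptions; the cookie name assumes the default cookieName in <anonymousIdentification>.

```csharp
using System;
using System.Diagnostics;
using System.Threading;
using System.Web;
using System.Web.Security;

// Added diagnostic module (hypothetical; not part of Optimizely/EPiServer or this thread).
// Registers for AnonymousIdentificationModule.Creating and logs whether the request that
// triggered a new anonymous ID already carried the anonymous cookie. Register it under
// <system.webServer><modules> in web.config, then watch the trace output while a user
// whose cart disappears is active.
public class AnonymousIdDiagnosticsModule : IHttpModule
{
    // Default from <anonymousIdentification cookieName="..."/>; change if overridden.
    private const string AnonymousCookieName = ".ASPXANONYMOUS";

    // Creating is a static event; Init runs once per HttpApplication instance, so guard
    // against subscribing several times and logging every event repeatedly.
    private static int _subscribed;

    public void Init(HttpApplication app)
    {
        if (Interlocked.Exchange(ref _subscribed, 1) == 0)
        {
            AnonymousIdentificationModule.Creating += OnAnonymousIdCreating;
        }

        // After the anonymous-ID stage has run, Request.AnonymousID is the value the
        // CustomerContext / LoadOrCreateCart lookup will see for this request.
        app.PostAuthenticateRequest += (sender, args) =>
            Trace.TraceInformation("AnonymousID in effect: {0} for {1}",
                app.Context.Request.AnonymousID,
                app.Context.Request.Url.PathAndQuery);
    }

    private static void OnAnonymousIdCreating(object sender, AnonymousIdentificationEventArgs e)
    {
        HttpRequest request = e.Context.Request;
        HttpCookie incoming = request.Cookies[AnonymousCookieName];

        if (incoming != null)
        {
            // The browser sent a cookie, yet ASP.NET is replacing it. Usual causes:
            //  - the ticket failed decryption/validation: cookieProtection="All" (the default)
            //    uses the machineKey, so AutoGenerate keys that differ between farm nodes, or
            //    regenerate on an app-pool recycle, reject cookies issued by another node;
            //  - the expiry stored inside the encrypted ticket has passed.
            Trace.TraceWarning(
                "Anonymous cookie present ({0} chars) but rejected; new ID {1} issued. " +
                "Path={2} Secure={3} UA={4}",
                incoming.Value == null ? 0 : incoming.Value.Length,
                e.AnonymousID,
                request.Url.PathAndQuery,
                request.IsSecureConnection,
                request.UserAgent);
        }
        else
        {
            // No cookie arrived at all: a first-time visitor, the client dropped or blocked it,
            // or the cookie was issued with the Secure flag (cookieRequireSSL="true") and this
            // request came over plain HTTP, so the browser did not send it.
            Trace.TraceInformation(
                "No anonymous cookie on request; new ID {0} issued. Path={1} Secure={2}",
                e.AnonymousID,
                request.Url.PathAndQuery,
                request.IsSecureConnection);
        }
    }

    public void Dispose()
    {
        // The static subscription is intentionally kept for the life of the AppDomain.
    }
}
```

If the warning branch fires for an active user, compare <machineKey> across every server that serves the site: validationKey and decryptionKey must be set explicitly and identically on all nodes rather than left as AutoGenerate, otherwise a request that lands on a different node (or on a recycled app pool) cannot validate the cookie and gets a fresh anonymous ID, and with it a fresh cart. If the information branch fires instead, look at the Secure flag and domain of the issued cookie against the scheme and host the request actually used.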