Major Bug in create order in "order" application

> Hi,
>
> I recently discovered there was a major bug in the create order in the
> 'Order' application. To reproduce the buy, please do as following:
>
> Login to the admin side and select 2 different party in the 'party'
> application in 2 different browser windows and proceed to create a order
> for, say party A, in window A. Now when you are in the last screen to
> confirm/create order, just stop there and do not press the submit button.
>
> Now, in window 2, for party B, proceed just aas above and stop in the last
> page before submitting the order.
>
> Now, select the window 1 and press the submit order button for party A.
>
> This should have create a order for party A, with the items contained in
> shopping cart of party A, but you will probably see that the shipping
> address associate with the order is that of party B.
>
> In substance, if one tries to create orders simultaneoulsy in the 'order'
> application, ofbiz may throw un-expected results. And this is not just a
> bug, but a huge security issue too.
>
> Please do let me know if it happens for others too, in which case i will
> open a JIRA issue for the same.
>
> Thanks,
>
> Rohit
>
>  

> I tried this steps and found the same behavior.I think this is a
> bug.Please correct if we are wrong some where.
>
> Divesh
>> Hi,
>>
>> I recently discovered there was a major bug in the create order in the
>> 'Order' application. To reproduce the buy, please do as following:
>>
>> Login to the admin side and select 2 different party in the 'party'
>> application in 2 different browser windows and proceed to create a order
>> for, say party A, in window A. Now when you are in the last screen to
>> confirm/create order, just stop there and do not press the submit
>> button.
>>
>> Now, in window 2, for party B, proceed just aas above and stop in the
>> last
>> page before submitting the order.
>>
>> Now, select the window 1 and press the submit order button for party A.
>>
>> This should have create a order for party A, with the items contained in
>> shopping cart of party A, but you will probably see that the shipping
>> address associate with the order is that of party B.
>>
>> In substance, if one tries to create orders simultaneoulsy in the
>> 'order'
>> application, ofbiz may throw un-expected results. And this is not just a
>> bug, but a huge security issue too.
>>
>> Please do let me know if it happens for others too, in which case i will
>> open a JIRA issue for the same.
>>
>> Thanks,
>>
>> Rohit
>>
>>  
>

> Guys ,  i  followed  the  steps  to trace  the  behavior. To be more  
> precise  i  took these steps :
> 1. Used  two  different  browser  windows.
> 2. Used two different parties and simultaniously moved forward to  
> create order.
> Result :
> Only one order gets created ( the first one ) and the second browser  
> gives the error message. According to me there is nothing unexpected  
> in this , it will be great for me if you can elaborate the behavior  
> noticed by you.
>
> Regards
> - -
> Deepesh
>
> Divesh Dutta wrote:
>> I tried this steps and found the same behavior.I think this is a  
>> bug.Please correct if we are wrong some where.
>>
>> Divesh
>>> Hi,
>>>
>>> I recently discovered there was a major bug in the create order in  
>>> the
>>> 'Order' application. To reproduce the buy, please do as following:
>>>
>>> Login to the admin side and select 2 different party in the 'party'
>>> application in 2 different browser windows and proceed to create a  
>>> order
>>> for, say party A, in window A. Now when you are in the last screen  
>>> to
>>> confirm/create order, just stop there and do not press the submit  
>>> button.
>>>
>>> Now, in window 2, for party B, proceed just aas above and stop in  
>>> the last
>>> page before submitting the order.
>>>
>>> Now, select the window 1 and press the submit order button for  
>>> party A.
>>>
>>> This should have create a order for party A, with the items  
>>> contained in
>>> shopping cart of party A, but you will probably see that the  
>>> shipping
>>> address associate with the order is that of party B.
>>>
>>> In substance, if one tries to create orders simultaneoulsy in the  
>>> 'order'
>>> application, ofbiz may throw un-expected results. And this is not  
>>> just a
>>> bug, but a huge security issue too.
>>>
>>> Please do let me know if it happens for others too, in which case  
>>> i will
>>> open a JIRA issue for the same.
>>>
>>> Thanks,
>>>
>>> Rohit
>>>
>>>
>>
>

> Deepesh,
> Can you confirm that you used
> 1) Two different browsers like firefox and IE
> 2) Check URL if sessionId of two windows was same.
>
> In case if sessionid of both windows is same then consider this as  
> normal behavior. This issues is resolved by some frameworks by  
> introducing conversation scope.
>
> Regards
> Anil Patel
>
>
> On Feb 9, 2009, at 8:05 AM, Deepesh Kapoor wrote:
>
>> Guys ,  i  followed  the  steps  to trace  the  behavior. To be  
>> more precise  i  took these steps :
>> 1. Used  two  different  browser  windows.
>> 2. Used two different parties and simultaniously moved forward to  
>> create order.
>> Result :
>> Only one order gets created ( the first one ) and the second  
>> browser gives the error message. According to me there is nothing  
>> unexpected in this , it will be great for me if you can elaborate  
>> the behavior noticed by you.
>>
>> Regards
>> - -
>> Deepesh
>>
>> Divesh Dutta wrote:
>>> I tried this steps and found the same behavior.I think this is a  
>>> bug.Please correct if we are wrong some where.
>>>
>>> Divesh
>>>> Hi,
>>>>
>>>> I recently discovered there was a major bug in the create order  
>>>> in the
>>>> 'Order' application. To reproduce the buy, please do as following:
>>>>
>>>> Login to the admin side and select 2 different party in the 'party'
>>>> application in 2 different browser windows and proceed to create  
>>>> a order
>>>> for, say party A, in window A. Now when you are in the last  
>>>> screen to
>>>> confirm/create order, just stop there and do not press the submit  
>>>> button.
>>>>
>>>> Now, in window 2, for party B, proceed just aas above and stop in  
>>>> the last
>>>> page before submitting the order.
>>>>
>>>> Now, select the window 1 and press the submit order button for  
>>>> party A.
>>>>
>>>> This should have create a order for party A, with the items  
>>>> contained in
>>>> shopping cart of party A, but you will probably see that the  
>>>> shipping
>>>> address associate with the order is that of party B.
>>>>
>>>> In substance, if one tries to create orders simultaneoulsy in the  
>>>> 'order'
>>>> application, ofbiz may throw un-expected results. And this is not  
>>>> just a
>>>> bug, but a huge security issue too.
>>>>
>>>> Please do let me know if it happens for others too, in which case  
>>>> i will
>>>> open a JIRA issue for the same.
>>>>
>>>> Thanks,
>>>>
>>>> Rohit
>>>>
>>>>
>>>
>>
>

> In short, this isn't a bug, it sounds like its an expectation of a  feature that is not implemented yet.
>
> If someone wants to work on this it would be cool, and has certainly  been discussed many times. The easiest way would be to have
> a List of  carts in the session and a screen to change which one is the "active"  cart, and to create a new/empty active cart.
>
> -David
>
>
> On Feb 9, 2009, at 9:10 AM, Anil Patel wrote:
>
>> Deepesh,
>> Can you confirm that you used
>> 1) Two different browsers like firefox and IE
>> 2) Check URL if sessionId of two windows was same.
>>
>> In case if sessionid of both windows is same then consider this as  normal behavior. This issues is resolved by some frameworks
>> by  introducing conversation scope.
>>
>> Regards
>> Anil Patel
>>
>>
>> On Feb 9, 2009, at 8:05 AM, Deepesh Kapoor wrote:
>>
>>> Guys ,  i  followed  the  steps  to trace  the  behavior. To be  more precise  i  took these steps :
>>> 1. Used  two  different  browser  windows.
>>> 2. Used two different parties and simultaniously moved forward to  create order.
>>> Result :
>>> Only one order gets created ( the first one ) and the second  browser gives the error message. According to me there is nothing
>>> unexpected in this , it will be great for me if you can elaborate  the behavior noticed by you.
>>>
>>> Regards
>>> - -
>>> Deepesh
>>>
>>> Divesh Dutta wrote:
>>>> I tried this steps and found the same behavior.I think this is a  bug.Please correct if we are wrong some where.
>>>>
>>>> Divesh
>>>>> Hi,
>>>>>
>>>>> I recently discovered there was a major bug in the create order  in the
>>>>> 'Order' application. To reproduce the buy, please do as following:
>>>>>
>>>>> Login to the admin side and select 2 different party in the 'party'
>>>>> application in 2 different browser windows and proceed to create  a order
>>>>> for, say party A, in window A. Now when you are in the last  screen to
>>>>> confirm/create order, just stop there and do not press the submit  button.
>>>>>
>>>>> Now, in window 2, for party B, proceed just aas above and stop in  the last
>>>>> page before submitting the order.
>>>>>
>>>>> Now, select the window 1 and press the submit order button for  party A.
>>>>>
>>>>> This should have create a order for party A, with the items  contained in
>>>>> shopping cart of party A, but you will probably see that the  shipping
>>>>> address associate with the order is that of party B.
>>>>>
>>>>> In substance, if one tries to create orders simultaneoulsy in the  'order'
>>>>> application, ofbiz may throw un-expected results. And this is not  just a
>>>>> bug, but a huge security issue too.
>>>>>
>>>>> Please do let me know if it happens for others too, in which case  i will
>>>>> open a JIRA issue for the same.
>>>>>
>>>>> Thanks,
>>>>>
>>>>> Rohit
>>>>>
>>>>>
>>>>
>>>
>>
>

> From: "David E Jones" <[hidden email]>
>> Notice that there is no way to see a list of orders being worked on  
>> or  switch between them. What you are imagining should work, ie  
>> different  orders in different windows, would only be the case (as  
>> Anil  mentioned) if those different windows used different  
>> sessions... which  they don't. To get a different session you must  
>> have a different user,  a different browser, or find some place in  
>> the applications where the  jsessionid is lost from one page to  
>> another (which WOULD be a bug).
>
> This is something special to Firefox. With Chrome you don't have  
> this "issue", any tabs is a session. Actually I'm still using FF3  
> since there is so much more with plugins than this very specific  
> feature of Chrome.

> On Feb 9, 2009, at 10:38 PM, Jacques Le Roux wrote:
>
>> From: "David E Jones" <[hidden email]>
>>> Notice that there is no way to see a list of orders being worked on  or  switch between them. What you are imagining should
>>> work, ie  different  orders in different windows, would only be the case (as  Anil  mentioned) if those different windows used
>>> different  sessions... which  they don't. To get a different session you must  have a different user,  a different browser, or
>>> find some place in  the applications where the  jsessionid is lost from one page to  another (which WOULD be a bug).
>>
>> This is something special to Firefox. With Chrome you don't have  this "issue", any tabs is a session. Actually I'm still using
>> FF3  since there is so much more with plugins than this very specific  feature of Chrome.
>
> Actually I'd guess this is an issue with all browsers except Chrome.  One of the unique "features" of Chrome is that every window
> is  actually a separate running instance of the program (was advertised as  something to avoid a problem in one window bringing
> down others), and  I guess this would be a side-effect of that. AFAIK there aren't any  other browsers that are that way.

> From: "David E Jones" <[hidden email]>
>> On Feb 9, 2009, at 10:38 PM, Jacques Le Roux wrote:
>>
>>> From: "David E Jones" <[hidden email]>
>>>> Notice that there is no way to see a list of orders being worked  
>>>> on  or  switch between them. What you are imagining should
>>>> work, ie  different  orders in different windows, would only be  
>>>> the case (as  Anil  mentioned) if those different windows used
>>>> different  sessions... which  they don't. To get a different  
>>>> session you must  have a different user,  a different browser, or
>>>> find some place in  the applications where the  jsessionid is  
>>>> lost from one page to  another (which WOULD be a bug).
>>>
>>> This is something special to Firefox. With Chrome you don't have  
>>> this "issue", any tabs is a session. Actually I'm still using
>>> FF3  since there is so much more with plugins than this very  
>>> specific  feature of Chrome.
>>
>> Actually I'd guess this is an issue with all browsers except  
>> Chrome.  One of the unique "features" of Chrome is that every window
>> is  actually a separate running instance of the program (was  
>> advertised as  something to avoid a problem in one window bringing
>> down others), and  I guess this would be a side-effect of that.  
>> AFAIK there aren't any  other browsers that are that way.
>
> Something to note also, I don't know for other browsers, but if you  
> open several instances of Firefox using the same profile (in  
> different windows as opposed to tabs in the same window) Firefox  
> does not open another session.
> Actually Firefox used only one process for all its windows. It's a  
> feature some softwares allow you to choose or not (only 1
> instance) Firefox forces it. You can change but AFAIK not from  
> inside Firefox (using about:config)
> If interested Google for "allow firefox multi instances"

>> Something to note also, I don't know for other browsers, but if you  open several instances of Firefox using the same profile (in
>> different windows as opposed to tabs in the same window) Firefox  does not open another session.
>> Actually Firefox used only one process for all its windows. It's a  feature some softwares allow you to choose or not (only 1
>> instance) Firefox forces it. You can change but AFAIK not from  inside Firefox (using about:config)
>> If interested Google for "allow firefox multi instances"
>
> Yes that is the traditional behavior for Firefox. What about other  browsers like IE, Opera, Safari, etc?
>
> What I'm saying is that this isn't just the behavior for Firefox, all  browsers except Chrome have historically behaved this way
> and it is  only recently that any of them even considered doing something  different.

> From: "David E Jones" <[hidden email]>
>>> Something to note also, I don't know for other browsers, but if you  open several instances of Firefox using the same profile
>>> (in different windows as opposed to tabs in the same window) Firefox  does not open another session.
>>> Actually Firefox used only one process for all its windows. It's a  feature some softwares allow you to choose or not (only 1
>>> instance) Firefox forces it. You can change but AFAIK not from  inside Firefox (using about:config)
>>> If interested Google for "allow firefox multi instances"
>>
>> Yes that is the traditional behavior for Firefox. What about other  browsers like IE, Opera, Safari, etc?
>>
>> What I'm saying is that this isn't just the behavior for Firefox, all  browsers except Chrome have historically behaved this way
>> and it is  only recently that any of them even considered doing something  different.
>
> On Windows it's clear for Opera (allow to open only one intance/window anyway) and Safari (tnough less clear from UI POV, same
> behaviour than FF). But less for IE8 as it opens 2 processes under a sole task (Windows terminology). In IE case I did not find
> quickly any clear answers about session on Google...
>
> Jacques
>
>> -David
>>
>

> On Feb 9, 2009, at 11:39 PM, David E Jones wrote:
>
>>
>> If someone wants to work on this it would be cool, and has  
>> certainly been discussed many times. The easiest way would be to  
>> have a List of carts in the session and a screen to change which  
>> one is the "active" cart, and to create a new/empty active cart.
>>
>> -David
>
> Actually I partially implemented this some time ago, and the code is  
> in the OFBiz trunk, if I am not wrong.
> The only thing we still don't have is the ui to show all the carts  
> (aka active orders) in the session and let the user to pick one of  
> them: I did it in a custom ui for a customer but of course that part  
> was never contributed.