Beware Overnight Prints
Khaos
Nov-09-2005, 03:49 PM
I used them. I was happy with the quality and cost as I know many have been.
I just received an email from someone I don't know who was kind enough to tell me that when she clicked on the free samples button on their site, my info is filled in. My name, street address, email, it's all there.
I'm not a happy camper.
I just emailed them and I'm awaiting a reply.
This is unacceptable. It's bad enough when a business doesn't practice security and gets info stolen, but to put it out on the web. Avoid this site!
Andy
Nov-09-2005, 03:53 PM
I used them. I was happy with the quality and cost as I know many have been.
I just received an email from someone I don't know who was kind enough to tell me that when she clicked on the free samples button on their site, my info is filled in. My name, street address, email, it's all there.
I'm not a happy camper.
I just emailed them and I'm awaiting a reply.
This is unacceptable. It's bad enough when a business doesn't practice security and gets info stolen, but to put it out on the web. Avoid this site!
I just went there (I've been a customer, too, I'm a satisfied customer)...
Tried the samples thing in Safari and Firefox - got blanks to fill in, that's all.
Was she using your computer?
Khaos
Nov-09-2005, 03:57 PM
Funny. No. I never heard of her. She actually had a screen shot.
Andy
Nov-09-2005, 03:59 PM
Funny. No. I never heard of her. She actually had a screen shot.
Weird - seems like it's fixed though. Similar thing happened to B&H about a month or so ago. Not good.
mercphoto
Nov-15-2005, 06:12 AM
Weird - seems like it's fixed though. Similar thing happened to B&H about a month or so ago. Not good.
Agreed. I am to the point now that I no longer allow an online vendor to store my credit card information. (do all vendors give you this option?). I'm even considering trying to get it removed from some vendors who currently have my CC information that are normally trustworthy, such as Amazon, just in case.
Goodbye one-click ordering for Bill... :(
Lee Massey
Nov-18-2005, 12:35 PM
Weird - seems like it's fixed though. Similar thing happened to B&H about a month or so ago. Not good.
FYI... I don't believe that it is fixed. I just clicked on "free samples" and it came up with someone's personal info. No credit card, but mailing address/e-mail...
Hopefully they will get this looked after...
Lee
JimM
Nov-18-2005, 12:44 PM
What is their website, I want to try!
Khaos
Nov-18-2005, 04:38 PM
I still haven't received a reply back either. Very troubling.
Harryb
Nov-18-2005, 06:07 PM
FYI... I don't believe that it is fixed. I just clicked on "free samples" and it came up with someone's personal info. No credit card, but mailing address/e-mail...
Hopefully they will get this looked after...
Lee
Since that was my info I'm kind of ticked off. Once I get a good night's sleep I will be communicating with those good folks tomorrow.
I just went there (I've been a customer, too, I'm a satisfied customer)...
Tried the samples thing in Safari and Firefox - got blanks to fill in, that's all.
Was she using your computer?
Just had a look
...i ordered you 3 x 5d's on Steve Cav's credit card to arrive in sequence 3 months apart so you wont have to re-order after each sale.
I still haven't received a reply back either. Very troubling.
Bad news mate... just keep one fist closed behind your back in the event that the person who contacted you is not a scammer.
Lee Massey
Nov-20-2005, 10:40 AM
Well... Although it sounds like they have a good product for a reasonable price, it still makes me a little nervous. I was actually going to get some samples when I saw that information still there...
I gave them a call and left a message. It just wasn't with the "Free Samples" link either. I clicked on the "Contact Us" button after I saw your info Harry and I saw the message that *YOU* left them. Very disturbing...
Anyway, I sent you an e-mail about it Harry and some screen captures. It definitely makes you wonder...
Thanks...
Lee
Since that was my info I'm kind of ticked off. Once I get a good night's sleep I will be communicating with those good folks tomorrow.
Blues fan
Nov-23-2005, 02:44 AM
Well... Although it sounds like they have a good product for a reasonable price, it still makes me a little nervous. I was actually going to get some samples when I saw that information still there...
I gave them a call and left a message. It just wasn't with the "Free Samples" link either. I clicked on the "Contact Us" button after I saw your info Harry and I saw the message that *YOU* left them. Very disturbing...
Anyway, I sent you an e-mail about it Harry and some screen captures. It definitely makes you wonder...
Thanks...
Lee
I was just reading this thread and am glad I didn't make an order last night from them as I was about to. I noticed that Harry's info was still on the sample and the contact us screens and that it has been a couple of days since Harry's post and since Lee's post.
I am just wondering if anyone had heard anything from the company yet as to why it hasn't been fixed yet or when they plan on fixing it. I had planned on ordering some cards this week but I think I may be looking for another company to use.
Andy
Nov-23-2005, 03:06 AM
I was just reading this thread and am glad I didn't make an order last night from them as I was about to. I noticed that Harry's info was still on the sample and the contact us screens and that it has been a couple of days since Harry's post and since Lee's post.
I am just wondering if anyone had heard anything from the company yet as to why it hasn't been fixed yet or when they plan on fixing it. I had planned on ordering some cards this week but I think I may be looking for another company to use.
3 machines, two different browsers - I never saw anything except blank input screens. (Safari, and Firefox). Is this IE only?
flyingdutchie
Nov-23-2005, 06:12 AM
I used them. I was happy with the quality and cost as I know many have been.
I just received an email from someone I don't know who was kind enough to tell me that when she clicked on the free samples button on their site, my info is filled in. My name, street address, email, it's all there.
I'm not a happy camper.
I just emailed them and I'm awaiting a reply.
This is unacceptable. It's bad enough when a business doesn't practice security and gets info stolen, but to put it out on the web. Avoid this site!
I've seen this happening... not right now on http://www.overnightprints.com but on other sites (although those were not out in the real world, just test sites). This is most likely their problem:
They have a bunch of machines (servers) running the online front store. When you start using it, fill in info, etc., the front-store application needs to establish a session. The session holds an identifier that points to - most likely - a database that holds your info (last information uploaded, shopping cart contents, etc.). The session identifier is stored on your computer in a cookie. The value of the identifier is generated by the front-store application. The session identifier is then used to obtain the information that is specific to you when you move from page to page.
Most front-store applications are running on more than one machine, to spread the load. Sometimes this can cause the session identifier of one customer (/browser) to be assigned to another customer (/browser). This, of course, is a bug in their system, but it could happen. This means that when you go to the next page, you see contents that would have been shown to another customer (cross-assignment of sessions).
This is a SEVERE bug. It is best to notify Overnight Prints immediately. If this bug caused some customers to have their info stolen or, even worse, have some of their money stolen, Overnight Prints can be in for a lot of trouble (pissed off customers, bad press, litigation, etc.)
Harryb
Nov-23-2005, 09:08 AM
Hi y'all,
I contacted Overnightprints about my info being displayed. I first attempted a phone contact and it went like this:
ring
Recorded voice: "you are the second caller on line for a service rep."
some god awful music
Voice: "hey my name is Kevin"
Me: "This is in reference to a completed order"
click
Recorded voice: "you are called number 29"
god awful music
after minutes a Recorded voice "You are number 28"
I hang up
I did receive this e-mail today in response to my e-mails sent two days earlier:
"Good Day,
We do not collect and post information on our site. If the site is
retaining information it is due to your settings. Not ours. Verisign is
a secure site and deletes all of the CC info once it has been processed.
If you wish to change your setting you must go to Tools>Internet Options
and under Security, Privacy and Advanced you should be able to change
your settings. However this will delete and not store any information
when you visit any site as well as drop down boxes(ie. typing similar
info and matches pop up below). I hope this was helpful to you. Have a
good day!
We appreciate your patience and hope that you choose Overnight Prints
in the future for all your printing needs. If you have any additional
questions, do not hesitate to contact us.
Please include all previous correspondence and your order number when
contacting Overnight Prints.
Thank you,
Christine
Customer Support Representative
Overnight Prints
1800 East Garry Ave. Ste. 224
Santa Ana, CA 92705
service@overnightprints.com (service@overnightprints.com)
Support Line: 888-677-2000"
I feel better knowing that it is my problem and not theirs. They do have a point it is my problem because its my info that was being displayed. :bash
I will have my next order of business cards done locally.
I just see blanks to fill in on my Mac when I go to samples on overnightprints.
Slightly changing the subject, I never got a letter from the FBI or CIA either about the 30 illegal sites I visited (whatever illegal site means). I even read about it on Yahoo this morning. What illegal sites? I wanna go see them!:):
But I did get a notice that I won the Big Lottery in the UK. Checked the lottery site, but darn if the numbers listed didn't match the numbers in my e-mail. Other than that, it's a very cleverly done letter -- sure looks like the real thing! However, before I could write to Hillary my ISP sent an all domain e-mail out telling us it was a fishing expedition to get our bank information...
Sorry Harry that it was your information up there on the screen for the world to see.
LiquidOps
Nov-23-2005, 09:31 AM
Harry,
Your info is still up there... on the Contact Us part
:uhoh
LiquidOps
Nov-23-2005, 09:33 AM
Harry,
Your info is still up there... on the Contact Us part
:uhoh
also on the free sample section
I'm using IE
flyingdutchie
Nov-23-2005, 09:50 AM
also on the free sample section
I'm using IE
I don't think it matters whether you use IE or not. Your and Harry's computers are not the same; it seems to be Overnight Prints' problem.... Somehow you were assigned the session that was meant for Harry. So, every time you go to Overnight Prints' site, it thinks you're Harry and will show you his information instead.
If they don't investigate this and send out e-mails like 'it is definitely your fault, not ours', they may be in for a surprise.
-- Anton.
LiquidOps
Nov-23-2005, 09:53 AM
ok... this is what I did...
i went to the site... went to contact us.. plugged in some bogus info in hopes to get Harry's info off there...
can anyone verify what they see now?
Thank You,
Steven
P.S. I hope this helps Harry.
flyingdutchie
Nov-23-2005, 09:53 AM
I just see blanks to fill in on my Mac when I go to samples on overnightprints.
Slightly changing the subject, I never got a letter from the FBI or CIA either about the 30 illegal sites I visited (whatever illegal site means). I even read about it on Yahoo this morning. What illegal sites? I wanna go see them!:):
But I did get a notice that I won the Big Lottery in the UK. Checked the lottery site, but darn if the numbers listed didn't match the numbers in my e-mail. Other than that, it's a very cleverly done letter -- sure looks like the real thing! However, before I could write to Hillary my ISP sent an all domain e-mail out telling us it was a fishing expedition to get our bank information...
Sorry Harry that it was your information up there on the screen for the world to see.
It does not happen on my system either. The problem described above likely happens only for a few visitors: the Overnight Prints servers mixing up their sessions. So, Harry, I don't think the world will see your info. But some people may (and actually do) see it.
flyingdutchie
Nov-23-2005, 09:56 AM
ok... this is what I did...
i went to the site... went to contact us.. plugged in some bogus info in hopes to get Harry's info off there...
can anyone verify what they see now?
Thank You,
Steven
P.S. I hope this helps Harry.
You may have erased/modified Harry's info by doing this. Only Harry can verify this, and most likely only on the computer he used to visit overnight-prints.
LiquidOps
Nov-23-2005, 09:57 AM
You may have erased/modified Harry's info by doing this. Only Harry can verify this, and most likely only on the computer he used to visit overnight-prints.
I'm just looking for those who have seen the issue, to revisit the site and see what info they show... if any...
Harryb
Nov-23-2005, 10:13 AM
I'm just looking for those who have seen the issue, to revisit the site and see what info they show... if any...
Just went to the site and when I hit "contact us" I saw the info you entered so my stuff has been cleared. Thanks.
flyingdutchie
Nov-23-2005, 10:19 AM
Just went to the site and when I hit "contact us" I saw the info you entered so my stuff has been cleared. Thanks.
Harry and Steven, be sure to delete your cookies (from overnight-print's site). You are both still sharing the same session (although bogus data is now in it). Otherwise you may wind up ordering stuff for one another (and who knows who else) in the future :D .
LiquidOps
Nov-23-2005, 10:24 AM
Just went to the site and when I hit "contact us" I saw the info you entered so my stuff has been cleared. Thanks.
Glad I could help Harry :)
it doesn't solve the issue, but at least doesn't put you out to as many people...
Harryb
Nov-23-2005, 10:31 AM
Harry and Steven, be sure to delete your cookies (from overnight-print's site). You are both still sharing the same session (although bogus data is now in it). Otherwise you may wind up ordering stuff for one another (and who knows who else) in the future :D .
cookie deleted
Lee Massey
Dec-09-2005, 11:32 AM
It is strange because I tried that the first time too (filling in the window forms with incorrect data in an attempt to mask Harry's valid info) and it only partially worked. Anyone else had problems recently?
I must admit that their response to Harry was not exactly what I would call, "customer service".
When I saw it the first time I even left them a detailed voice mail regarding the problem (including the order number) because I recognized Harry's name and I would have thought that they would have fixed it immediately...
I would like to give them a try but this whole episode doesn't exactly leave you with a good feeling...
What other alternatives are there with similar prices?
Thanks,
Lee
ok... this is what I did...
i went to the site... went to contact us.. plugged in some bogus info in hopes to get Harry's info off there...
can anyone verify what they see now?
Thank You,
Steven
P.S. I hope this helps Harry.
Overnight Danny
Apr-27-2006, 11:06 AM
Good Afternoon,
Ladies and Gentlemen, after reading over your complaints, I can assure you that the problem has been fixed, as well as very simple to avoid. At Overnight Prints, session IDs are used to make it easier for a person to track their product and information. It seems as if Khaos may have had a problem with incorrect emails, and for that Overnight Prints apologizes, but for the group of people who are seeing the same screen, that is due to sharing of links. If each of you had gone to the site on your own you would not be able to see others' information. However, if someone enters their information and then shares the link to Overnight Prints with you, you will all be located on the same session. In order for this not to occur, all of you should clear your cookies and log onto www.overnightprints.com on your own without using a common link. This should clear it up. Overnight Prints does apologize for the confusion and the past customer service, and hopes that you consider using us in the future. Thanks!
Overnight Danny
I used them. I was happy with the quality and cost as I know many have been.
I just received an email from someone I don't know who was kind enough to tell me that when she clicked on the free samples button on their site, my info is filled in. My name, street address, email, it's all there.
I'm not a happy camper.
I just emailed them and I'm awaiting a reply.
This is unacceptable. It's bad enough when a business doesn't practice security and gets info stolen, but to put it out on the web. Avoid this site!
Andy
Apr-27-2006, 11:16 AM
but for the group of people who are seeing the same screen, that is due to sharing of links. If each of you had gone to the site on your own you would not be able to see others' information. However, if someone enters their information and then shares the link to Overnight Prints with you, you will all be located on the same session. In order for this not to occur, all of you should clear your cookies and log onto www.overnightprints.com on your own without using a common link.
You're kidding - right? I should think it would be your guys job to ensure that we dumb consumers don't do anything to compromise our personal information. IOW, we expect YOU to deal with this issue, despite our tendency to "share links" in the incorrect manner.
Food for thought - and I'm interested to see how you guys will deal with this.
cmason
Apr-27-2006, 11:34 AM
You're kidding - right? I should think it would be your guys job to ensure that we dumb consumers don't do anything to compromise our personal information. IOW, we expect YOU to deal with this issue, despite our tendency to "share links" in the incorrect manner.
Food for thought - and I'm interested to see how you guys will deal with this.
Exactly Andy. We share links to B&H, Amazon and countless other places, and I can't say I have ever had a problem like this elsewhere. It is frightening that my personal info is preserved in a cookie that can transfer to someone else's machine. A cookie on my machine with my info is acceptable, but persisting that on the server? Yikes!
Mike Lane
Apr-27-2006, 01:26 PM
All the information was stored in the URL? That's just crazy! If I were to order from Overnight Prints would my credit card information be stored in the URL too??? Give me a break. You guys are going to have to get serious about security if you plan on getting people's e-commerce business.
wxwax
Apr-27-2006, 02:06 PM
In order for this not to occur, all of you should clear your cookies and log onto www.overnightprints.com on your own without using a common link. This should clear it up.
Danny, thanks for responding. That's good.
But your answer? That's bad.
It's the old "the problem is on your end, not ours." I think you'll find that your customers disagree.
mercphoto
Apr-27-2006, 02:33 PM
Too bad, because their business cards rock. Nice feel, nice color, very water resistant.
Overnight Danny
Apr-27-2006, 02:41 PM
Because our website uses a cookie driven format, links shared with session IDs will cause this to happen. If you share a link with someone, please give them only www.overnightprints.com; this will not happen. There is no chance of credit card or PayPal information being transferred as we do not save that information. Verisign handles the transaction. Many websites do use the cookie format, including many of our peers in the online printing industry. To my knowledge this does not occur at this time in any instance outside of the sharing of session IDs. For problems that occur with any of our printing please contact our customer service phone line. We have recently streamlined and added more representatives. We also have a no risk guarantee. If there is a problem we will gladly refund or reprint.
Shay Stephens
Apr-27-2006, 02:46 PM
In order for this not to occur, all of you should clear your cookies and log onto www.overnightprints.com on your own without using a common link. This should clear it up.
That is a temporary bandaid only. The problem being described is not so much that customers are getting confusing screens, it's that it is possible for a malicious user to hack the session variable and be able to obtain info they don't have permission to access.
What you need to do is fix that vulnerability in the code. Trap it in code. I am not familiar enough with the coding needed to offer any detailed guidance, however, I did run across some sample code that may help you or your devs to a solution.
Download the latest phpbb (http://www.phpbb.com/downloads.php) forum software. Look in the common.php file at the first 100 lines to see how they are trapping for malicious session hacking. It might provide some clues to a solution for you.
You need to be in a position where clearing the cache is not necessary at all. You can't rely on the users to do the right thing, because the wrong thing will get done either through ignorance or maliciousness. Count on it.
Even if you don't store credit card info, the perception that your site is not secure is what will drive people. Don't give people a reason to think there is insecurity in your site.
Andy
Apr-27-2006, 03:22 PM
Because our website uses a cookie driven format, links shared with session id's will cause this to happen. If you share a link with someone please give them only www.overnightprints.com this will not happen.
This is insane. Shame on you for not building a system smart enough to protect the public from unwittingly sharing their personal information.
Shame shame shame.
I can no longer recommend or endorse your company, sorry about that. I'm really sorry - and it's a shame, because I've used you for cards many times and recommended a zillion.
(Dragon, I need a new seal, "NOT endorsed by Andy" or some such)... :rolleyes
JimM
Apr-27-2006, 03:46 PM
You guys are missing another valid point... why did it take 8 months for them to finally address the problem???
cambler
Apr-27-2006, 03:47 PM
I must point out that the answer given here about cookies is FACTUALLY INCORRECT, bordering on lying.
Using a session ID in the URL has absolutely nothing to do with cookies in any scenario whatsoever. Cookies are stored on the local client computer and cannot be shared with other client computers without the server deliberately doing so.
What is happening here is that their system is allowing any computer to specify a session ID without any validation and is then setting that session's information on the client, irrespective of history. If they then encode the data into a cookie, that is both irrelevant as well as misleading.
The gentleman from the company who is claiming that it is a cookie issue either has no idea what he's talking about or is deliberately lying.
A simple check of session ID vs. IP address of the request would fix this problem. If their programmers can't add this simple check, much less realize that it should have been there from day one if they're using non-encoded session IDs on the URL, that should tell you all you need to know.
I'm not just a crappy photographer, I also do this stuff for a living :D
Andy
Apr-27-2006, 03:48 PM
I'm not just a crappy photographer, I also do this stuff for a living :D
:wave Chris
:lol3
Mike Lane
Apr-27-2006, 03:57 PM
This is insane. Shame on you for not building a system smart enough to protect the public from unwittingly sharing their personal information.
Shame shame shame.
I can no longer recommend or endorse your company, sorry about that. I'm really sorry - and it's a shame, because I've used you for cards many times and recommended a zillion.
(Dragon, I need a new seal, "NOT endorsed by Andy" or some such)... :rolleyes
post a thumbs down photo or some such and I'll get you a web2.0 badge whipped up in a hurry...
Overnight Danny
Apr-27-2006, 04:28 PM
I can understand where Cambler is coming from, however in this instance I was merely trying to resolve a problem that was occurring with the board members of dgrin. Cookies are an oversimplified version of it. Our system does not allow any computer to access any session ID without validation. We have a 20 character alphanumeric code to protect the information which would be extremely difficult to hack. We have software to protect from a brute force hack and prevent the customers' information from leaking. We are currently in the process of removing the session ID from the URL altogether which would end this issue to begin with. This was an instance of someone creating an account and sharing the open account with others.
In response to Andy, the system is designed to protect your information and that information will not be shared unless you specifically give your active session ID to another person, as happened in this bboard. Even if someone was to hack it, the chances of numerous people on this website seeing the exact same sample information would be astronomic. So we do protect the information from the public. And rest assured all credit card information is handled by Verisign and never even reaches our server. A credit card gateway is used.
Also I would like to add that my suggestion to clear your cookies was in no way intended to be a regular practice, simply a suggestion of a way to clear this open session that all of you seem to be sharing. After doing this one time, everyone will be on their own.
cambler
Apr-27-2006, 04:44 PM
Also I would like to add that my suggestion to clear your cookies was in no way intended to be a regular practice, simply a suggestion of a way to clear this open session that all of you seem to be sharing. After doing this one time, everyone will be on their own.
Clearing cookies on a client computer will have no effect on your server. The session ID is still valid and will still replicate information if it is re-used. Why you continue to say that this is a "cookie" issue, I don't understand, and only serves to give people a false sense of security that doing so will resolve the problem.
Is this where I mention my consulting rates? :): (just kidding)
JimM
Apr-27-2006, 04:49 PM
Is this where I mention my consulting rates? :): (just kidding)
:lol3
Shay Stephens
Apr-27-2006, 05:15 PM
Clearing cookies on a client computer will have no effect on your server. The session ID is still valid and will still replicate information if it is re-used. Why you continue to say that this is a "cookie" issue, I don't understand, and only serves to give people a false sense of security that doing so will resolve the problem.
Is this where I mention my consulting rates? :): (just kidding)
The bigger issue is that malicious users can exploit this weakness, not that joe sixpack will see someone else's info. My bet is that a malicious user could probably inject commands that could bring down the server, change data, or worse.
The responses so far have been downplaying the problem which tells me they don't understand the implications of what could happen when 13 year old uber-hacker-looking-for-cred finds this open door oasis of potential mayhem.
Fix the problem. If the problem is already fixed (as possibly alluded to earlier) then show it, explain it, convince us. But don't offer the same non-technical excuses over and over, that just digs the hole deeper. There are a lot of web developers reading and responding on this thread.
Andy
Apr-27-2006, 05:41 PM
In response to Andy, the system is designed to protect your information and that information will not be shared unless you specifically give your active session ID to another person, as happened in this bboard. Even if someone was to hack it, the chances of numerous people on this website seeing the exact same sample information would be astronomic. So we do protect the information from the public.
You don't protect the unwitting public, and there are a lot of them. It's bad practice, IMO. I'm sticking with thumbs down, I don't think you guys are getting it :nono
Khaos
Apr-27-2006, 05:41 PM
1. I didn't share a link or session. I arrived by google to your site. I never posted a link to your site. Mine is not the issue. Unless the same computer is being used, no "session sharing" should ever occur.
2. I emailed you twice and never received a response. Bad customer service. Extremely bad. I had a serious concern and it went ignored until now, which seems to be more damage control than actual customer service.
3. The proper, immediate response should have been to state an apology, guarantee that it would be corrected immediately, and actually fix it.
4. I'm still really irritated by this giving of an active session ID crap. Explain how exactly I'm going to do that other than giving someone a direct link to a page that I access while logged in. Guess what? I didn't and I can guarantee that probably 99% didn't either. Even so, it's your site's issue in that it should only matter if it's coming from the same PC.
If this was a common issue, all one has to do is have one's friend pay for a subscription website, log in, and then send a link of whatever page he's accessing while logged in to all his friends and they have free "shared access" This doesn't happen because the site is properly set up and maintained.
Also, cookies can be set to expire. Yahoo sets this to prevent people from accessing email on your PC. So much time passes or so much inactive time passes and the cookie expires and forces a new log on.
Your site is broken and you're using an excuse that isn't completely valid for all concerned. You're also arguing with past, present (but I expect to be past) customers and ensuring no future customers.
Lee Massey
Apr-28-2006, 05:43 AM
Hi Danny,
Thanks for reading up on these complaints. I can assure you that when I saw another person's information that it was not from a shared link.
I think that if you took the time to make adjustments on your end you would see an increase in business. This issue has been one of the only knocks against your business and it has been what prevents me from ordering with your company...
Thanks,
Lee
but for the group of people who are seeing the same screen, that is due to sharing of links. If each of you had gone to the site on your own you would not be able to see others' information.
Overnight Danny
Overnight Danny
Apr-28-2006, 11:50 AM
Ladies and Gentlemen,
First I would like to say that we appreciate all of you bringing these issues to our attention. It is because we know that we are not perfect, and because we care, that we search for postings like these. We want to know what people think, so that we can provide the best service possible, whether it is in regards to our website, our products, our customer service, or anything else. As for Customer Service, we have more than tripled our staff and are responding to all calls and emails.
As is clear by now, I am not enlightened to all of the technical aspects of all of this. It is my job to find issues like these, and bring them to the attention of our developers and IT staff.
What was originally designed as a convenience feature, but could have been better thought out, became an issue that was brought to our attention by people like and including all of you. Session IDs retaining shipping information, so that returning customers did not have to enter it again, were indexed by google and yahoo, and so you are correct that you were able to access them in that way. Once we realized this, we changed the system so that the Session IDs no longer retain any information. We have also worked with google and yahoo to ensure that Session IDs are not indexed, and any that are currently indexed be removed.
We apologize to anyone whose shipping information may have been shared, and I guarantee that we are constantly working to completely fix this, as well as improve every aspect of our company.
Danny
Mike Lane
Apr-28-2006, 11:55 AM
Now that is the kind of thing that we like to hear. :thumb
JimM
Apr-28-2006, 12:12 PM
Better late than never, thanks Danny!
wxwax
Apr-28-2006, 01:46 PM
We apologize to anyone whose shipping information may have been shared, and I guarantee that we are constantly working to completely fix this, as well as improve every aspect of our company.
Danny
:thumb Onya!
Lee Massey
Apr-28-2006, 04:25 PM
Danny,
Thanks for taking this seriously and having the courage to come back and admit that there was a mistake. That has just earned my business... :thumb
BTW, you should stick around here... :D
Thanks again...
Lee
We apologize to anyone whose shipping information may have been shared, and I guarantee that we are constantly working to completely fix this, as well as improve every aspect of our company.
Danny
flyingdutchie
May-01-2006, 11:29 AM
Ladies and Gentlemen,
First I would like to say that we appreciate all of you bringing these issues to our attention. It is because we know that we are not perfect, and because we care, that we search for postings like these. We want to know what people think, so that we can provide the best service possible, whether it is in regards to our website, our products, our customer service, or anything else. As for Customer Service, we have more than tripled our staff and are responding to all calls and emails.
As is clear by now, I am not enlightened to all of the technical aspects of all of this. It is my job to find issues like these, and bring them to the attention of our developers and IT staff.
What was originally designed as a convenience feature, but could have been better thought out, became an issue that was brought to our attention by people like and including all of you. Session IDs retaining shipping information, so that returning customers did not have to enter it again, were indexed by google and yahoo, and so you are correct that you were able to access them in that way. Once we realized this, we changed the system so that the Session IDs no longer retain any information. We have also worked with google and yahoo to ensure that Session IDs are not indexed, and any that are currently indexed be removed.
We apologize to anyone whose shipping information may have been shared, and I guarantee that we are constantly working to completely fix this, as well as improve every aspect of our company.
Danny
Now, this is a much better answer :D
SessionIDs can perfectly retain any information you like, as long as the SessionID is not an encoding of the actual data (if so, decoding would be too simple and therefore insecure) and it should not be shared 'inside' a URL. Instead, it should be a key, a unique identifier into a database row, stored, preferably, inside a cookie.
This key/SessionID should be generated upon the user's login and serve as an authorization check.
This key/SessionID is then used to authorize subsequent page-requests and the user-id is used to look up the user's info and present his/her data (only if authorization was successful).
Additional security checks could be done as well (IP verification across one session, session time-outs, etc.)
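As an added illustration of the session design flyingdutchie describes in this post (and of the URL session-ID problem cambler points out earlier in the thread), here is a small Python session store in two versions: a weak one that accepts any ID from the URL, and a hardened one using a server-generated random key carried only in a cookie, bound to the client IP, expired after inactivity and regenerated after data entry. This is example code written for this page, not code from the thread or from Overnight Prints; the client IPs, names and the 30-minute time-out are constructed assumptions.

```python
"""Two versions of the session store the thread discusses (added example,
not Overnight Prints' code). UrlSessionStore takes any ?sid= from the URL,
so a shared link shares the session. CookieSessionStore applies the fixes
suggested in the thread. Requests, IPs and names below are constructed."""
import secrets
import time

SESSION_TTL = 30 * 60  # hypothetical 30-minute inactivity time-out (seconds)


class Request:
    """Stand-in for an HTTP request: client IP, query string, cookies."""
    def __init__(self, ip, query=None, cookies=None):
        self.ip = ip
        self.query = query or {}
        self.cookies = cookies or {}


class UrlSessionStore:
    """Weak: the ID comes from ?sid= and any unknown ID is accepted as new."""
    def __init__(self):
        self.sessions = {}

    def get(self, request):
        sid = request.query.get("sid") or secrets.token_hex(8)
        # No check that this client created the session: whoever presents
        # the ID (after receiving the URL, say) gets the stored data.
        return sid, self.sessions.setdefault(sid, {})


class CookieSessionStore:
    """Hardened: opaque random key in a cookie, IP-bound, time-limited."""
    def __init__(self, now=time.time):
        self.sessions = {}
        self.now = now  # injectable clock so expiry can be exercised

    def _new(self, request):
        sid = secrets.token_urlsafe(32)  # 256 random bits: not guessable
        self.sessions[sid] = {"ip": request.ip, "seen": self.now(), "data": {}}
        return sid

    def get(self, request):
        sid = request.cookies.get("sid")  # never read from the URL
        rec = self.sessions.get(sid)
        if rec is not None and self.now() - rec["seen"] > SESSION_TTL:
            del self.sessions[sid]  # stale: force a fresh session
            rec = None
        if rec is None or rec["ip"] != request.ip:
            # Unknown, expired or presented from another address: issue a
            # fresh empty session and leave the owner's session intact.
            # (IP binding is the check cambler suggests; it can log out
            # users whose address changes mid-visit, a trade-off to weigh.)
            sid = self._new(request)
            rec = self.sessions[sid]
        rec["seen"] = self.now()
        return sid, rec["data"]

    def regenerate(self, request):
        """Issue a new ID after login or data entry, so an ID handed out
        earlier (one that leaked into a shared URL, say) stops working."""
        old_sid, data = self.get(request)
        del self.sessions[old_sid]
        new_sid = self._new(request)
        self.sessions[new_sid]["data"] = data
        return new_sid


def shared_link_leaks(store):
    """Alice fills in her details; Bob opens a URL carrying her sid."""
    sid, data = store.get(Request(ip="198.51.100.10"))
    data["name"] = "Alice Example"
    _, bob_view = store.get(Request(ip="203.0.113.7", query={"sid": sid}))
    return bob_view.get("name")  # "Alice Example" with the weak store


def shared_cookie_rejected(store):
    """Same sid presented from another address against the hardened store."""
    sid, data = store.get(Request(ip="198.51.100.10"))
    data["name"] = "Alice Example"
    bob_sid, bob_view = store.get(Request(ip="203.0.113.7", cookies={"sid": sid}))
    return bob_view.get("name"), bob_sid != sid


def stale_session_dropped():
    clock = [1000.0]
    store = CookieSessionStore(now=lambda: clock[0])
    sid, data = store.get(Request(ip="198.51.100.10"))
    data["name"] = "Alice Example"
    clock[0] += SESSION_TTL + 1
    new_sid, view = store.get(Request(ip="198.51.100.10", cookies={"sid": sid}))
    return new_sid != sid and view == {} and sid not in store.sessions


def regenerate_invalidates_old_id():
    store, ip = CookieSessionStore(), "198.51.100.10"
    sid, data = store.get(Request(ip=ip))
    data["name"] = "Alice Example"
    new_sid = store.regenerate(Request(ip=ip, cookies={"sid": sid}))
    _, old_view = store.get(Request(ip=ip, cookies={"sid": sid}))
    _, new_view = store.get(Request(ip=ip, cookies={"sid": new_sid}))
    return old_view == {} and new_view.get("name") == "Alice Example"
```

Note that clearing cookies on the client, as Danny suggested, does nothing to the weak store's server-side record; only the hardened store's regeneration and expiry actually retire an ID that has been handed out.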