We're facing a perplexing issue in our production environment where customers appear to occasionally get mapped to other people's carts (e.g. retrieving someone else's cart viewmodel, adding/removing items to someone else's cart, or even checking out with someone else's cart). We're obviously very concerned, but we've been unsuccessful in replicating it in dev, and its low frequency (combined with its seemingly random occurrence) has made it a somewhat lower-priority issue, so I can't investigate it full-time. I've pored over the relevant code and can't see anything suspicious. All cart loading is facilitated by the following method:
public ICart LoadCart(string name = "Default")
{
var cart = _orderRepository.Service.LoadOrCreateCart<ICart>(System.Web.HttpContext.Current.User.GetContactId(), name, _currentMarketService.Service);
SanitiseCart(cart);
return cart;
}Some notes for clarity:
- We have only a single market, and only ever use the cart name "Default".
- SanitiseCart() is a private method that that performs some minor housekeeping on line items and shipments.
- _orderRepository is declared as
private Injected<IOrderRepository> _orderRepository; - Obviously, none of our cart operations are trying to mutate the CustomerId.
- We use GetContactId() at multiple other points in the project (e.g. loading customer accounts, order history summaries) and have not heard of any similar issues in those domains.
- This issue appears to be affecting both anonymous users and registered customers (i.e. CustomerContacts).
- We're uncertain how long it has been a problem, but a series of logged exceptions (wherein our system tries to remove an item that doesn't exist in the cart) suggest that it may have started after we performed a major Commerce version upgrade several months ago. Unfortunately, the developer who performed the upgrade no longer works at this company, and in any case, I can't find any evidence of significant changes within the cart domain.
- Normally this is a fairly rare occurrence, but we experienced a sudden large spike in incidents roughly a week ago. Episerver support were contacted and asked to reset the app service, at which point the frequency of incidents dropped to its prior level. We are still uncertain what incited this sudden spike.
The project in which the above code is located is currently on Commerce 13.2.0.