jCart Security Info

jCart uses server-side input validation to ensure the cart works as expected for visitors and to limit potential security risks. Early versions contained vulnerabilities that under certain circumstances could allow session hijacking, modification of cart contents via CSRF, or redirection to an arbitrary URL. These issues have been resolved since version 1.2.

Enable CSRF Protection

In a default installation, jCart presents a limited opportunity for an attacker to modify a visitor’s cart prior to checkout. In this scenario the attacker must trick a visitor with an active session into clicking a link or viewing an image that in turn sends a specially crafted request to your jcart.php file. This is a relatively minor risk since the attacker must know when their target is actively browsing your site. Learn more about CSRF attacks on owasp.org.

To prevent auch attacks, versions 1.2 and later include the option to add a unique token to all POST requests, ensuring that jcart.php doesn’t process requests originating outside of your site. This feature is turned off by default. To enable it set the following variable to true in config.php:


// Add a unique token to form posts to prevent CSRF exploits
// Learn more: http://conceptlogic.com/jcart/security.php
$config['csrfToken']              = true;


The drawback of using this option is that the cart will no longer work for visitors with javascript disabled. To ensure the cart works securely without javascript, add the following line to each of your product forms:

<input type="hidden" name="jcartToken" value="<?php echo $_SESSION['jcartToken'];?>" />

Validating Data before Checkout

Before a visitor is redirected to checkout with PayPal, the contents of their cart are sent to jcart-gateway.php. You can customize this file to validate submitted prices against your actual product prices and prevent invalid transactions.