Great find! However depending on the PHP version and proper osC configuration, session hijacking will not work. Credit goes to osC team. Solution http://forums.oscommerce.com/index.php?showtopic=333351