Callback Payment modules and session timeout

[davew]

I've been working on a problem for a couple of days now and seem to be going around in circles. I suspect the problem is something to do with the way the latest 1.3.9h zencart handles sessions as it seems that there are a few different gateways having similar problems.

In my case I am using the paypoint/secpay payment module.

It all works fine up until the callback is called with a successful payment transaction. The callback fails because the "session has timed out".

I've added some logging into the callback to check that the paypoint gateway is sending the zenid correctly, which it is, and I'm slowly working my way through the init_sessions code to try and identify why the session appears to be being reset.

As far as I understood it, providing the zenid, is being passed in the request then the checkout_process should reestablish the session. I get the impression that this is not happening, possibly as a result of the security enhancements that have been introduced ?

This isn't an SSL/NoSSL problem as others have encountered as all the calls are made without ssl.

I'm still working on the problem but would be grateful for any suggestions/insights into the way the session may be failing.

[davew]

I finally managed to fix the problem after tracing the session initialisation code through.

It turned out to be a problem with the Suhosin hardened version of php in use on my server. The default environment encrypts sessions as they are read and written to the database and for some reason this was preventing the session being reestablished correctly.

Turning the session encryption off by modifying the php.ini has resolved the problem. It can be turned off by adding:
suhosin.session.encrypt=Off

to the php.ini file.

So if you are having problems with a payment gateway giving the session timed out errors, check to see if your host is running Suhosin.