Running 1.5.0 locally with no add-ons. If a customer signs in, adds something to their cart, and starts the checkout process but then gets distracted so that the session timeout kicks in, the next time they press a "Continue" button they're taken to the page_not_found page.
I've traced this issue down to the following code section within /includes/init_includes/init_sanitize.php:
What is happening is that the securityToken is getting reset (due to the session timeout) so that the value in the $_SESSION is not equal to the value in the $_POST array. While the $mainPage value is valid, the $csrfBlackList array value is empty, resulting ultimately in a redirect to the page_not_found page.
$csrfBlackListLocal = array();
$csrfBlackList = (isset($csrfBlackListCustom)) ? array_merge($csrfBlackListLocal, $csrfBlackListCustom) : $csrfBlackListLocal;
// Create the per-session token if the session does not have one yet.
if (! isset ( $_SESSION ['securityToken'] )) {
  $_SESSION ['securityToken'] = md5 ( uniqid ( rand (), true ) );
}
// Only POST requests that carry an action are checked.
if ((isset ( $_GET ['action'] ) || isset($_POST['action']) ) && $_SERVER['REQUEST_METHOD'] == 'POST') {
  $mainPage = isset($_GET['main_page']) ? $_GET['main_page'] : FILENAME_DEFAULT;
  // Pages listed in $csrfBlackList skip the token comparison.
  if (!in_array($mainPage, $csrfBlackList)) {
    if ((! isset ( $_SESSION ['securityToken'] ) || ! isset ( $_POST ['securityToken'] )) || ($_SESSION ['securityToken'] !== $_POST ['securityToken'])) {
      zen_redirect ( zen_href_link ( FILENAME_PAGE_NOT_FOUND, '', $request_type ) );
    }
  }
}
I'm not sure what the $csrfBlackList code is supposed to be doing (it was added for v1.5.0), so I'm wont to simply remove it.
Any help would be appreciated.
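
The following is an added example, not part of the original post and not Zen Cart code: a stand-alone PHP model of the token check above that keeps the CSRF comparison but tells a session that was only just recreated (the timeout case described in the post) apart from a wrong token on a live session. The function names, return labels and the sample request values are assumptions made for illustration.

```php
<?php
// Hypothetical helpers modelling the check in init_sanitize.php; not Zen Cart functions.

/** Create the per-session token if missing; return true when it was created just now. */
function ensureToken(array &$session): bool
{
    if (isset($session['securityToken'])) {
        return false;
    }
    // CSPRNG-backed token instead of md5(uniqid(rand(), true)).
    $session['securityToken'] = bin2hex(random_bytes(16));
    return true;
}

/**
 * Returns 'proceed' (no POST action, exempt page, or matching token),
 * 'session_expired' (the session had no token until this request), or
 * 'reject' (live session, posted token absent or wrong).
 */
function checkCsrf(array &$session, array $get, array $post, string $method, array $exemptPages): string
{
    $fresh = ensureToken($session);
    $isAction = isset($get['action']) || isset($post['action']);
    if (!$isAction || $method !== 'POST') {
        return 'proceed';
    }
    $mainPage = $get['main_page'] ?? 'index';
    if (in_array($mainPage, $exemptPages, true)) {
        return 'proceed';
    }
    $posted = $post['securityToken'] ?? '';
    // Constant-time comparison; a non-string value never matches.
    if (is_string($posted) && hash_equals($session['securityToken'], $posted)) {
        return 'proceed';
    }
    return $fresh ? 'session_expired' : 'reject';
}

// Constructed scenario: the customer loads a checkout form, then presses "Continue".
$session = [];
checkCsrf($session, ['main_page' => 'checkout_shipping'], [], 'GET', []);
$get  = ['main_page' => 'checkout_shipping', 'action' => 'process'];
$post = ['securityToken' => $session['securityToken']]; // token embedded in the form

echo checkCsrf($session, $get, $post, 'POST', []), "\n"; // live session, matching token
$session = [];                                            // session timeout wipes server state
echo checkCsrf($session, $get, $post, 'POST', []), "\n"; // stale form token, new session
$post['securityToken'] = 'wrong';
echo checkCsrf($session, $get, $post, 'POST', []), "\n"; // live session, bad token
```

In both non-`proceed` outcomes the posted action is not executed; the distinction only lets the caller send a timed-out customer to a login or session-expired page rather than page_not_found.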