  1. #41
    Join Date
    Dec 2009
    Location
    Amersfoort, The Netherlands
    Posts
    2,846
    Plugin Contributions
    25

    Default Re: Epath Gateway Problem

    Good catch, thanks for sharing. You can come collect your medal in my office.
    Quote Originally Posted by oavs View Post
    I need a medal for this :-)

    In includes/modules/payments/epath.php

    ==Replace this========================
    // class methods
    function update_status() {
    global $order, $db;

    if ( ($this->enabled == true) && ((int)MODULE_PAYMENT_EPATH_ZONE > 0) ) {
    $check_flag = false;
    $check_query = $db->Execute("select zone_id from " . TABLE_ZONES_TO_GEO_ZONES . " where geo_zone_id = '" . MODULE_PAYMENT_EPATH_ZONE . "' and zone_country_id = '" . $order->billing['country']['id'] . "' order by zone_id");
    while (!$check_query->EOF) {
    if ($check_query['zone_id'] < 1) {
    $check_flag = true;
    break;
    } elseif ($check_query['zone_id'] == $order->billing['zone_id']) {
    $check_flag = true;
    break;
    }
    $check_query->MoveNext();
    }
    ==========================

    ==With this==================
    // class methods
    function update_status() {
    global $order, $db;
    if ($this->enabled && (int)$this->zone > 0) {
    $check_flag = false;
    $sql = "SELECT zone_id
    FROM " . TABLE_ZONES_TO_GEO_ZONES . "
    WHERE geo_zone_id = :zoneId
    AND zone_country_id = :countryId
    ORDER BY zone_id";
    $sql = $db->bindVars($sql, ':zoneId', $this->zone, 'integer');
    $sql = $db->bindVars($sql, ':countryId', $order->billing['country']['id'], 'integer');
    $check = $db->Execute($sql);
    while (!$check->EOF) {
    if ($check->fields['zone_id'] < 1) {
    $check_flag = true;
    break;
    } elseif ($check->fields['zone_id'] == $order->billing['zone_id']) {
    $check_flag = true;
    break;
    }
    $check->MoveNext();
    }

  2. #42
    Join Date
    Oct 2013
    Location
    Canada
    Posts
    29
    Plugin Contributions
    0

    Default Re: Epath Gateway Problem

    Site: https://canadaflagshop.com/shop
    Zencart 1.5.6c
    PHP: 7.3.16
    SSL Certificate
    Siteground Web Host
    Using Sucuri Cloudproxy Firewall (with CDN)
    Epath gateway last upgraded in Feb 2019

    In the last few days we have had a significantly higher than normal number of customers experiencing zencart session timeout messages, AFTER submitting their payment details on our epath manual payment gateway page. The timeout is occurring after they press submit and should then be redirected back to our Zencart checkout_success page where they see an order number and the order details have been recorded and sent to us. Consequently when the timeout occurs, customer sees the zencart session expired page and we do not receive a completed order (even though epath still captures the payment details).

    Having questioned enough customers now it seems issue is limited to those using Google Chrome (on pc and mobile) and they take more than 1 minute to complete the external epath payment page before pressing submit.

    Have verified with our webhost that server performance is not an issue and they even tried adding a dynamic timeout script to our htaccess file to no effect.
    No changes to our cpanel settings or zencart software recently. Any ideas?

  3. #43
    Join Date
    Sep 2009
    Location
    Stuart, FL
    Posts
    12,630
    Plugin Contributions
    88

    Default Re: Epath Gateway Problem

    Quote Originally Posted by robertluer View Post
    Site: https://canadaflagshop.com/shop
    Zencart 1.5.6c
    PHP: 7.3.16
    SSL Certificate
    Siteground Web Host
    Using Sucuri Cloudproxy Firewall (with CDN)
    Epath gateway last upgraded in Feb 2019

    In the last few days we have had a significantly higher than normal number of customers experiencing zencart session timeout messages, AFTER submitting their payment details on our epath manual payment gateway page. The timeout is occurring after they press submit and should then be redirected back to our Zencart checkout_success page where they see an order number and the order details have been recorded and sent to us. Consequently when the timeout occurs, customer sees the zencart session expired page and we do not receive a completed order (even though epath still captures the payment details).

    Having questioned enough customers now it seems issue is limited to those using Google Chrome (on pc and mobile) and they take more than 1 minute to complete the external epath payment page before pressing submit.

    Have verified with our webhost that server performance is not an issue and they even tried adding a dynamic timeout script to our htaccess file to no effect.
    No changes to our cpanel settings or zencart software recently. Any ideas?
    You'll likely need the samesite-cookie patch. See this (https://github.com/zencart/zencart/issues/3721) Zen Cart GitHub issue for details.

    I've seen various session-related issues with Chrome over the past few months and my belief is that the samesite-cookie processing is the culprit.

  4. #44
    Join Date
    Oct 2013
    Location
    Canada
    Posts
    29
    Plugin Contributions
    0

    Default Re: Epath Gateway Problem

    Thanks lat9 for your reply. Tried those recently changed init_sessions.php files (admin and catalogue) for 1.5.8 in my 1.5.6c installation and it caused all transactions on any browser to timeout. (I have been clearing all cookies/cache before testing). Is there a specific patch available for 1.5.6c?

  5. #45
    Join Date
    Sep 2009
    Location
    Stuart, FL
    Posts
    12,630
    Plugin Contributions
    88

    Default Re: Epath Gateway Problem

    Quote Originally Posted by robertluer View Post
    Thanks lat9 for your reply. Tried those recently changed init_sessions.php files (admin and catalogue) for 1.5.8 in my 1.5.6c installation and it caused all transactions on any browser to timeout. (I have been clearing all cookies/cache before testing). Is there a specific patch available for 1.5.6c?
    Just take that code-bit that @proseLA posted, copy it, and in both the admin and storefront init_sessions.php files replace the one line that contains the session_set_cookie_params function call with that code block.

  6. #46
    Join Date
    Oct 2013
    Location
    Canada
    Posts
    29
    Plugin Contributions
    0

    Default Re: Epath Gateway Problem

    Tried that code bit @proseLA posted and I'm still getting the zencart session expired page if taking more than 1 minute to complete the epath payment page on Google Chrome. I'm not code savvy so in case I've incorrectly copied and pasted that code, below is what I have in my init_sessions files. In case it's relevant I am noticing that the Zen ID has changed from what it was originally when returning from Epath and landing on the session timeout page. Dr Byte refers to setting default to LAX - does that require a change to the code below?

    init_session.php Admin:

    Code:
    <?php
    /**
     * @package admin
     * @copyright Copyright 2003-2016 Zen Cart Development Team
     * @copyright Portions Copyright 2003 osCommerce
     * @license http://www.zen-cart.com/license/2_0.txt GNU Public License V2.0
     * @version $Id: Author: DrByte  Sun Jan 10 02:53:32 2016 -0500 Modified in v1.5.5 $
     */
    if (!defined('IS_ADMIN_FLAG')) {
      die('Illegal Access');
    }
    // require the session handling functions
      require(DIR_FS_CATALOG . DIR_WS_FUNCTIONS . 'sessions.php');
    
      zen_session_name('zenAdminID');
      zen_session_save_path(SESSION_WRITE_DIRECTORY);
    
    // set the session cookie parameters
    $path = str_replace('\\', '/', dirname($_SERVER['SCRIPT_NAME']));
    if (defined('SESSION_USE_ROOT_COOKIE_PATH') && SESSION_USE_ROOT_COOKIE_PATH  == 'True') $path = '/';
    $path = (defined('CUSTOM_COOKIE_PATH')) ? CUSTOM_COOKIE_PATH : $path;
    $domainPrefix = (!defined('SESSION_ADD_PERIOD_PREFIX') || SESSION_ADD_PERIOD_PREFIX == 'True') ? '.' : '';
    if (filter_var($cookieDomain, FILTER_VALIDATE_IP)) $domainPrefix = '';
    $secureFlag = (substr(HTTP_SERVER, 0, 6) == 'https:') ? TRUE : FALSE;
    $samesite = CONFIG_SAMESITE;  // Lax or Strict or None
    
    if(PHP_VERSION_ID < 70300) {
            session_set_cookie_params(0, $path .'; samesite='.$samesite, (zen_not_null($cookieDomain) ? $domainPrefix . $cookieDomain : ''), $secureFlag, TRUE);
    } else {
            session_set_cookie_params([
                'lifetime' => 0,
                'path' => $path,
                'domain' => (zen_not_null($cookieDomain) ? $domainPrefix . $cookieDomain : ''),
                'secure' => $secureFlag,
                'httponly' => TRUE,
                'samesite' => $samesite
            ]);
    }
    /**
     * Sanitize the IP address, and resolve any proxies.
     */
    $ipAddressArray = explode(',', zen_get_ip_address());
    $ipAddress = (sizeof($ipAddressArray) > 0) ? $ipAddressArray[0] : '.';
    $_SERVER['REMOTE_ADDR'] = $ipAddress;
    
    // lets start our session
      zen_session_start();
      $session_started = true;
    
    if (! isset ( $_SESSION ['securityToken'] ))
    {
      $_SESSION ['securityToken'] = md5 ( uniqid ( rand (), true ) );
    }
    if ((isset ( $_GET ['action'] ) || isset($_POST['action']) ) && $_SERVER['REQUEST_METHOD'] == 'POST')
    {
      if ((! isset ( $_SESSION ['securityToken'] ) || ! isset ( $_POST ['securityToken'] )) || ($_SESSION ['securityToken'] !== $_POST ['securityToken']))
      {
        zen_redirect ( zen_href_link ( FILENAME_DEFAULT, '', 'SSL' ) );
      }
    }
    And for the catalogue:
    Code:
    <?php
    /**
     * session handling
     * see {@link  http://www.zen-cart.com/wiki/index.p...als#InitSystem wikitutorials} for more details.
     *
     * @package initSystem
     * @copyright Copyright 2003-2019 Zen Cart Development Team
     * @copyright Portions Copyright 2003 osCommerce
     * @license http://www.zen-cart.com/license/2_0.txt GNU Public License V2.0
     * @version $Id: mc12345678 2019 Apr 30 Modified in v1.5.6b $
     */
    if (!defined('IS_ADMIN_FLAG')) {
      die('Illegal Access');
    }
    /**
     * sanity check in case zenid has been incorrectly supplied as an htmlencoded param name
     */
    if (!isset($_GET['zenid']) && isset($_GET['amp;zenid'])) {
      $_GET['zenid'] = $_GET['amp;zenid'];
      unset($_GET['amp;zenid']);
    } else if (isset($_GET['amp;zenid'])) {
      unset($_GET['amp;zenid']);
    }
    
    /**
     * require the session handling functions
     */
    require(DIR_WS_FUNCTIONS . 'sessions.php');
    /**
     * set the session name and save path
     */
    zen_session_name('zenid');
    zen_session_save_path(SESSION_WRITE_DIRECTORY);
    /**
     * set the session cookie parameters
     */
    $path = str_replace('\\', '/', dirname($_SERVER['SCRIPT_NAME']));
    if (defined('SESSION_USE_ROOT_COOKIE_PATH') && SESSION_USE_ROOT_COOKIE_PATH  == 'True') $path = '/';
    $path = (defined('CUSTOM_COOKIE_PATH')) ? CUSTOM_COOKIE_PATH : $path;
    $domainPrefix = (!defined('SESSION_ADD_PERIOD_PREFIX') || SESSION_ADD_PERIOD_PREFIX == 'True') ? '.' : '';
    if (filter_var($cookieDomain, FILTER_VALIDATE_IP)) $domainPrefix = '';
    $secureFlag = ((ENABLE_SSL == 'true' && substr(HTTP_SERVER, 0, 6) == 'https:' && substr(HTTPS_SERVER, 0, 6) == 'https:') || (ENABLE_SSL == 'false' && substr(HTTP_SERVER, 0, 6) == 'https:')) ? TRUE : FALSE;
    $samesite = CONFIG_SAMESITE;  // Lax or Strict or None
    
    if(PHP_VERSION_ID < 70300) {
            session_set_cookie_params(0, $path .'; samesite='.$samesite, (zen_not_null($cookieDomain) ? $domainPrefix . $cookieDomain : ''), $secureFlag, TRUE);
    } else {
            session_set_cookie_params([
                'lifetime' => 0,
                'path' => $path,
                'domain' => (zen_not_null($cookieDomain) ? $domainPrefix . $cookieDomain : ''),
                'secure' => $secureFlag,
                'httponly' => TRUE,
                'samesite' => $samesite
            ]);
    }
    /**
     * set the session ID if it exists
     */
    if (isset($_POST[zen_session_name()])) {
      zen_session_id($_POST[zen_session_name()]);
    } elseif ( ($request_type == 'SSL') && isset($_GET[zen_session_name()]) ) {
      zen_session_id($_GET[zen_session_name()]);
    }
    /**
     * Sanitize the IP address, and resolve any proxies.
     */
    $ipAddressArray = explode(',', zen_get_ip_address());
    $ipAddress = (sizeof($ipAddressArray) > 0) ? $ipAddressArray[0] : '.';
    $_SERVER['REMOTE_ADDR'] = $ipAddress;
    /**
     * start the session
     */
    $session_started = false;
    if (SESSION_FORCE_COOKIE_USE == 'True') {
      setcookie('cookie_test', 'please_accept_for_session', time()+60*60*24*30, $path, (zen_not_null($cookieDomain) ? $domainPrefix . $cookieDomain : ''), $secureFlag);
    
      if (isset($_COOKIE['cookie_test'])) {
        zen_session_start();
        $session_started = true;
      }
    } elseif (SESSION_BLOCK_SPIDERS == 'True') {
      $user_agent = '';
      if (isset($_SERVER['HTTP_USER_AGENT'])) {
        $user_agent = strtolower($_SERVER['HTTP_USER_AGENT']);
      }
      $spider_flag = false;
      if (zen_not_null($user_agent)) {
        $spiders = file(DIR_WS_INCLUDES . 'spiders.txt');
        for ($i=0, $n=sizeof($spiders); $i<$n; $i++) {
          if (zen_not_null($spiders[$i]) && substr($spiders[$i], 0, 4) != '$Id:') {
            if (is_integer(strpos($user_agent, trim($spiders[$i])))) {
              $spider_flag = true;
              break;
            }
          }
        }
      }
      if ($spider_flag == false) {
        zen_session_start();
        $session_started = true;
      } else {
        if (isset($_GET['zenid']) && $_GET['zenid'] != '') {
          $tmp = (isset($_GET['main_page']) && $_GET['main_page'] != '') ? $_GET['main_page'] : FILENAME_DEFAULT;
          @header("HTTP/1.1 301 Moved Permanently");
          @zen_redirect(@zen_href_link($tmp, @zen_get_all_get_params(array('zenid')), $request_type, FALSE));
          unset($tmp);
          die();
        }
      }
    } else {
      zen_session_start();
      $session_started = true;
    }
    unset($spiders);
    /**
     * set host_address once per session to reduce load on server
     */
    if (!isset($_SESSION['customers_host_address'])) {
      if (SESSION_IP_TO_HOST_ADDRESS == 'true') {
        $_SESSION['customers_host_address']= @gethostbyaddr($_SERVER['REMOTE_ADDR']);
      } else {
        $_SESSION['customers_host_address'] = OFFICE_IP_TO_HOST_ADDRESS;
      }
    }
    /**
     * verify the ssl_session_id if the feature is enabled
     */
    if ( ($request_type == 'SSL') && (SESSION_CHECK_SSL_SESSION_ID == 'True') && (ENABLE_SSL == 'true') && ($session_started == true) ) {
      $ssl_session_id = $_SERVER['SSL_SESSION_ID'];
      if (empty($_SESSION['SSL_SESSION_ID'])) {
        $_SESSION['SSL_SESSION_ID'] = $ssl_session_id;
      }
      if ($_SESSION['SSL_SESSION_ID'] != $ssl_session_id) {
        zen_session_destroy();
        zen_redirect(zen_href_link(FILENAME_SSL_CHECK));
      }
    }
    /**
     * verify the browser user agent if the feature is enabled
     */
    if (SESSION_CHECK_USER_AGENT == 'True') {
      $http_user_agent = $_SERVER['HTTP_USER_AGENT'];
      if (empty($_SESSION['SESSION_USER_AGENT'])) {
        $_SESSION['SESSION_USER_AGENT'] = $http_user_agent;
      }
      if ($_SESSION['SESSION_USER_AGENT'] != $http_user_agent) {
        zen_session_destroy();
        zen_redirect(zen_href_link(FILENAME_LOGIN, '', 'SSL'));
      }
    }
    /**
     * verify the IP address if the feature is enabled
     */
    if (SESSION_CHECK_IP_ADDRESS == 'True') {
      $ip_address = zen_get_ip_address();
      if (empty($_SESSION['SESSION_IP_ADDRESS'])) {
        $_SESSION['SESSION_IP_ADDRESS'] = $ip_address;
      }
      if ($_SESSION['SESSION_IP_ADDRESS'] != $ip_address) {
        zen_session_destroy();
        zen_redirect(zen_href_link(FILENAME_LOGIN, '', 'SSL'));
      }
    }
    Zencart admin sessions screenshot and zencart session timeout pages attached.
    Last edited by robertluer; 21 Aug 2020 at 05:16 PM.

  7. #47
    Join Date
    Jan 2004
    Posts
    66,391
    Blog Entries
    7
    Plugin Contributions
    81

    Default Re: Epath Gateway Problem

    If you're wanting to use the samesite stuff, in the code you posted, change this:

    $samesite = CONFIG_SAMESITE; // Lax or Strict or None

    to this:

    $samesite = 'lax';


    You can't reference CONFIG_SAMESITE if it's not defined, otherwise you'll get errors like "PHP Warning: Use of undefined constant CONFIG_SAMESITE".
    Bypassing that by passing a string will avoid that whole issue.

    Remember: Any code suggestions you see here are merely suggestions. You assume full responsibility for your use of any such suggestions, including any impact ANY alterations you make to your site may have on your PCI compliance.
    Furthermore, any advice you see here about PCI matters is merely an opinion, and should not be relied upon as "official". Official PCI information should be obtained from the PCI Security Council directly or from one of their authorized Assessors.

  8. #48
    Join Date
    Oct 2013
    Location
    Canada
    Posts
    29
    Plugin Contributions
    0

    Default Re: Epath Gateway Problem

    Thanks for the input DrByte - tried exactly what you suggested (in admin and catalogue files) and it caused ALL sessions (in Chrome and Firefox) to revert to the zencart session timeout page when coming out of epath and returning to my site, even if only on the epath page for 10-20 seconds. (clearing website cache and browser cache before each test)

  9. #49
    Join Date
    Sep 2009
    Location
    Stuart, FL
    Posts
    12,630
    Plugin Contributions
    88

    Default Re: Epath Gateway Problem

    Does the site respond 'better' if you use

    $samesite = 'none';

    instead of

    $samesite = 'lax';

  10. #50
    Join Date
    Oct 2013
    Location
    Canada
    Posts
    29
    Plugin Contributions
    0

    Default Re: Epath Gateway Problem

    Tried $samesite = 'none'; and this caused ALL transactions in CHROME to session timeout instead of going to the checkout_success page. However transactions in Firefox and Edge still worked.
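
An added example, not code from this thread or from Zen Cart: one way to build the `session_set_cookie_params` arguments discussed above so that an undefined `CONFIG_SAMESITE` falls back to a default and a `SameSite=None` cookie without `Secure` is flagged. The `example_*` function names and the sample path are assumptions, as is the premise that the gateway returns the customer with a cross-site POST.

```php
<?php
// Added example, not Zen Cart code; the example_* names are hypothetical.

/** Normalise a SameSite value; fall back to 'Lax' when it is missing or unknown. */
function example_normalise_samesite($value)
{
    $allowed = ['lax' => 'Lax', 'strict' => 'Strict', 'none' => 'None'];
    $key = strtolower(trim((string)$value));
    return isset($allowed[$key]) ? $allowed[$key] : 'Lax';
}

/** Build the cookie settings and list the combinations worth a log entry. */
function example_session_cookie_params($path, $domain, $secure, $samesite)
{
    $samesite = example_normalise_samesite($samesite);
    $warnings = [];
    if ($samesite === 'None' && !$secure) {
        // Chrome rejects a SameSite=None cookie that lacks the Secure attribute.
        $warnings[] = 'SameSite=None without Secure: Chrome will reject the cookie';
    }
    if ($samesite !== 'None') {
        // Lax and Strict cookies are withheld from cross-site POST requests.
        $warnings[] = "SameSite=$samesite: not sent on a cross-site POST return";
    }
    return [
        'params' => [
            'lifetime' => 0,
            'path'     => $path,
            'domain'   => $domain,
            'secure'   => (bool)$secure,
            'httponly' => true,
            'samesite' => $samesite,
        ],
        'warnings' => $warnings,
    ];
}

/** Apply the settings with the call form the running PHP version supports. */
function example_apply_session_cookie_params(array $p)
{
    if (PHP_VERSION_ID >= 70300) {
        session_set_cookie_params($p);
        return;
    }
    // PHP before 7.3 has no samesite option; the thread's code appends it to the path.
    session_set_cookie_params($p['lifetime'], $p['path'] . '; samesite=' . $p['samesite'],
        $p['domain'], $p['secure'], $p['httponly']);
}

// Read the constant only when it exists, avoiding the "undefined constant" warning.
$configured = defined('CONFIG_SAMESITE') ? CONFIG_SAMESITE : 'Lax';
// Constructed sample values: an HTTPS store under /shop, no explicit cookie domain.
$result = example_session_cookie_params('/shop', '', true, $configured);
foreach ($result['warnings'] as $warning) {
    error_log('session cookie: ' . $warning);
}
example_apply_session_cookie_params($result['params']);
```

The call has to run before the session is started, in the same place as the existing `session_set_cookie_params` call.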

 

 