Re: Whoops! Your session has expired. after paypal continue, since webserver upgraded
Well, I posted my host. The server file name I stumbled across half awake is called Suhosin. I asked them about it, but am waiting for the reply.
Anyway, I came across this thread while searching everywhere:
http://www.zen-cart.com/forum/showthread.php?t=45997
Quote: Originally Posted by ferdball
Linda, I tried to do this with no luck... Here's my situation.
I upgraded from a 1.2.7 cart and then moved hosts (actually the other way around technically I HAD to upgrade because I moved to a php5 and mysql5 host)
I plugged in their Shared SSL "https://rdx.websitewelcome.com/~learta"
then I get the "Whoops.... session expired error" on checkout
Turned off SSL on config.php and it works fine.
Asked my host about the php security and they said they don't have anything funky installed.
Installed a BRAND NEW FRESH cart and added a dummy product, still happens.
I'm thinking it's a Shared SSL issue but don't know for sure.
PLEASE ANYONE have any ideas? help help! live site not working.
Reluctantly, I tried turning my (shared) SSL off in the config.php file, but not in the Admin config, just to see what would happen.
PP Exp went ok as usual, but when it came back to my site it did not time out! I went to step 3 to confirm on my site and got a warning "We were not able to process your order...."
I hadn't noticed, but when it came back to the store, instead of making a new user account, it pulled up a fake one I made in 2006 where only the city and state matched my real "new" account. So it rejected the sale for that mismatch. I mean I made this thing to be in Uruguay, at least I hope I did, it's been a while.
The fake test customer was deleted, I tried again, everything worked perfectly. Except my SSL is now off. So whatever this all means, at least it's a clue.
I wonder if shared SSL stopped working for PP express, or the host did something or ???
PayPal claimed what they see is a successful order when session times out, yet the order really isn't there, no emails, no PayPal records, I gave up on them helping me a while back.
Re: Whoops! Your session has expired. after paypal continue, since webserver upgraded
Sounds like your host's SSL configuration for your domain is broken since the upgrade.
Or maybe you're using 2 different domains for SSL vs non-SSL and thus your session cookies can't be re-established, and thus your session can't be read, and thus you can't be logged back in, and thus you're getting a timeout message.
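Added example, not part of the original posts: a small model of the RFC 6265 domain and path matching a browser applies before attaching a cookie, showing why a session cookie set on the store's own host never reaches a shared-SSL host. All hostnames, paths and the cookie values are constructed for illustration, and IP-address hosts are not handled.

```python
from urllib.parse import urlsplit

def domain_match(request_host, cookie_domain, host_only):
    """RFC 6265 section 5.1.3 domain matching (IP-address hosts not handled)."""
    request_host = request_host.lower()
    cookie_domain = cookie_domain.lower().lstrip(".")
    if host_only:
        return request_host == cookie_domain
    return request_host == cookie_domain or request_host.endswith("." + cookie_domain)

def path_match(request_path, cookie_path):
    """RFC 6265 section 5.1.4 path matching."""
    if request_path == cookie_path:
        return True
    if request_path.startswith(cookie_path):
        return cookie_path.endswith("/") or request_path[len(cookie_path)] == "/"
    return False

def cookie_sent(cookie, url):
    """Would a browser attach this stored cookie to a request for url?"""
    parts = urlsplit(url)
    if cookie["secure"] and parts.scheme != "https":
        return False
    return (domain_match(parts.hostname, cookie["domain"], cookie["host_only"])
            and path_match(parts.path or "/", cookie["path"]))

# Constructed session cookie, set while browsing the store over plain HTTP.
SESSION_COOKIE = {"name": "zenid", "domain": "store.example", "path": "/catalog/",
                  "host_only": False, "secure": False}

# Constructed URLs: the store's own host, a shared-SSL host, a dedicated-SSL host.
HTTP_STORE = "http://www.store.example/catalog/index.php?main_page=shopping_cart"
SHARED_SSL = "https://secure.sharedhost.example/~account/catalog/index.php?main_page=checkout"
DEDICATED_SSL = "https://www.store.example/catalog/index.php?main_page=checkout"

def survives_switch_to(ssl_url):
    """True if the HTTP-side session cookie reaches the HTTPS checkout URL."""
    return cookie_sent(SESSION_COOKIE, ssl_url)

if __name__ == "__main__":
    for url in (HTTP_STORE, SHARED_SSL, DEDICATED_SSL):
        print(cookie_sent(SESSION_COOKIE, url), url)
```

When the cookie does not reach the HTTPS host, the session can only continue if its ID is carried some other way, such as in the URL.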
Re: Whoops! Your session has expired. after paypal continue, since webserver upgraded
Thank you for the info as it fits my view of it too,
But before I go back to the host again, isn't a shared SSL setup going to have 2 different domains anyway? That's the way it was before for years and ok with PayPal Express if I understand you right. By the way, I am not in root, as some call it, I mean I set this up as /public_html/catalog/.
I just want to clarify my understanding of your second paragraph first, in case you want me to look for code flaws that I am not sure about yet or should have changed. As I did nothing before server upgrade, and compared all files to old ones for changes during the later Hack on my recent recovery process.
Re: Whoops! Your session has expired. after paypal continue, since webserver upgraded
I have no idea how to respond to your post.
Yes, shared SSL will have different domains. And that *always* runs the risk of problems and certainly creates potential for session cookie problems. It is always preferable to have a dedicated SSL, esp since they're dirt-cheap nowadays.
What are all your settings in Admin->Configuration->Sessions? and why? *** DO NOT GO CHANGING THEM WITHOUT REASON ***
I can't remember if you mentioned this already: who's your host?
Re: Whoops! Your session has expired. after paypal continue, since webserver upgraded
Session Directory /home/awordfiller/public_html/catalog/cache
Cookie Domain True
Force Cookie Use False
Check SSL Session ID False
Check User Agent False
Check IP Address False
Prevent Spider Sessions True
Recreate Session False
IP to Host Conversion Status true
I have not changed anything in these admin settings for as long as I can remember (which isn't saying much, but a long while ago anyway).
Why? I think because it was recommended by a developer some time ago in another thread. Or it was in the install directions, I did not guess at them.
My host is Total Choice Hosting.
This could be a lot easier if it was not "just" the host who very likely might have broken PayPal Express during this time. It worked flawlessly for years, until the "various" cluster of events mentioned in this thread during last June 09.
Re: Whoops! Your session has expired. after paypal continue, since webserver upgraded
Normally "Recreate Session" should be set to True. Otherwise you open security risks of hijacking other customers' sessions if several people get to your site via a URL containing a zenid.
The only reason to set it to false is if the hosting company says to do it because their configuration is nonstandard and would prevent logins.
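Added example, not part of the original posts and not Zen Cart's own code: a simplified in-memory model of the risk described above, where several visitors arrive through one link carrying the same zenid, and of what issuing a fresh session ID at login changes. The class, function names and the session ID string are hypothetical.

```python
import secrets

class SessionStore:
    """Minimal server-side session table (constructed for illustration)."""
    def __init__(self, recreate_session):
        self.recreate_session = recreate_session
        self.sessions = {}

    def visit(self, sid=None):
        """Handle a request; adopt the ID supplied in the URL, or issue one."""
        if sid is None:
            sid = secrets.token_hex(16)
        self.sessions.setdefault(sid, {"customer": None})
        return sid

    def login(self, sid, customer):
        """Authenticate; with recreate_session the data moves to a fresh ID."""
        data = self.sessions[sid]
        if self.recreate_session:
            del self.sessions[sid]           # the ID from the link stops working
            sid = secrets.token_hex(16)      # only the logging-in browser gets this
            self.sessions[sid] = data
        data["customer"] = customer
        return sid

    def customer_for(self, sid):
        """Which customer, if any, is this session ID logged in as?"""
        return self.sessions.get(sid, {}).get("customer")

def shared_link_scenario(recreate_session):
    """Two visitors follow the same link carrying one zenid; the first logs in."""
    store = SessionStore(recreate_session)
    link_sid = "constructed-zenid-from-shared-link"
    first = store.visit(link_sid)
    second = store.visit(link_sid)
    first = store.login(first, "customer-A")
    # What the second visitor, still holding the link's ID, is treated as.
    return store.customer_for(second)

if __name__ == "__main__":
    print("Recreate Session = False:", shared_link_scenario(False))
    print("Recreate Session = True: ", shared_link_scenario(True))
```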