-
Whoops! Your session has expired. after paypal continue, since webserver upgraded
Hello,
I searched and searched the forum, but need to ask what I might try next.
I have a zen store 1.3.7 running successfully for several years almost without need for coding. I believe I did all the updates that would make it 1.3.7.1 as they were announced. But due to burn out with other life issues, I have been waiting for a version above 1.3.8a before upgrading.
Ok, this is what happened;
Last week my host (no, it's not Go Daddy) upgraded server to Apache 2.2.11 and PHP 5.2.9. (I have already contacted them and they are looking into below problem, they have always served me well)
A customer and my own tests show the store checkout or Paypal Express button goes to PayPal as it should. You enter password and PayPal's first page comes up, then if you push "continue" button, PayPal redirects back to store to the "Whoops your session has timed out" and a place to login. No record or completion of sale is doable.
This is a relearning process for me, so please forgive my absence. I tried Dr. Byte's curl test and the ipncheck139.zip and results all appear ok.
Is there an issue with Zen 1.3.7 and these recent server upgrades?
Or should I be looking elsewhere?
I did go to PayPal and they are messing around with things too, but it appears they should be done by now.
Any ideas or overlooked threads I could look at?
Thank you,
JW
-
Re: Whoops! Your session has expired. after paypal continue
Quote:
upgraded server to Apache 2.2.11 and PHP 5.2.9. (I have already contacted them and they are looking into below problem,
Have them check their php settings around time; they might be using php's defaults.
-
Re: Whoops! Your session has expired. after paypal continue, since webserver upgraded
Thanks for the tip Kobra, I passed it on to my host. They thought the problem was resolved and asked me to test again. They didn't tell me what they did, but it failed to work. They are looking into it again.
I am now searching for my API Signature Password with no luck. I can't remember where it is, and my old notes are unforgiving. I was thinking of removing PayPal in admin and then reinstall with my same settings, but I need to get past that dang password roadblock for that trial.
I will follow up if anything works.
Thanks,
JW
-
Re: Whoops! Your session has expired. after paypal continue, since webserver upgraded
Just a note;
I found my password in PayPal - Profiles on left in API Access for those who may be of need.
Anyway the remove and reinstall of PayPal did not work.
Host has bumped me up to "Level 2 Support"
JW
-
Re: Whoops! Your session has expired. after paypal continue, since webserver upgraded
I got a response from my host at TCH. Below is also their answer to my store situation. The link PHP info is beyond me.:unsure:
JW
Quote:
PHP configuration can be viewed at --
http://skywalker.tchmachines.com/phpInfo.php
I would appreciate if you can give the cart developers this link and let me know their update regarding the php configuration. No major changes were made to the php setup except the version upgrade along with apache upgrade.
-
Re: Whoops! Your session has expired. after paypal continue, since webserver upgraded
That info is not where they need to be concentrating and it is not really the purpose of this venue to instruct them on how to configure their servers....
This is quoted from the doc's and pertinent to the .cnf files that they should know about
Quote:
# Manual edits of this file will be lost when Apache is updated.
So if they had any timings for php or mysql adjusted(optimized) for faster php/mysql operation they are gone
Contact me via my profile details
-
Re: Whoops! Your session has expired. after paypal continue, since webserver upgraded
Well, I am just now able to follow up, a long holiday spending my new years eve day and days after removing hacks and rebuilding the site.
After a troubling year and then an obvious hacked site exactly 30 days after this Session Expire issue in June of 09 I just had to shut this store down, too many other stressed out priorities for other lives and for some who are not with us anymore.
I totally volunteered to learn these codes, and Zen's ways, find the community very supportive and make no money from it. But the one who I made the store for certainly could have used the funds they missed out on. Ha, ha, little hacky pranksters just not really hurting anybody, so it appears, in their little denial minds.
Now to the issue still apparently at hand;
It appears a similar thread on this subject is at http://www.zen-cart.com/forum/showthread.php?t=136371.
My search so far has not found an answer. For me, "All browsers" PC or Mac had the time out issue, and I have yet to try the suggestions in this thread.
After rebuilding from the hack, reinstalling PayPal, reinstalling USPS, and doing "all" the suggested patches, my store finally "appears" to work, but not the PayPal Express for the same reason as before - "Whoops! your session has expired."
I noticed a suspicious order when PayPal Express started this symptom, finally turned it off and used just PP IPN, then got the hack attack in July like many others. Also my custom Logo on PayPal was not linked anymore. I wonder if there was a connection to the hack or just another coincidence, such as my server also upgrading the PHP near that date in June. I just wonder and wonder.
-
Re: Whoops! Your session has expired. after paypal continue, since webserver upgraded
Below are the follow-up posts my server provided since our correspondence Kobra, I apologize for the delay. If they are of any help in pointing me a different direction. I tried every setting I could on PayPal Express, it now is turned off.
Quote:
Posted On: 07 Jun 2009 07:27 PM
I have been rechecking and reinstalling some of my code for zen store and keeping on top of this all weekend. But all tests are the same as prior ticket. Same time out issue warning when directed from PayPal to my store. Store has been running for over 2 years with no problems and had no problems with your prior upgrade(s) of the server. But this last upgrade situation has made store not able to make sales.
Below is Kobra's at Zen Forum answer to your provided link to server settings.
> kobra
>
> Join Date: Aug 2005
> Posts: 15,366
> That info is not where they need to be concentrating and it is not really the purpose of this venue to instruct them on how to configure their servers....
> This is quoted from the doc's and pertinent to the .cnf files that they should know about
> Quote:
> # Manual edits of this file will be lost when Apache is updated.
> So if they had any timings for php or mysql adjusted(optimized) for faster php/mysql operation they are gone.
their reply;
Posted On: 07 Jun 2009 09:11 PM
Hello,
None of the Apache settings have changed on the recompile, as we keep a tab on such tweaks. But this does not include any custom changes that you may have done on the scripts or via overrides on .htaccess.
I am checking for possible leads but would really appreciate if the developer can pin point exactly what could potentially cause such an issue, as he will be able to debug the script faster.
Regards,
C--- N----
Level 2 System Administrator
My reply:
Posted On: 08 Jun 2009 02:22 PM
I am still gathering info, and making tests with logs.
Could you tell me, do you have other Zencarts on this server?
Are they ok?
Their reply:
Posted On: 08 Jun 2009 02:37 PM
Hi,
There are another 4 active installations of Zen Cart on your server itself and many of our users having Zen cart on many of our other servers. However, the issue that you have stated is not raised by any others. That is why still we are saying that it is not something related to the server software upgrade. As C--- suggested, kindly get back to us with the inputs from the developer side - so that we can fix it for you.
Thank you.
Regards,
A---- S----
Thanks,
-
Re: Whoops! Your session has expired. after paypal continue, since webserver upgraded
Quote:
If they are of any help in pointing me a different direction.
Quote:
I have a zen store 1.3.7 running successfully for several years almost without need for coding.
Last week my host upgraded server to Apache 2.2.11 and PHP 5.2.9.
Think that this covers it if you are certain that you have not changed/added anything around this time
-
Re: Whoops! Your session has expired. after paypal continue, since webserver upgraded
I am certain I did not change anything, but I did get what appeared to be a large bogus purchase about the same time as the host upgrade that did not complete, PayPal Express broke ever since. I turned PPEx. off soon after reinstalling and trouble shooting, then 30 days later I get "tagged" as Hacked in image files. I may have been hacked all along, but didn't know it till they announced it to me. I reinstalled PayPal again right away, did some patches, but that didn't work, with other priorities needed, I shut down completely.
It could be the Host, maybe they changed something but claim they didn't. I am now finished doing the "Recovering from Hacks", I did "all" the security patches, I gave the transaction more time to lock in at Admin setting (yet it is only seconds to get the timeout). My store has been down since early July 09. The timing of the bogus purchase, not knowing we were hacked till later, and the Host changes just complicates it all. At least the IPN Paypal works ok.
I will try the Host again, I read somewhere on this forum about a new PHP security thing some Hosts were adding that gave the 1.38 people similar problems, but haven't re-found the thread to get its name. I'll look some more and try that route.
Thanks for your reply,
-
Re: Whoops! Your session has expired. after paypal continue, since webserver upgraded
Well I posted my host, the server file name I stumbled across half awake is called Suhosin. I asked them about it, but waiting the reply.
Anyway I came across this thread while searching everywhere;
http://www.zen-cart.com/forum/showthread.php?t=45997
Quote:
Originally Posted by ferdball
Linda, I tried to do this with no luck... Here's my situation.
I upgraded from a 1.2.7 cart and then moved hosts (actually the other way around technically I HAD to upgrade because I moved to a php5 and mysql5 host)
I plugged in their Shared SSL "https://rdx.websitewelcome.com/~learta"
then I get the "Whoops.... session expired error" on checkout
Turned off SSL on config.php and it works fine.
Asked my host about the php security and they said they don't have anything funky installed.
Installed a BRAND NEW FRESH cart and added a dummy product, still happens.
I'm thinking it's a Shared SSL issue but don't know for sure.
PLEASE ANYONE have any ideas? help help! live site not working.
Reluctantly, I tried turning off my (shared) SSL off in config.php file, but not in the Admin config, just to see what would happen.
PP Exp went ok as usual, but when it came back to my site it did not timeout! I went to step 3 to confirm on my site and got a warning "We were not able to process your order...."
I hadn't noticed but when it came back to store instead of making a new user account, it pulled up a fake one I made in 2006 that only the city and state matched my real "new" account. So it rejected the sale for that mismatch. I mean I made this thing to be in Uruguay, at least I hope I did, it's been a while.
The fake test customer was deleted, I tried again, everything worked perfect. Except my SSL is now off. So whatever this all means, at least it's a clue.
I wonder if shared SSL stopped working for PP express, or the host did something or ???
PayPal claimed what they see is a successful order when session times out, yet the order really isn't there, no emails, no PayPal records, I gave up on them helping me a while back.:lamo:
-
Re: Whoops! Your session has expired. after paypal continue, since webserver upgraded
Sounds like your host's SSL configuration for your domain is broken since the upgrade.
Or maybe you're using 2 different domains for SSL vs non-SSL and thus your session cookies can't be re-established, and thus your session can't be read, and thus you can't be logged back in, and thus you're getting a timeout message.
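The cookie-scope diagnosis above can be checked with a small model of the browser's RFC 6265 domain rules. This is an added example, not part of the original post and not Zen Cart code; the hostnames, the session id value and the function names are constructed placeholders, with `zenid` taken from the thread as the session cookie name.

```python
from urllib.parse import urlsplit

def domain_match(host, cookie_domain):
    """RFC 6265 5.1.3: same name, or host is a subdomain of cookie_domain."""
    host, dom = host.lower(), cookie_domain.lower().lstrip(".")
    return host == dom or host.endswith("." + dom)

class Browser:
    """Minimal cookie jar: entries are (name, value, domain, host_only)."""
    def __init__(self):
        self.jar = []

    def set_cookie(self, response_url, name, value, domain=None):
        host = urlsplit(response_url).hostname
        if domain is None:
            self.jar.append((name, value, host, True))   # host-only cookie
        elif domain_match(host, domain):
            self.jar.append((name, value, domain.lstrip(".").lower(), False))
        # A cookie whose Domain does not cover the responding host is dropped.

    def cookies_for(self, url):
        host = urlsplit(url).hostname
        sent = {}
        for name, value, domain, host_only in self.jar:
            if (host == domain) if host_only else domain_match(host, domain):
                sent[name] = value
        return sent

def session_survives(store_url, return_url, cookie_domain=None):
    """True if the session cookie set on store_url is sent to return_url."""
    browser = Browser()
    browser.set_cookie(store_url, "zenid", "constructed-session-id", cookie_domain)
    return "zenid" in browser.cookies_for(return_url)

def scenarios():
    shop = "http://www.shop.example/catalog/"            # constructed store URL
    shared = "https://secure.sharedhost.example/~shop/catalog/"
    bare = "https://shop.example/catalog/"
    return {
        "shared SSL host": session_survives(shop, shared),
        "dedicated SSL, same host": session_survives(shop, "https://www.shop.example/catalog/"),
        "bare domain, host-only cookie": session_survives(shop, bare),
        "bare domain, Domain=shop.example": session_survives(shop, bare, "shop.example"),
        "shared host, Domain=shop.example": session_survives(shop, shared, "shop.example"),
    }

if __name__ == "__main__":
    for name, ok in scenarios().items():
        print(f"{name:34} {'session found' if ok else 'session lost -> timeout page'}")
```

The model covers only the browser's cookie rules: no Domain value set by the store can make its cookie reach a shared-SSL hostname, so a return landing there has to find the session some other way or it starts a new one.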
-
Re: Whoops! Your session has expired. after paypal continue, since webserver upgraded
Thank you for the info as it fits my view of it too,
But before I go back to the host again, isn't a shared SSL set up going to have 2 different domains anyway? That's the way it was before for years and ok with PayPal Express if I understand you right. By the way, I am not in root, as some call it, I mean I set this up as /public_html/catalog/.
I just want to clarify my understanding of your second paragraph first, in case you want me to look for code flaws that I am not sure about yet or should have changed. As I did nothing before server upgrade, and compared all files to old ones for changes during the later Hack on my recent recovery process.
-
Re: Whoops! Your session has expired. after paypal continue, since webserver upgraded
I have no idea how to respond to your post.
Yes, shared SSL will have different domains. And that *always* runs the risk of problems and certainly creates potential for session cookie problems. It is always preferable to have a dedicated SSL, esp since they're dirt-cheap nowadays.
What are all your settings in Admin->Configuration->Sessions? and why? *** DO NOT GO CHANGING THEM WITHOUT REASON ***
I can't remember if you mentioned this already: who's your host?
-
Re: Whoops! Your session has expired. after paypal continue, since webserver upgraded
Session Directory /home/awordfiller/public_html/catalog/cache
Cookie Domain True
Force Cookie Use False
Check SSL Session ID False
Check User Agent False
Check IP Address False
Prevent Spider Sessions True
Recreate Session False
IP to Host Conversion Status true
I have not changed anything in these admin settings for as long as I can remember (which isn't saying much, but a long while ago anyway).
Why? I think because it was recommended by a developer some time ago in another thread. Or it was in the install directions, I did not guess at them.
My host is Total Choice Hosting.
This could be a lot easier if it was not "just" the host who very likely might have broken PayPal Express during this time. It worked flawlessly for years, until the "various" cluster of events mentioned in this thread during last June 09.
-
Re: Whoops! Your session has expired. after paypal continue, since webserver upgraded
Normally "Recreate Session" should be set to True. Otherwise you open security risks of hijacking other customers' sessions if several people get to your site via a URL containing a zenid.
The only reason to set it to false is if the hosting company says to do it because their configuration is nonstandard and would prevent logins.
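Why "Recreate Session" matters when a session id travels in a URL, shown as an added example that is not part of the original post and is not Zen Cart's own code. `SessionStore`, `shared_link_outcome` and the customer label are hypothetical names for a simplified in-memory model of the setting.

```python
import secrets

class SessionStore:
    """In-memory stand-in for a store's session table (simplified model)."""
    def __init__(self, recreate_session):
        self.recreate_session = recreate_session
        self.sessions = {}

    def visit(self, sid=None):
        """Page view: reuse a known id (e.g. from ?zenid=...), else issue a new one."""
        if sid not in self.sessions:
            sid = secrets.token_hex(16)
            self.sessions[sid] = {"customer": None}
        return sid

    def login(self, sid, customer):
        """Log in; with recreate_session the pre-login id is retired first."""
        data = self.sessions[sid]
        if self.recreate_session:
            del self.sessions[sid]              # old id no longer resolves
            sid = secrets.token_hex(16)         # fresh id only this browser receives
            self.sessions[sid] = data
        data["customer"] = customer
        return sid

    def whoami(self, sid):
        return self.sessions.get(sid, {}).get("customer")

def shared_link_outcome(recreate_session):
    """Returns (who the id from the shared link resolves to, whether login changed the id)."""
    store = SessionStore(recreate_session)
    link_id = store.visit()                     # id that ends up in a posted link
    sid = store.visit(link_id)                  # a customer arrives through that link
    new_sid = store.login(sid, "customer-B")    # constructed customer label
    return store.whoami(link_id), new_sid != link_id

if __name__ == "__main__":
    for setting in (False, True):
        owner, rotated = shared_link_outcome(setting)
        print(f"Recreate Session={setting}: link id resolves to {owner!r}, id rotated={rotated}")
```

With the setting off, the id in the shared link resolves to the logged-in customer; with it on, the link id stops resolving at login and the customer continues on a new id.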