-
[Done 160] V154 & V155 cookies off zenid changing w every page change. add item fails
In V154 and 155, I have been testing with cookies refused. I have discovered that the session id zenid changes every time you click on a link. I have tested this in Firefox and Chrome and both have the same issue. This, I think, then causes a "whoops" time out message to be displayed when you try to add an item to the cart.
I store the session info in the database and the session record is being created and destroyed for each new click.
You can see this if you turn off cookies and then go to the site then hover over a link you will see that the session id has changed for the next click.
I had to click once to get a zenid but from then on all the links have a different zenid.
I assume for a session to work the new links should have the same zenid (session id).
-
Re: V154 & V155 when cookies off zenid changing with every change of page. add item f
Not a bug.
If your store is set to require cookies but you turn cookies off in your browser, then it's not going to work.
Simple solution: don't do that.
Question: why are you doing that?
-
Re: V154 & V155 when cookies off zenid changing with every change of page. add item f
Store is not set to require cookies. Force cookie use is false. Should it be true?
I was testing it because a number of customers complained that they could not add items to the basket. I was guessing that they had turned cookies off.
Quote:
Originally Posted by
DrByte
Not a bug.
If your store is set to require cookies but you turn cookies off in your browser, then it's not going to work.
Simple solution: don't do that.
Question: why are you doing that?
-
Re: V154 & V155 when cookies off zenid changing with every change of page. add item f
I can make it work by changing init_sessions.php about line 51.
from
PHP Code:
if (isset($_POST[zen_session_name()])) {
  zen_session_id($_POST[zen_session_name()]);
} elseif ( ($request_type == 'SSL') && isset($_GET[zen_session_name()]) ) {
  zen_session_id($_GET[zen_session_name()]);
}
to
PHP Code:
if (isset($_POST[zen_session_name()])) {
  zen_session_id($_POST[zen_session_name()]);
} elseif ( ($request_type == 'SSL') && isset($_GET[zen_session_name()]) ) {
  zen_session_id($_GET[zen_session_name()]);
/* else if added Mjfb*/
} elseif (isset($_GET[zen_session_name()])) {
  zen_session_id($_GET[zen_session_name()]);
}
Does this break the certification for zen cart?
Also it does not appear to show the cookies required page any more. Just goes to whoops your session has timed out (time out page).
-
Re: V154 & V155 when cookies off zenid changing with every change of page. add item f
What template is/was used in your testing? Does this occur in the default template for these two stores (when you don't have the extra code added to the init_session.php file?)
Seeing as you are a long time forum member, what is the history of upgrade including process(es) used?
-
Re: V154 & V155 when cookies off zenid changing with every change of page. add item f
I performed a fresh install of 155 on my test machine with the test data and it has the same problem on that.
I was using the responsive classic template on that. I have tried classic green and get the same issue: it goes to index.php?main_page=time_out&zenid=co24rosqf910i1i5eg8u9r9i37 when trying to add to cart. The links all have &zenid=g3a5efvifobos3q6g2ojcokq75 so will have the same issue.
The live site started life as 1.3.0 and has been upgraded through all the releases to 1.5.4. It now uses a modified responsive sheffield blue template.
-
Re: V154 & V155 when cookies off zenid changing with every change of page. add item f
Hi Mark
Do you have settings in Apache to do any kind of redirects.
Also would you mind telling us who your host is.
-
Re: V154 & V155 when cookies off zenid changing with every change of page. add item f
the zen cart is in a sub directory of the main site.
The htaccess settings on the top level directory are
Code:
#reset default page
DirectoryIndex index.php
Options +FollowSymlinks
# allow URl rewriting
RewriteEngine on
#change htm to php
RewriteRule ^(.*)\.htm$ $1.php
# stop pages being taken
RewriteCond %{HTTP_REFERER} !^$
RewriteCond %{HTTP_REFERER} !^http://(www\.)?schoolofinnerlight\.co\.uk/.*$ [NC]
RewriteCond %{HTTP_REFERER} !^http://(www\.)?innerlightcrystals\.co\.uk/.*$ [NC]
RewriteCond %{HTTP_REFERER} !^http://(www\.)?innerlighttherapies\.co\.uk/.*$ [NC]
RewriteCond %{HTTP_REFERER} !^http://(www\.)?innerlightworkers\.co\.uk/.*$ [NC]
RewriteCond %{HTTP_REFERER} !^http://(www\.)?.*\.lotuslight\.co\.uk/.*$ [NC]
RewriteCond %{HTTP_REFERER} !^http://(www\.)?theangelicartoftransformation\.co\.uk/.*$ [NC]
RewriteCond %{HTTP_REFERER} !^http://(www\.)?angelicmultidimensionalhealing\.co\.uk/.*$ [NC]
RewriteCond %{HTTP_REFERER} !^http://(www\.)?lotuslight\.co\.uk/.*$ [NC]
RewriteCond %{HTTP_REFERER} !^http://(www\.)?alexa\.com/.*$ [NC]
Rewritecond %{HTTP_REFERER} !^http://(www\.)?images\.google.*$ [NC]
Rewritecond %{HTTP_REFERER} !^http://(www\.)?translate\..*$ [NC]
Rewritecond %{HTTP_REFERER} !^http://(www\.)?joyousisle\.com/.*$ [NC]
RewriteRule .*\.(jpg|gif|bmp|png)$ - [F,NC]
RewriteCond %{HTTP_HOST} !^innerlightcrystals\.co\.uk$ [NC]
RewriteRule .? http://innerlightcrystals.co.uk%{REQUEST_URI} [R=301,L]
My host is Ukhost4u. My site is http://innerlightcrystals.co.uk/sales/
My test server is Ubuntu run as a virtual machine (oracle vbox). I have removed all the rewrites and I still have the same issue on 155a running classic green or responsive classic. If you need more details of the virtual machine please let me know.
If any of the info in the code section should not be public please remove it for me.
Thanks
-
Re: V154 & V155 when cookies off zenid changing with every change of page. add item f
Any movement on this? If not a fault do I need to have specific setting?
-
Re: V154 & V155 when cookies off zenid changing with every change of page. add item f
If you turn off ENABLE_SSL does the problem go away?
(The code-change you posted suggests that your server isn't properly representing SSL.)
Additionally, is your html_output.php function file altered in any way?
-
Re: V154 & V155 when cookies off zenid changing with every change of page. add item f
Was set to '' set to 'false' still no change when cookies off. this is on a clean install of 1.55a with test data so no other changes.
Quote:
Originally Posted by
DrByte
If you turn off ENABLE_SSL does the problem go away?
(The code-change you posted suggests that your server isn't properly representing SSL.)
Additionally, is your html_output.php function file altered in any way?
-
Re: V154 & V155 when cookies off zenid changing with every change of page. add item f
And why exactly are you forcing cookies off?
-
Re: V154 & V155 when cookies off zenid changing with every change of page. add item f
Because a customer complained that they could not put an item into the basket. This was the only scenario in which I could reproduce the problem. I would not have an issue if it went to the "this site requires cookies" page, but it does not; it just says that the session has expired. This is not true: all that has happened is that the session id has a new id allocated to all the links when cookies are turned off. The change I put in kept the original ID. What I would like to happen is, if zen cart needs cookies, which I think is what you are trying to say, then the cookies are off page should be displayed.
I cannot get the cookies page to be displayed even in a fresh install of the system with no addins or alterations.
Quote:
Originally Posted by
DrByte
And why exactly are you forcing cookies off?
-
Re: V154 & V155 when cookies off zenid changing with every change of page. add item f
Okay, let's turn on the setting to require cookies: Force Cookie Use = true.
I believe that'll show the "requires cookies" page if they're disabled.
-
Re: V154 & V155 when cookies off zenid changing with every change of page. add item f
Sorry no change still goes to the time out page when force cookie use is true and cookies are turned off.
Attached picture of settings
Attachment 16479
The difference is that the zenid is not displayed.
A question. Is zen cart designed to work with cookies off?
-
Re: V154 & V155 when cookies off zenid changing with every change of page. add item f
Quote:
Originally Posted by
brittainmark
A question. Is zen cart designed to work with cookies off?
Essentially yes. But I never use it that way so if there are issues with it I'm not seeing them.
In fact, there are many who strongly recommend Force Cookie Use = true for various reasons unrelated to your symptoms.
That said, I can't seem to duplicate the symptoms you're reporting ... which is frustrating for both of us.
-
Re: V154 & V155 when cookies off zenid changing with every change of page. add item f
I know just what you mean.
Could it be a php version issue?
My live servers use: Apache Version 2.4.16, PHP Version 5.4.45, MySQL Version 5.6.30
On my test server I am using : Apache/2.4.7 ,PHP Version 5.5.9 , MySQL Version 5.5.49.
Don't know if you use virtual box. If it would help I could build you a virtual machine. (they tend to be big so would have to put it on an ftp site for you.).
I'll try a top level install on my test site with 1.5.5a and no extras to see if that solves it. If it does then it is definitely my servers.
-
Re: V154 & V155 when cookies off zenid changing with every change of page. add item f
Just done another completely clean install. Same issue. As soon as you turn off cookies the zenid changes for every link on the page. So the zenid in the URL does not match the zenid on any of the links on the page, and when you try to add an item to the cart you go to the timeout page. Just to complete the picture, the version of zen cart I am using is zen-cart-v1.5.5a-05052016.
If I can give you any more info just ask.
Mark
-
Re: V154 & V155 when cookies off zenid changing with every change of page. add item f
Can you tell me where cookies usage or lack of is detected. I'll try to do some digging if I know where to look.
Additionally the admin section will not work at all with cookies turned off. Just keeps returning me to the login page.
-
Re: V154 & V155 when cookies off zenid changing with every change of page. add item f
Quote:
Originally Posted by
brittainmark
Can you tell me where cookies usage or lack of is detected. I'll try to do some digging if I know where to look.
init_sessions.php
Quote:
Originally Posted by
brittainmark
Additionally the admin section will not work at all with cookies turned off. Just keeps returning me to the login page.
Argh; I'm not seeing that. Very curious why it seems to be unique to your setup...
-
Re: V154 & V155 when cookies off zenid changing with every change of page. add item f
Looks like I am not unique. just seen this post on responsive sheffield blue.
https://www.zen-cart.com/showthread....06#post1315906
Solution enable cookies. But how do we tell our users to do that?
Quote:
Originally Posted by
DrByte
init_sessions.php
Argh; I'm not seeing that. Very curious why it seems to be unique to your setup...
-
Re: V154 & V155 when cookies off zenid changing with every change of page. add item f
Quote:
Originally Posted by
brittainmark
Looks like I am not unique. just seen this post on responsive sheffield blue.
Solution enable cookies. But how do we tell our users to do that?
I can't speak to whatever that 3rd party plugin is doing to force the need for cookies, particularly in a mode that is specific to that template.
-
Re: V154 & V155 when cookies off zenid changing with every change of page. add item f
Agreed. It is just that they are having the same issue I am: going to timeout when cookies are turned off. Even when I use the vanilla install of zen cart.
Quote:
Originally Posted by
DrByte
I can't speak to whatever that 3rd party plugin is doing to force the need for cookies, particularly in a mode that is specific to that template.
-
Re: V154 & V155 when cookies off zenid changing with every change of page. add item f
Hi Mark.
Have been doing some digging and testing regarding this after some discussions with DrByte.
Firstly regarding your suggestion
Code:
if (isset($_POST[zen_session_name()])) {
  zen_session_id($_POST[zen_session_name()]);
} elseif ( ($request_type == 'SSL') && isset($_GET[zen_session_name()]) ) {
  zen_session_id($_GET[zen_session_name()]);
/* else if added Mjfb*/
} elseif (isset($_GET[zen_session_name()])) {
  zen_session_id($_GET[zen_session_name()]);
}
The problem here is that propagating the $_GET opens up code to some session hijacking/fixation hacks. We allow it for SSL as there is other code to mitigate the hacks (e.g. SSL only cookies and session_regenerate on login).
Note: There are some other things that could be done to allow for this code change, but still mitigate against hacking.
The upshot is that you are correct: if a user has cookies disabled then they will get changing session ids and a useless catalog.
The workaround suggested is to turn on force cookie usage. This doesn't fix the changing ids but should warn the user if they have cookies turned off.
This warning is supposed to happen when they try to add something to the cart (and a few other places) but, as you have pointed out, when adding to cart the user is redirected to the timeout page instead.
This is a bug, and seems to have been caused by the introduction of CSRF token checking (again, this is security code meant to mitigate against other hacks).
It was our intention at some point to make Force Cookie Usage a default, and maybe we should have done this earlier in the v15 code. It would have probably raised the timeout issue much earlier.
I'm going to raise this issue as part of our v1.6.0 code, however the intention would be to backport changes into v1.5.x.
I will update this thread once I have committed code to Github
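An added illustration of the point made in the post above (not Zen Cart code and not written by anyone in this thread): a toy in-memory session store showing why regenerating the session id on login matters once an id can arrive in a URL, together with strict acceptance of ids in the spirit of PHP's session.use_strict_mode. The class and method names, the sample id string and the customer id 42 are all assumptions made up for the example.

```php
<?php
// Added illustration: toy in-memory session store, not Zen Cart code.
// SessionStore, resolve(), login() and customerFor() are hypothetical names.
final class SessionStore
{
    /** @var array<string, array> session id => session data */
    private array $sessions = [];

    private function newId(): string
    {
        return bin2hex(random_bytes(16)); // identifier from the CSPRNG
    }

    // Strict acceptance: an id from the URL or a cookie is honoured only if
    // this server issued it; any other value gets a freshly generated id.
    public function resolve(?string $suppliedId): string
    {
        if ($suppliedId !== null && isset($this->sessions[$suppliedId])) {
            return $suppliedId;
        }
        $id = $this->newId();
        $this->sessions[$id] = ['customer_id' => null];
        return $id;
    }

    // Regenerate on login: the data moves to a new id and the pre-login id
    // is deleted, so a copy of the old id held elsewhere becomes useless.
    public function login(string $id, int $customerId): string
    {
        $data = $this->sessions[$id];
        unset($this->sessions[$id]);
        $data['customer_id'] = $customerId;
        $newId = $this->newId();
        $this->sessions[$newId] = $data;
        return $newId;
    }

    public function customerFor(string $id): ?int
    {
        return $this->sessions[$id]['customer_id'] ?? null;
    }
}

$store   = new SessionStore();
$fromUrl = 'constructed-id-never-issued-here';   // constructed sample value
$anon    = $store->resolve($fromUrl);            // browsing before login
$auth    = $store->login($anon, 42);             // 42: constructed customer id
var_dump($anon === $fromUrl);                    // was the unknown id adopted?
var_dump($store->customerFor($anon), $store->customerFor($auth));
```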
-
Re: V154 & V155 when cookies off zenid changing with every change of page. add item f
Ok. If I can do any testing to help just let me know.
-
Re: V154 & V155 when cookies off zenid changing with every change of page. add item f
Hi so have done an initial PR for v1.6
https://github.com/zcwilt/zc-v1-seri...a076103a726f40
This should fix the problem of seeing the session timeout page rather than the Cookie Usage page when adding to cart and first party cookies being disabled.
-
Re: V154 & V155 when cookies off zenid changing with every change of page. add item f
I have made the following mod to 155, at about line 25 in includes>init_includes>init_sanitize.php (same in 154), and it now warns about cookies. I also turned on force cookie usage in Admin>configuration>sessions.
BEFORE:
PHP Code:
  $_SESSION ['securityToken'] = md5 ( uniqid ( rand (), true ) );
}
if ((isset ( $_GET ['action'] ) || isset($_POST['action']) ) && $_SERVER['REQUEST_METHOD'] == 'POST')
{
  $mainPage = isset($_GET['main_page']) ? $_GET['main_page'] : FILENAME_DEFAULT;
AFTER:
PHP Code:
  $_SESSION ['securityToken'] = md5 ( uniqid ( rand (), true ) );
}
if ((isset ( $_GET ['action'] ) || isset($_POST['action']) ) && $_SERVER['REQUEST_METHOD'] == 'POST')
{
  if (!$session_started) {
    zen_redirect(zen_href_link(FILENAME_COOKIE_USAGE));
  }
  $mainPage = isset($_GET['main_page']) ? $_GET['main_page'] : FILENAME_DEFAULT;
The cookies warning now appears when you add to cart and on attempting to log on; I have not tested beyond that.
Thanks for looking at this. Having done some research on session hijacking/fixation hacks I see the problem with my code. There appears to be a limit to what you can do to prevent this; you just have to make it as hard as possible.
Thanks again
Mark