-
Bambora Payform - Session expired after some payments instead of checkout_success
Hi!
I use Zen Cart for almost 10 years, never posted questions, because always found a solution reading this forum.
But now I am stuck :down:
I have upgraded to 157 about a week ago from 155f via zc_install. Also changed 7.1 PHP to 7.4.9 PHP on server.
Using plugins Ultimate Seo Url, multilangual EZ-pages, payment module by Finnish payment service Bambora (can be found here: https://github.com/bambora/payform-zencart).
My site is here https://www.tulihelmi.fi/
But my problem was presented also before an upgrade with 155f and PHP 7.1.
Problem:
Sometimes my customers have problem with payment using Bambora. There were single cases last autumn and January. Then in March and April more cases. Then in June and July few. Now in August it got worse and last days (also before an update) like every second order :(
Path goes like this:
- they push Confirm Order Button
- go to Bambora's page and pay
- redirecting back to shop
Normally must go to checkout_success page and in some cases it happens.
But in some cases they go to session expired page, so they got logged out.
In both cases I get paid and order registers into webshop, but customers are confused.
Also this happens to the same customer, who sometimes previously made an order without any problem. And next order same customer places without problem. Seems to be random.
I also checked it and some times I can get back to checkout_success, sometimes get logged out.
Tried:
I read forum. Seems the problem is that session cookies are lost in some cases.
Tried to change settings in admin/configurations/sessions as advised. No difference.
Now using these settings again, as I always had:
Session directory /home/beadzsto/public_html/tulihelmi.fi/cache
Cookie Domain True
Force Cookie Use False
Check SSL Session ID False
Check User Agent False
Check IP Address True
Prevent Spider Sessions True
Recreate Session True
IP to Host Conversion Status true
Use root path for cookie path False
Add period prefix to cookie domain True
Both configure.php files have correct setting to my mind. Tried to change SQL_CACHE_METHOD to database, no difference.
PHP Code:
<?php
/**
* dist-configure.php - SAMPLE FILE!
*
* @package Configuration Settings
* @copyright Copyright 2003-2016 Zen Cart Development Team
* @copyright Portions Copyright 2003 osCommerce
* @license http://www.zen-cart.com/license/2_0.txt GNU Public License V2.0
* @version $Id: Author: DrByte Thu Dec 17 11:49:31 2015 -0500 Modified in v1.5.5 $
* @private
*/
/*************** NOTE: This file is VERY similar to, but DIFFERENT from the "admin" version of configure.php. ***********/
/*************** The 2 files should be kept separate and not used to overwrite each other. ***********/
/**
* Enter the domain for your store
* HTTP_SERVER is your Main webserver: eg-http://www.yourdomain.com
* HTTPS_SERVER is your Secure/SSL webserver: eg-https://www.yourdomain.com
*/
define('HTTP_SERVER', 'https://www.tulihelmi.fi');
define('HTTPS_SERVER', 'https://www.tulihelmi.fi');
/**
* If you want to tell Zen Cart to use your HTTPS URL on sensitive pages like login and checkout, set this to 'true'. Otherwise 'false'. (Keep the quotes)
*/
define('ENABLE_SSL', 'true');
/**
* These DIR_WS_xxxx values refer to the name of any subdirectory in which your store is located.
* These values get added to the HTTP_CATALOG_SERVER and HTTPS_CATALOG_SERVER values to form the complete URLs to your storefront.
* They should always start and end with a slash ... ie: '/' or '/foldername/'
*/
define('DIR_WS_CATALOG', '/');
define('DIR_WS_HTTPS_CATALOG', '/');
/**
* This is the complete physical path to your store's files. eg: /var/www/vhost/accountname/public_html/store/
* Should have a closing / on it.
*/
define('DIR_FS_CATALOG', '/home/beadzsto/public_html/tulihelmi.fi/');
/**
* The following settings define your database connection.
* These must be the SAME as you're using in your admin copy of configure.php
*/
define('DB_TYPE', 'mysql'); // always 'mysql'
define('DB_PREFIX', ''); // prefix for database table names -- preferred to be left empty
define('DB_CHARSET', 'utf8'); // 'utf8' or 'latin1' are most common
define('DB_SERVER', 'localhost'); // address of your db server
define('DB_SERVER_USERNAME', 'secret');
define('DB_SERVER_PASSWORD', 'secret');
define('DB_DATABASE', 'secret');
/**
* This is an advanced setting to determine whether you want to cache SQL queries.
* Options are 'none' (which is the default) and 'file' and 'database'.
*/
define('SQL_CACHE_METHOD', 'database');
/**
* Reserved for future use
*/
define('SESSION_STORAGE', 'temporary value added by zc_install');
/**
* Advanced use only:
* The following are OPTIONAL, and should NOT be set unless you intend to change their normal use. Most sites will leave these untouched.
* To use them, uncomment AND add a proper defined value to them.
*/
// define('DIR_FS_SQL_CACHE' ...
// define('DIR_FS_DOWNLOAD' ...
// define('DIR_FS_LOGS' ...
// End Of File
I also was trying to surf through the store for some times checking if I get logged out, did not happen. But may be need to be in the shop longer, not sure.
Did not try any other payment module yet since the problem started, cos we have not very big choice of payment plugins made for Zen Cart in Finland.
So can it be a Bambora's problem or something wrong with my site? Or the server? I contacted my provider, they say they have nothing wrong.
Seems to be random sometimes working perfectly, sometimes not on a same user, browser and device.
Please advise what else I can do :down:
I love Zen Cart cos it is customisable... But this issue with payment ruining it all.
-
Re: Session expired after some payments instead of checkout_success
There's one Sessions setting that's different from the default: Check IP Address True (the default's False).
Any idea why that change was made?
-
Re: Session expired after some payments instead of checkout_success
No idea. I do not remember changing it ever. But I tried to put it to False, as it is default. No difference.
-
Re: Session expired after some payments instead of checkout_success
Does the issue occur on all browsers? I've been seeing a lot of timeouts due to the "Samesite" cookie settings on Chrome, but you've got your site setup as 'None, secure' which should be (?) fine.
-
Re: Session expired after some payments instead of checkout_success
Need to test more on other browsers. Just tried on Safari for more than 10 times, all working.
SameSite cookies is something new for me. Is it like setting in chrome (just quickly googled it)?
So if this is the issue, I should update the settings somewhere on my site to SameSite=None; Secure?
And if it is the issue, can it be random like I have it?
-
Re: Session expired after some payments instead of checkout_success
Quote:
Originally Posted by
kalm
Need to test more on other browsers. Just tried on Safari for more than 10 times, all working.
SameSite cookies is something new for me. Is it like setting in chrome (just quickly googled it)?
So if this is the issue, I should update the settings somewhere on my site to SameSite=None; Secure?
And if it is the issue, can it be random like I have it?
What does your copy of /includes/init_includes/init_sessions.php (around line 43) read? Is it similar to
Code:
if (filter_var($cookieDomain, FILTER_VALIDATE_IP)) $domainPrefix = '';
$secureFlag = ((ENABLE_SSL == 'true' && substr(HTTP_SERVER, 0, 6) == 'https:' && substr(HTTPS_SERVER, 0, 6) == 'https:') || (ENABLE_SSL == 'false' && substr(HTTP_SERVER, 0, 6) == 'https:')) ? TRUE : FALSE;
session_set_cookie_params(0, $path, (zen_not_null($cookieDomain) ? $domainPrefix . $cookieDomain : ''), $secureFlag, TRUE);
/**
 * set the session ID if it exists
 */
if (isset($_POST[zen_session_name()])) {
    zen_session_id($_POST[zen_session_name()]);
} elseif ( ($request_type == 'SSL') && isset($_GET[zen_session_name()]) ) {
    zen_session_id($_GET[zen_session_name()]);
}
... or to
Code:
if (filter_var($cookieDomain, FILTER_VALIDATE_IP)) $domainPrefix = '';
$secureFlag = ((ENABLE_SSL == 'true' && substr(HTTP_SERVER, 0, 6) == 'https:' && substr(HTTPS_SERVER, 0, 6) == 'https:') || (ENABLE_SSL == 'false' && substr(HTTP_SERVER, 0, 6) == 'https:')) ? TRUE : FALSE;
$samesite = (defined('COOKIE_SAMESITE')) ? COOKIE_SAMESITE : 'lax';
if (!in_array($samesite, ['lax', 'strict', 'none'])) $samesite = 'lax';
session_set_cookie_params([
    'lifetime' => 0,
    'path' => $path,
    'domain' => (zen_not_null($cookieDomain) ? $domainPrefix . $cookieDomain : ''),
    'secure' => $secureFlag,
    'httponly' => true,
    'samesite' => $samesite,
]);
/**
 * set the session ID if it exists
 */
if (isset($_POST[zen_session_name()])) {
    zen_session_id($_POST[zen_session_name()]);
} elseif ( ($request_type == 'SSL') && isset($_GET[zen_session_name()]) ) {
    zen_session_id($_GET[zen_session_name()]);
}
That second version is destined for zc157a. From a browser-testing standpoint, I've found Chrome to be the most 'finicky' when it comes to those cookies.
-
Re: Session expired after some payments instead of checkout_success
Hi! Thank you for response!
I have first variant:
PHP Code:
session_set_cookie_params(0, $path, (zen_not_null($cookieDomain) ? $domainPrefix . $cookieDomain : ''), $secureFlag, TRUE);
-
Re: Session expired after some payments instead of checkout_success
Now tried the second code, but it got worse. It started to log me out of my account every time after payment.
Before I couldn't catch this in Safari, but with second code same problem started on Safari too - logged out after every payment.
Changed back to first variant - works on Safari again. At least did not log me out after several attempts.
-
Re: Session expired after some payments instead of checkout_success
Quote:
Originally Posted by
kalm
Now tried the second code, but it got worse. It started to log me out of my account every time after payment.
Before I couldn't catch this in Safari, but with second code same problem started on Safari too - logged out after every payment.
Changed back to first variant - works on Safari again. At least did not log me out after several attempts.
Sounds like the same problem I'm having with my epath gateway when it tries to return to the checkout_success page. See https://www.zen-cart.com/showthread....ighlight=epath
Lat9 referred to a sticky zenid issue which I would like to try and solve if I knew how.
-
Re: Session expired after some payments instead of checkout_success
Quote:
Originally Posted by
kalm
Now tried the second code, but it got worse. It started to log me out of my account every time after payment.
Before I couldn't catch this in Safari, but with second code same problem started on Safari too - logged out after every payment.
Changed back to first variant - works on Safari again. At least did not log me out after several attempts.
Try using the second variant, but also create a file named /includes/extra_datafiles/set_samesite_cookie.php containing:
PHP Code:
<?php
define('COOKIE_SAMESITE', 'none');
That will enable you to use the updated version (which will be applied on a zc157a upgrade) and keep the Samesite=None setting.
-
Re: Session expired after some payments instead of checkout_success
Thank you, Cindy!
Seems to be it started to work :clap:
At least my 10 attempts did not catch the problem. Also on Developer Tool Console I do not see blocked cookies any more when I come back to store after payment.
Need to test for few days for I can say for sure a problem is solved.
I will come with the update.
-
Re: Session expired after some payments instead of checkout_success
Thanks Cindy, second variant of that code with the extra file worked for me too.
-
1 Attachment(s)
Re: Session expired after some payments instead of checkout_success
Hi!
I was testing the change for a few days. Not many real orders were paid via Bambora I have problem with. First 9 orders were placed with no problem, but today I got one order with time_out page.
This is customer's session before payment:
Attachment 19171
I am not sure what browser he was using.
I was trying to recreate the problem myself in Chrome. Before the update Cindy offered, I could easily get time_out page just pushing Confirm Order Button, going to Bambora's payment page and cancel payment. But now I couldn't, even trying over 30 times. Same with Safari.
But here he is, the customer with real order, who gets the time_out page again :(
-
Re: Session expired after some payments instead of checkout_success
Quote:
Originally Posted by
kalm
Hi!
I was testing the change for a few days. Not many real orders were paid via Bambora I have problem with. First 9 orders were placed with no problem, but today I got one order with time_out page.
This is customer's session before payment:
Attachment 19171
I am not sure what browser he was using.
I was trying to recreate the problem myself in Chrome. Before the update Cindy offered, I could easily get time_out page just pushing Confirm Order Button, going to Bambora's payment page and cancel payment. But now I couldn't, even trying over 30 times. Same with Safari.
But here he is, the customer with real order, who gets the time_out page again :(
When looking over the sequence of events/visits by that visitor, what time differences are involved? Even if the above corrections fixed the base problem, if the session expires along the checkout process then a time_out will be presented. Yes, it has an unfortunate effect on the sale and record keeping if the initial transaction can not be tied back to what is likely a completed financial transaction.
-
Re: Session expired after some payments instead of checkout_success
I was watching this particular customer placing an order on Who's online page. It was not many seconds from the moment he pushed Confirm Order button and after the payment appeared back to store with time_out and new session id number. So in this case problem is not that the session just expired.
Just wondering, if now the problem is not Samesite cookies anymore (it can't be as the code 100% fixed it, right?), what else it can be?
As plugin itself, I contacted Bambora and informed them about my problem. If it is a plugin issue...
-
Re: Session expired after some payments instead of checkout_success
Unfortunately, I am still getting time_outs from time to time. Problem is not 100% fixed.
-
Re: Session expired after some payments instead of checkout_success
Quote:
Originally Posted by
kalm
Unfortunately, I am still getting time_outs from time to time. Problem is not 100% fixed.
Did you ever resolve this?
-
Re: Session expired after some payments instead of checkout_success
It seems that changes made to Chromium browsers have increased the number of session timeouts when completing a payment and being redirected back to the store to generate an order ID.
HTML Code:
Zen Cart 1.5.7
Database Patch Level: 1.5.7
v1.5.7 [2020-12-18 18:45:24] (Version Update 1.5.6->1.5.7)
v1.5.6c [2020-12-18 18:45:04] (Version Update 1.5.5->1.5.6c)
v1.5.5a [2016-08-17 00:53:15] (Version Update 1.5.4->1.5.5a)
v1.5.4 [2016-08-17 00:53:09] (Version Update 1.5.3->1.5.4)
v1.5.3 [2016-08-17 00:53:01] (Version Update 1.5.2->1.5.3)
v1.5.2 [2016-08-17 00:52:49] (Version Update 1.5.1->1.5.2)
v1.5.2 [2016-08-17 00:50:14] (Version Update 1.5.1->1.5.2)
v1.5.2 [2016-08-17 00:49:04] (Version Update 1.5.1->1.5.2)
v1.5.1 [2013-11-04 07:00:39] (New Installation)
v1.5.1 [2013-11-04 07:00:39] (New Installation)
I am using Moneris hosted Pay Page which does redirect the user back to the store when a payment is cleared. Unfortunately, I have not been able to pin it down to anything yet and I read here and there that others are experiencing it but can't tell the scale of the problem.
The site does use and Force SSL on all pages.
my init_session file has
Code:
$samesite = (defined('COOKIE_SAMESITE')) ? COOKIE_SAMESITE : 'lax';
if (!in_array($samesite, ['lax', 'strict', 'none'])) $samesite = 'lax';
if (PHP_VERSION_ID >= 70300) {
    session_set_cookie_params([
        'lifetime' => 0,
        'path' => $path,
        'domain' => (zen_not_null($cookieDomain) ? $domainPrefix . $cookieDomain : ''),
        'secure' => $secureFlag,
        'httponly' => true,
        'samesite' => $samesite,
    ]);
} else {
    session_set_cookie_params(0, $path .'; samesite='.$samesite, (zen_not_null($cookieDomain) ? $domainPrefix . $cookieDomain : ''), $secureFlag, true);
}
and my HTTPD config has the following
Code:
Header set Set-Cookie HttpOnly;Secure;SameSite=None
#Header always edit Set-Cookie ^(.*)$ $1;HttpOnly;Secure;SameSite=None
Header always set Strict-Transport-Security "max-age=63072000; includeSubdomains;"
Header always set X-Frame-Options DENY
TraceEnable Off
Based on my testing (I don't have a mac to test with), Microsoft Edge the original is the only one that worked for me.
I checked version 1.5.7C for any possible changes and there is nothing there that would address this issue of session timeout upon being redirected from payment gateway.
So I decided, as I am getting lots of heat for customers getting charged and not having an order ID. Knowing I am running PHP 7.2, I changed init_session.php to this
Code:
if (PHP_VERSION_ID <= 70300) {
and that seems to work. Since I just made the change today, I can't tell in real life application whether it is successful or not.
I welcome feedback on the matter.
-
Re: Session expired after some payments instead of checkout_success
You can probably resolve it with this instead:
Create a file named /includes/extra_configures/samesite_cookie.php containing the following:
Code:
<?php
// -----
// Samesite cookie needs to be 'none' when doing offsite payment gateway redirects
//
define('COOKIE_SAMESITE', 'none');
-
Re: Session expired after some payments instead of checkout_success
Thank you that did resolve the issue. I guess creating the file /includes/extra_configures/samesite_cookie.php will make it apply to the entire site vs having the code in init_session.php (I guess this applies to session creation only)
Code:
$samesite = (defined('COOKIE_SAMESITE')) ? COOKIE_SAMESITE : 'lax';
if (!in_array($samesite, ['lax', 'strict', 'none'])) $samesite = 'lax';
-
Re: Session expired after some payments instead of checkout_success
Thank you for this crucial info.
Additionally, at the current state of Chrome browser SameSite=none; also causes error.
You can not even log in to the site, it automatically logs you out.
In the page error report it says Secure connection is obligatory if SameSite=none is chosen.
So the below definition by DrByte should be changed as follows:
PHP Code:
define('COOKIE_SAMESITE', 'none; secure');
Thanks also to Scott C Wilson for putting this on Zen-Cart documentation
https://docs.zen-cart.com/user/payme...oops_timeouts/
If somebody could also update that it could save somebody sometime...
Quote:
Originally Posted by
DrByte
You can probably resolve it with this instead:
Create a file named /includes/extra_configures/samesite_cookie.php containing the following:
Code:
<?php
// -----
// Samesite cookie needs to be 'none' when doing offsite payment gateway redirects
//
define('COOKIE_SAMESITE', 'none');
-
Re: Session expired after some payments instead of checkout_success
Quote:
Originally Posted by
zamzom
Thank you for this crucial info.
Additionally, at the current state of Chrome browser SameSite=none; also causes error.
You can not even log in to the site, it automatically logs you out.
In the page error report it says Secure connection is obligatory if SameSite=none is chosen.
So the below definition by DrByte should be changed as follows:
PHP Code:
define('COOKIE_SAMESITE', 'none; secure');
Please forget the previous suggestion. init_sessions.php searches for exact phrase 'none', if you change it, it won't work.
Page encoding should be https though, otherwise samesite 'none' will create an error.
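
The behaviour discussed in this thread, as an added example (not Zen Cart's code and not from any poster): it mirrors the exact-match check on COOKIE_SAMESITE quoted from init_sessions.php and models, in simplified form, whether a browser returns the session cookie on the redirect back from an off-site payment page. The function names and the sample cases are assumptions constructed for illustration.

```php
<?php
// Added example, not Zen Cart code. Function names are hypothetical.

/**
 * Mirror of the whitelist check quoted from init_sessions.php:
 * anything other than exactly 'lax', 'strict' or 'none' becomes 'lax'.
 */
function effective_samesite(?string $configured): string
{
    $samesite = $configured ?? 'lax'; // null stands for "COOKIE_SAMESITE not defined"
    return in_array($samesite, ['lax', 'strict', 'none'], true) ? $samesite : 'lax';
}

/**
 * Simplified model of the browser rule for the return from an off-site
 * payment page (a cross-site, top-level navigation to the store).
 * Returns [bool $sent, string $reason].
 */
function session_cookie_on_gateway_return(?string $configured, bool $secureFlag, string $method): array
{
    $samesite = effective_samesite($configured);
    $method = strtoupper($method);
    if ($samesite === 'none') {
        return $secureFlag
            ? [true, 'SameSite=None with Secure: sent on cross-site requests']
            : [false, 'SameSite=None without Secure: Chrome rejects the cookie'];
    }
    if ($samesite === 'lax') {
        return $method === 'GET'
            ? [true, 'SameSite=Lax: sent on a top-level GET navigation']
            : [false, "SameSite=Lax: withheld on a cross-site $method"];
    }
    return [false, 'SameSite=Strict: withheld on any cross-site navigation'];
}

// Constructed cases: COOKIE_SAMESITE value, $secureFlag, gateway return method.
$cases = [
    ['none',         true,  'POST'],
    ['none; secure', true,  'POST'], // fails the whitelist, becomes 'lax'
    ['none',         false, 'POST'], // store not served over https
    [null,           true,  'POST'], // constant not defined: default 'lax'
    [null,           true,  'GET'],
];
foreach ($cases as [$configured, $secureFlag, $method]) {
    [$sent, $reason] = session_cookie_on_gateway_return($configured, $secureFlag, $method);
    printf(
        "%-14s secure=%-5s %-4s => %-8s %s\n",
        var_export($configured, true),
        var_export($secureFlag, true),
        $method,
        $sent ? 'sent' : 'not sent',
        $reason
    );
}
```

To see which case applies to a live store, compare the session cookie's Set-Cookie response header with the method the payment provider uses for its return request.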