Thanks again carlwhat! Your post clarified everything for me. I have Force Cookie Use (in admin/configuration/sessions) set to false which is the default. So zenid appears in the URL for all pages, except the main page, whether the browser blocks cookies or not. And you can check out, at least with PayPal Express, with cookies blocked or not. So it would seem to me that cookies are not required to be enabled in the browser if Force Cookie Use is set to false, at least for the setup of my store.
However, it would be nice to have the zenid not appear in the URL if cookies are not blocked in the browser with Force Cookies Use set to false, to provide an extra bit of security. In other words, use zenid in the URL only when necessary when Force Cookie Use is false.
I tried some experiments with Force Cookie Use set to true; zenid does not appear in the URL when cookies are enabled on the browser, you can add products to the cart, and checkout normally, even with PayPal Express. This is all good, and better than when Force Cookie Use is false, as long as cookies are enabled in the browser. But if cookies are not enabled in the browser, you get the cookie usage page ("cookies must be enabled") when attempting to login or create an account. If you continue without logging in, and try to add a product to the cart, you get a "Whoops, the session has expired" warning, and further attempts to login fail.
I observed no difference in behavior between ZC 1.5.1 and ZC 1.5.5f in my experiments.
All the best,
Dave


Reply With Quote
