Page 3 of 4 (results 21 to 30 of 31)
  1. #21 (Join Date: Jan 2004; Posts: 66,373; Blog Entries: 7; Plugin Contributions: 274)

    Re: 1.3.9 whos online error?? maybe

    Quote Originally Posted by CJPinder:
    Hi,

    I think the problem is because the code is checking if suhosin is installed but not checking if session encryption is turned on or off. Try this...

    Edit /admin/whos_online.php and starting at line 387 you should see...
    PHP Code:
        if (!$suhosinExtension) {
          if (strpos($session_data, 'cart|O') == 0) $session_data = base64_decode($session_data);
          if (strpos($session_data, 'cart|O') == 0) $session_data = '';
        }
    ...change it to...
    PHP Code:
          if (strpos($session_data, 'cart|O') == 0) $session_data = base64_decode($session_data);
          if (strpos($session_data, 'cart|O') == 0) $session_data = '';
    Leave the commented out line below this commented out.

    I hope that helps.

    Regards,
    Christian.
    Bizarre. I can't replicate that scenario, with or without suhosin encryption enabled. And decoding the data if not already encoded can cause problems too.

    So, other than encryption and encoding settings that we're checking for, what are we missing?

    Zen Cart - putting the dream of business ownership within reach of anyone!
    Donate to: DrByte directly or to the Zen Cart team as a whole

    Remember: Any code suggestions you see here are merely suggestions. You assume full responsibility for your use of any such suggestions, including any impact ANY alterations you make to your site may have on your PCI compliance.
    Furthermore, any advice you see here about PCI matters is merely an opinion, and should not be relied upon as "official". Official PCI information should be obtained from the PCI Security Council directly or from one of their authorized Assessors.

  2. #22 (Join Date: Apr 2007; Location: Herts. UK; Posts: 890; Plugin Contributions: 4)

    Re: 1.3.9 whos online error?? maybe

    Hi Chris,
    Quote Originally Posted by DrByte:
    Bizarre. I can't replicate that scenario, with or without suhosin encryption enabled. And decoding the data if not already encoded can cause problems too.

    So, other than encryption and encoding settings that we're checking for, what are we missing?
    I think there are two flaws in the logic:
    1) In ZC 1.3.9 all session data is base64 encoded by Zen Cart before being written to the database (file based sessions aren't touched). So the base64_decode() always needs to be done if the session data was read from the database.

    2) Having the suhosin extension loaded doesn't necessarily mean that sessions are encrypted. It's fine to have suhosin loaded with session encryption turned off.

    I think the only thing that needs to be done is base64_decode any database read session data and then check for 'cart|O'. If 'cart|O' is found then everything is good, if not then the session data is encrypted or broken.

    Regards,
    Christian.

  3. #23 (Join Date: Jan 2004; Posts: 66,373; Blog Entries: 7; Plugin Contributions: 274)

    Re: 1.3.9 whos online error?? maybe

    Right. I agree: we need to decode the data read from the database.
    But that's not a total solution.
    If suhosin encryption is enabled, then PHP will auto-decrypt it when we session_decode the data. Hence the missing check regarding encryption.

    Oddly enough, on my test server, which has suhosin.session.encrypt On, suhosin.server.encode On and suhosin.stealth On, I can't get cart contents to show at all right now.
    And commenting out the lines you suggested earlier is having no effect.
    Of course, this is the reverse situation to what was posted earlier too.
    Puzzling.

  4. #24 (Join Date: Apr 2007; Location: Herts. UK; Posts: 890; Plugin Contributions: 4)

    Re: 1.3.9 whos online error?? maybe

    Hi Chris,

    Quote Originally Posted by DrByte:
    If suhosin encryption is enabled, then PHP will auto-decrypt it when we session_decode the data. Hence the missing check regarding encryption.
    If you check for the presence of 'cart|O' in the session string before doing the session_decode you can determine if the string is encrypted or not.

    Personally, I don't like the use of session_decode; it messes with the Admin session data. Using unserialize() might be better but I've not tried it.

    Quote Originally Posted by DrByte:
    Oddly enough, my test server, which has suhosin.session.encrypt On and suhosin.server.encode On and suhosin.stealth On, I can't get cart contents to show at all right now
    Erm, if suhosin.session.encrypt = On then you won't be able to see the cart contents because it is encrypted.

    IMHO, a better solution would be to not touch the session data at all. Add the count of items in the visitor's cart and the total amount to the recorded whos_online information. Use that to show the traffic light indicators and number of items in cart + total spent instead of all the cart details. Fewer privacy concerns and no need to be naughty with session data.

    Regards,
    Christian.
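The alternative Christian proposes in the post above, written out as an added example (this is not Zen Cart's code and not something either poster published): the storefront records only an item count and a cart total in its whos_online row, and the admin derives the indicator from those two numbers without ever decoding another user's session. The two extra columns `cart_items` and `cart_total` are a hypothetical schema change; `$db->Execute()`, `zen_db_input()`, `TABLE_WHOS_ONLINE` and the shoppingCart methods `count_contents()` and `show_total()` are assumed to be the usual Zen Cart storefront API.

```php
<?php
// Added example, not Zen Cart's own code: record a cart summary in whos_online instead of
// having the admin read raw session data.
// Assumptions (hypothetical, not from the thread): the whos_online table has two extra
// columns, cart_items INT and cart_total DECIMAL(15,4); $db->Execute(), zen_db_input(),
// TABLE_WHOS_ONLINE, count_contents() and show_total() are Zen Cart's storefront API.

// Storefront side: called wherever the whos_online row for the current visit is refreshed.
function zc_example_record_cart_summary($db, string $session_id): void
{
    $items = 0;
    $total = 0.0;
    if (isset($_SESSION['cart']) && is_object($_SESSION['cart'])) {
        $items = (int) $_SESSION['cart']->count_contents();
        $total = (float) $_SESSION['cart']->show_total();
    }

    // Only two numbers leave the session: no product ids, attributes or customer data.
    // Both values are cast to numeric types before being interpolated into the SQL, and
    // the session id goes through zen_db_input() like any other untrusted string.
    $db->Execute("UPDATE " . TABLE_WHOS_ONLINE . "
                  SET cart_items = " . $items . ",
                      cart_total = " . sprintf('%.4F', $total) . "
                  WHERE session_id = '" . zen_db_input($session_id) . "'");
}

// Admin side: the traffic-light state comes from the two columns alone, so the admin page
// never calls base64_decode(), session_decode() or unserialize() on a visitor's session.
function zc_example_cart_indicator(int $items, float $total): string
{
    if ($items <= 0) {
        return 'grey';                          // empty cart
    }
    return $total > 0.0 ? 'green' : 'yellow';   // items with value vs. zero-value items
}

// Usage in the admin listing (hypothetical row object with the two new columns):
// $light = zc_example_cart_indicator((int) $row->cart_items, (float) $row->cart_total);
```

The design choice is that the data written into whos_online is already the minimum the admin page needs, so the question of whether a given visitor's session is base64-encoded, suhosin-encrypted or simply broken never reaches the admin side at all.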

  5. #25 (Join Date: Jan 2004; Posts: 66,373; Blog Entries: 7; Plugin Contributions: 274)

    Re: 1.3.9 whos online error?? maybe

    Ya, I agree on your last point, for sure! But everyone pestering to get whos-online to show details wants to see the Cart Contents. They don't care about numbers or $$. They literally want to spy on exactly what their visitors are doing. I think it's just wrong. But who am I?

    As to unserialize, that won't accomplish what's needed, and certainly won't work in the case of encrypted suhosin session content.
    More research required.

  6. #26 (Join Date: Apr 2007; Location: Herts. UK; Posts: 890; Plugin Contributions: 4)

    Re: 1.3.9 whos online error?? maybe

    Quote Originally Posted by DrByte:
    Ya, I agree on your last point, for sure! But everyone pestering to get whos-online to show details wants to see the Cart Contents. They don't care about numbers or $$. They literally want to spy on exactly what their visitors are doing. I think it's just wrong. But who am I?
    Personally, I only use the information to check for shoppers before I do any quick changes to the live site.

    I can't think of any useful insight that can be gained by seeing what visitors have in their carts at any moment in time.

    Reading the session data is just bad. I know this isn't a democracy but I'd vote for dropping it from the official release and let people do it with an add-on if they want.

    Quote Originally Posted by DrByte:
    As to unserialize, that won't accomplish what's needed, and certainly won't work in the case of encrypted suhosin session content.
    More research required.
    If the session data is encrypted then there is nothing you can do to read it.

    Regards,
    Christian.

  7. #27 (Join Date: Jan 2004; Posts: 66,373; Blog Entries: 7; Plugin Contributions: 274)

    Re: 1.3.9 whos online error?? maybe

    Quote Originally Posted by CJPinder:
    If the session data is encrypted then there is nothing you can do to read it.
    Correct, but it does appear that session_decode() does decrypt it as part of the decoding process. Presumably part of suhosin support.

  8. #28 (Join Date: Apr 2007; Location: Herts. UK; Posts: 890; Plugin Contributions: 4)

    Re: 1.3.9 whos online error?? maybe

    Quote Originally Posted by DrByte:
    Correct, but it does appear that session_decode() does decrypt it as part of the decoding process. Presumably part of suhosin support.
    If suhosin session encryption is on then session_decode will attempt to decrypt the data before decoding the session. By default suhosin uses the browser's User Agent string as the encryption key, so session_decode will only successfully decrypt the data if you are using the exact same browser as the visitor.

    Just check if the session string is encrypted and don't use session_decode on it if it is.

    Regards,
    Christian.
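The three rules that emerge from posts #22, #24 and #28 (always base64_decode database-stored session data, check for 'cart|O' before touching it, and never call session_decode on data that fails that check) put together in one function. This is an added example, not Zen Cart's code and not the fix released in 1.3.9e. It assumes PHP 7.1 or later, that `$raw` is the value column read from the sessions table (which Zen Cart 1.3.9 stores base64-encoded), that an admin session is already active (session_decode() needs one), and that the shoppingCart class is loaded and keeps its items in a public `$contents` array.

```php
<?php
// Added example, not Zen Cart's own code: read the shopping cart out of one whos_online
// session record without the two flaws discussed in the thread.
// Assumptions (not from the thread): $raw is the session string read from the sessions
// table, which Zen Cart 1.3.9 stores base64-encoded; an admin session is already active;
// the shoppingCart class is loaded so unserialize() can rebuild it, and it exposes its
// items in a public $contents array.

function zc_example_cart_from_db_session(string $raw): ?array
{
    // 1. Database-stored sessions are always base64-encoded, so decode unconditionally.
    //    Strict mode rejects anything that is not valid base64 instead of silently
    //    mangling it, which is the "decoding data that is not encoded" problem.
    $session_data = base64_decode($raw, true);
    if ($session_data === false) {
        return null; // broken record, nothing safe to show
    }

    // 2. Plaintext session data carries the serialized cart as 'cart|O:...'. If that
    //    marker is absent the data is either suhosin-encrypted or corrupt, so
    //    session_decode() must not be called on it: with suhosin.session.encrypt On it
    //    would try to decrypt with a key derived from the admin's own User-Agent.
    //    Use === false here: strpos() returns 0 for a hit at offset 0, which the loose
    //    "== 0" in the original code mistakes for "not found".
    if (strpos($session_data, 'cart|O') === false) {
        return null;
    }

    // 3. session_decode() overwrites $_SESSION, which is the admin's own session on this
    //    page. Save it first and restore it afterwards, whatever happens in between.
    $saved = $_SESSION;
    $_SESSION = [];
    try {
        if (!session_decode($session_data)) {
            return null;
        }
        $cart = $_SESSION['cart'] ?? null;
    } finally {
        $_SESSION = $saved;
    }

    // If the shoppingCart class was not loaded, unserialize() yields an incomplete-class
    // placeholder whose properties cannot be read reliably; treat that as "not readable".
    if (!is_object($cart) || $cart instanceof __PHP_Incomplete_Class
        || !isset($cart->contents) || !is_array($cart->contents)) {
        return null;
    }
    return $cart->contents;
}

// Usage in the admin page: null covers "encrypted", "broken" and "no cart" alike, so the
// caller never has to distinguish them and never sees partially decoded data.
// $contents = zc_example_cart_from_db_session($row->value);
```

The point of returning null in every unreadable case is that the admin listing degrades to "no details" rather than emitting the PHP errors the thread started with; an encrypted session is simply not displayable, as Christian says, and the code should not try.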

  9. #29 (Join Date: Apr 2009; Posts: 46; Plugin Contributions: 0)

    Re: 1.3.9 whos online error?? maybe

    Thank you CJPinder. Your method works!

  10. #30 (Join Date: Jan 2007; Location: Whitstable - UK; Posts: 48; Plugin Contributions: 0)

    Re: 1.3.9 whos online error?? maybe

    Quote Originally Posted by DrByte:
    The workaround is in v1.3.9e, which was released yesterday.
    Any workaround for v1.3.9f? My client has thousands of products and customers ring up with queries while they're shopping, so being able to view the contents of the cart is a great asset.

    Thanks
