session time out/orders lost - payments via MiGS Module

**Green333** · 22 Nov 2011, 11:28 PM

We use the cc via migs (MasterCard, Australian Commonwealth Bank, bendigo) ANZ eGate payment module, and have upgraded to ZC v1.3.9h in the last few months.

1. Only since upgrade now have a ‘session time out error’ which only occurs as follows:

a. Customer enters cc details incorrectly (1st time), and is successfully returned to the site to try again; customer tries again (2nd time), enters details correctly, payment is deemed successful and accepted by bank; message is given that they will be returned to site. Returned to site: ‘whoops, your session has expired’. No record of order. No record of cart in account. No order email is generated.

b. This issue occurs even if the entire procedure (i.e. both steps) is completed in under a minute or if several minutes pass between step 1 and step 2 i.e. it makes no difference either way. This occurs irrespective of whether 2nd attempt contains ‘correct’ or ‘incorrect’ payment details

c. Please note that if payment is successful the 1st time, this problem does NOT occur

2. We have been hosted with our current web hosting provider for over a year and neither the web server nor the php configuration has changed in that time and as mentioned, the current issue only began after ZenCart was upgraded. During initial troubleshooting, our host had also increased the php timeout limit to 300 seconds (this has not made any difference as they said this is not a php time out concern (please see below))

3. When the problem occurs no errors are being logged either by PHP or the web server and there are no mention of timeouts being logged anywhere.

4. During troubleshooting, our host advised that the SSL access log show that when the timeout occurs, it is ZenCart itself which redirects the customer to this page:

http://www.our_site.com.au/index.php?main_page=time_out and that this is *not* a PHP timeout.

5. Upon your determining that no other customers were logged in at the time, I logged in and performed steps 1 and 2 i.e first the failed payment and then the successful payment and during that time, our web hosting provider monitored our the expiry column in our ZenCart session table and noticed that when I was logged in, my session expiry time was:

1321945400

then it was followed by:

1321945632

then by:

1321945595

and at some point after the payment failed, 1321945595 was replaced by 1321945636. So the initial sequence was:

1321945400
1321945632
1321945595

which after the failed payment in step 1, later became:

1321945400
1321945632
1321945636

after which I was then redirected to http://www.our_site.com.au/index.php?main_page=time_out.

I hope that someone can help, as this is a massive problem for us & our customers, and I'm not really sure where to go from here.

Many thanks in advance

**DrByte** · 23 Nov 2011, 12:55 AM

Zen Cart automatically logs the customer out if they make more than 3 failed payment attempts ... because that's exactly what credit-card-theft-rings do. It's called Credit Card Slamming.

If your customers are prone to constantly being unable to type in their credit card numbers, and you want to open yourself up to wider risk of abuse by credit card slamming, you can change that to a higher number by editing /includes/modules/name_of_your_template/checkout_process.php

Code:

if ($_SESSION['payment_attempt'] > 3) {

**Green333** · 23 Nov 2011, 07:08 AM

Thanks for your reply DrByte,

However, this is happening after only one incidence of failed details, followed by a correct submission of details.

Hoping that you could please help further?

Many thanks :)