  1. #1
    Join Date
    Sep 2009
    Location
    Stuart, FL
    Posts
    12,472
    Plugin Contributions
    88

    [Fixed v1.5.1] page_not_found on session timeout?

    Running 1.5.0 locally with no add-ons. If a customer signs in, adds something to their cart, and starts the checkout process but then gets distracted so that the session timeout kicks in, the next time they press a "Continue" button they're taken to the page_not_found page.

    I've traced this issue down to the following code section within /includes/init_includes/init_sanitize.php:

    Code:
      $csrfBlackListLocal = array();
      $csrfBlackList = (isset($csrfBlackListCustom)) ? array_merge($csrfBlackListLocal, $csrfBlackListCustom) : $csrfBlackListLocal;
      if (! isset ( $_SESSION ['securityToken'] ))
      {
        $_SESSION ['securityToken'] = md5 ( uniqid ( rand (), true ) );
      }
      if ((isset ( $_GET ['action'] ) || isset($_POST['action']) ) && $_SERVER['REQUEST_METHOD'] == 'POST')
      {
        $mainPage = isset($_GET['main_page']) ? $_GET['main_page'] : FILENAME_DEFAULT;
        if (!in_array($mainPage, $csrfBlackList))
        {
          if ((! isset ( $_SESSION ['securityToken'] ) || ! isset ( $_POST ['securityToken'] )) || ($_SESSION ['securityToken'] !== $_POST ['securityToken']))
          {
            zen_redirect ( zen_href_link ( FILENAME_PAGE_NOT_FOUND, '', $request_type ) );
          }
        }
      }
    What is happening is that the securityToken is getting reset (due to the session timeout) so that the value in the $_SESSION is not equal to the value in the $_POST array. While the $mainPage value is valid, the $csrfBlackList array value is empty, resulting ultimately in a redirect to the page_not_found page.

    I'm not sure what the $csrfBlackList code is supposed to be doing (it was added for v1.5.0), so I'm wont to simply remove it.

    Any help would be appreciated.

  2. #2
    Join Date
    Sep 2009
    Location
    Stuart, FL
    Posts
    12,472
    Plugin Contributions
    88

    Re: page_not_found on session timeout?

    FWIW, commenting out the entire code fragment above results in the session timeout redirecting to the time_out page (like it does in previous versions). Any word on what that code fragment's intended function is/was?

  3. #3
    Join Date
    Jan 2012
    Location
    London / Roma
    Posts
    30
    Plugin Contributions
    0

    Re: page_not_found on session timeout?


  4. #4
    Join Date
    Sep 2009
    Location
    Stuart, FL
    Posts
    12,472
    Plugin Contributions
    88

    Re: page_not_found on session timeout?

    caffeitalia, for this issue to be related to yours the customer would need to be signed into your store and then leave your store's page idle for 24+ minutes.

    Any word from the devs on this issue?

  5. #5
    Join Date
    Jan 2004
    Posts
    66,373
    Blog Entries
    7
    Plugin Contributions
    274

    Re: page_not_found on session timeout?

    The change that will be in the next release is as follows:
    Code:
            zen_redirect ( zen_href_link ( FILENAME_PAGE_NOT_FOUND, '', $request_type ) );
    Code:
            zen_redirect ( zen_href_link ( FILENAME_TIME_OUT, '', $request_type ) );

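    As an added illustration (not Zen Cart's own code and not DrByte's patch), the following stand-alone PHP models the init_sanitize.php check quoted in post #1 with the redirect change from post #5 applied. It goes one step further than the original: because the token is minted before the comparison runs, a session whose token was reset by the timeout and a request whose token simply does not match are indistinguishable to the `!==` test, so the model records whether the token was freshly created and reports the two cases separately. The function names, the return strings, the array-based session, the use of random_bytes()/hash_equals() (PHP 7+) instead of md5(uniqid(rand(), true)) and the sample requests are all assumptions of this example.

    ```php
    <?php
    // Added example modelling the Zen Cart CSRF check discussed in this thread.
    // Not Zen Cart code: names, constants and sample inputs are invented here.

    const CSRF_OK       = 'ok';
    const CSRF_TIMEOUT  = 'timeout';   // session carried no token: it was reset/expired
    const CSRF_MISMATCH = 'mismatch';  // session token exists but the POSTed one differs

    // Make sure the session carries a token; report whether one had to be minted.
    // Zen Cart uses md5(uniqid(rand(), true)); random_bytes() is assumed here.
    function csrf_ensure_token(array &$session): bool
    {
        if (isset($session['securityToken'])) {
            return false;
        }
        $session['securityToken'] = bin2hex(random_bytes(16));
        return true;
    }

    // Same decision structure as the page's code: only POST requests carrying an
    // 'action' are checked, blacklisted pages are exempt, and a missing or
    // different token fails. Unlike the original it separates "token just
    // minted" (the thread's session-timeout case) from a mismatch in a live session.
    function csrf_check(array &$session, array $get, array $post, string $method, array $blackList = []): string
    {
        $freshToken = csrf_ensure_token($session);

        $hasAction = isset($get['action']) || isset($post['action']);
        if (!$hasAction || $method !== 'POST') {
            return CSRF_OK;                         // not a state-changing submission
        }

        $mainPage = $get['main_page'] ?? 'index';   // stands in for FILENAME_DEFAULT
        if (in_array($mainPage, $blackList, true)) {
            return CSRF_OK;                         // page exempted via $csrfBlackListCustom
        }

        if ($freshToken) {
            return CSRF_TIMEOUT;                    // session did not survive: no token to compare
        }
        if (!isset($post['securityToken'])
            || !hash_equals($session['securityToken'], (string) $post['securityToken'])) {
            return CSRF_MISMATCH;                   // token in session, absent/different in POST
        }
        return CSRF_OK;
    }

    // Where the request should be redirected; null means let the page proceed.
    function csrf_redirect_target(string $result): ?string
    {
        switch ($result) {
            case CSRF_TIMEOUT:
                return 'time_out';     // FILENAME_TIME_OUT, the change announced in post #5
            case CSRF_MISMATCH:
                return 'time_out';     // Zen Cart sends this case to time_out too; a store could log it
            default:
                return null;
        }
    }

    // Constructed scenarios (not captured from a real store).
    $request = ['main_page' => 'checkout_shipping', 'action' => 'process'];

    $live = ['securityToken' => 'abc'];
    echo csrf_check($live, $request, ['securityToken' => 'abc'], 'POST'), PHP_EOL;

    $expired = [];   // session timed out: PHP handed the customer a new, empty session
    $result = csrf_check($expired, $request, ['securityToken' => 'abc'], 'POST');
    echo $result, ' -> ', csrf_redirect_target($result), PHP_EOL;

    $forged = ['securityToken' => 'abc'];
    $result = csrf_check($forged, $request, ['securityToken' => 'zzz'], 'POST');
    echo $result, ' -> ', csrf_redirect_target($result), PHP_EOL;

    $exempt = [];
    echo csrf_check($exempt, $request, [], 'POST', ['checkout_shipping']), PHP_EOL;
    ```

    Run it with `php csrf_check.php`. The second scenario is the one the thread reports: the customer's form still carries the old token, but the session behind it has been reset, so the token is minted fresh and the comparison can never succeed; sending that case to the time_out page, as the v1.5.1 change does, tells the customer what actually happened instead of showing page_not_found.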

  6. #6
    Join Date
    Sep 2009
    Location
    Stuart, FL
    Posts
    12,472
    Plugin Contributions
    88

    Re: page_not_found on session timeout?

    Thanks for the update, DrByte. I'll make that change to my 1.5.0 installations.
