Problems since host upgraded PHP to suPHP

[DrByte]

Do these symptoms only occur on your admin side? ie: is the storefront okay?

Why are you using subdomains?
Why are you using shared-ssl?

[RatMonkey]

DrByte,

Storefront is not OK. If shared SSL is enabled in checkout, then sessions expire at the point of clicking on the "go to checkout button". I get the "oops your session has expired" message each time I try to checkout under shared SSL.

a) Sorry, I meant add on domains not subdomains. Forgive me, my brain is getting a bit fried over this. The reason I use add on domains is that I currently host five domains on one hosting account. Using add on domains on one hosting account is cheaper than five hosting accounts.

b) Why shared SSL? Same reason. Five dedicated certs would be expensive. Shared SSL is free. Why am I so cost concious? Becuase my sites are not generating revenue at the moment so I need to limit my outgoings until I can get some money coming in.

as I mentioned in my previous host of today, the session expiry seems to happen at the point of moving between http and https server. It seems to happen both ways: https to http (in admin) and http to https (in store, at checkout).

Currently sessions are stored in the database. Would storing session in a folder make any difference?

Really would like to get to the bottom of this if possible - it's bugging me big style.

[RatMonkey]

Dr Byte.

My new host seems to have solved the problem by creating a php.ini file and putting in the statement:

suhosin.session.encrypt=off

From what I understand, the suhosin php "hardening" patch by default has suhosin.session.encrypt=on. I understand this encrypts the session ID's that Zen Cart generates. It lools like there may be a problem passing session ID's between http and https servers when encrypted. I'm guessing.

Do you have any comment about setting suhosin.session.encrypt=off? Any issues for Zen Cart?

Not sure if I'm allowed to but may I credit Birch Hosting for working this out ( www.birchhosting.com ). A first class web host with excellent tech support - and they offer Zen Cart as a one click install. Very competively priced too.

Rat

[Qdixon]

Ok Here is the thing, this may work specifically for your situation on your specific host.

Zen Cart users do not need to disable suhosin.session.encrypt to off because Zen Cart works just fine with it set to ON. It is not a Zen Cart issue.

Suhosin and Zen Cart are compatible. Suhosin and Shared SSL are compatible.

The situation you have will have more to do with how your host has things setup as there must be something out of the ordinary running or a misconfiguration on the server. As suggested in a previous post I tested this and could not replicate this issue on our server testing environments. This in short means that it is localized to your hosting company.

Reason why I have posted this is because stuff like this travels like wildfire and gets misinterpreted as gospel.

[RatMonkey]

Qdixon,

Sure, I understand that this is not a "one size fits all" solution. And if Zen Cart usually works fine with suhosin.session.encrypt=on then the suhosin.session.encrypt=off solution is just masking the problem not identifying the root cause.

What I can't figure out is that the SAME problem occured on TWO webhosts. Can both of them have messed up their server configurations resulting in the same error?

In the meantime I'm happy that my sites are working without having to fork out for a bunch of dedicated SSL certs.

Ratty M

[schoolboy]

Not sure if I'm allowed to but may I credit Birch Hosting for working this out. A first class web host with excellent tech support - and they offer Zen Cart as a one click install. Very competively priced too.

Rat

Hmmm... just about every "popular and cheap" host offers "one-click install" which is actually the WORST POSSIBLE WAY TO INSTALL COMPLEX SOFTWARE, and if they are advocating that you install programs using these "one-click" systems then they are actually doing you a disservice.

[RatMonkey]

Schoolboy,

I must say I've never used a one click install. To me offering a one-click indicates that the host supports Zen Cart (or is supposed to). As I was moving host I followed the Zen Cart recommended procedure for moving to a different server to make sure the templates and mySQL databases (including an installed patch on one site) migrated properly - and the transfer worked fine.

Regardless of offering one click installs, Birch Hosting is a good host compared to my previous host: I now have twice the space and bandwidth, technical support that works, unlimited add-on domains, sub domains and mySQL databases and I'm paying 20% less than with my previous host! I can't argue with that.

[schoolboy]

It's not about what they "offer". This gives you no indication of their competence.

QDixon and DrByte are the LEAD DEVELOPERS for zencart, so they know what they are talking about. If they are telling you that the problem lies with your host, then you should believe that to be 100% true.

Practically every webhost offers a range of "products" these days - most are subscriptions to 3rd-party providers, and this is also true of WHM and C-PANEL.

The fact that they offer these "tools" and "services" is no indicator of being a good host.

Your host appears to be incompetent.

We have installed over 300 Zencart programs since 2004, and because we did a LOT of research first on who (in the hosting industry) knows what they are doing, we have NEVER EVER had a problem with an installation.

Your host is clearly incompetent. Sorry to be so frank, but they are.

[DrByte]

Your host appears to be incompetent.

We have installed over 300 Zencart programs since 2004, and because we did a LOT of research first on who (in the hosting industry) knows what they are doing, we have NEVER EVER had a problem with an installation.

Your host is clearly incompetent. Sorry to be so frank, but they are.

schoolboy is indeed making some very strong and broad statements. I don't have enough actual information about your host to be able to make the same statements; however, I am indeed of the opinion that your host needs to take an active role in sorting out the problems you're encountering. If they're worth their salt then they'll see that their time investment in fixing this will actually benefit all of their customers, not just you. Hopefully they can see that bigger picture. If not, I question whether your "20% savings" is actually savings at all.

[RatMonkey]

Schoolboy,

Now you've got me interested; I'd like to benefit from your research if I may. Can you please recommend a host who is running suPHP, Apache suExec and the Suhosin patch. I'd like to sign up with them and see if the problem replicates.