404 Error when adding to cart (session related)

[Matt H]

Sometimes when adding a product to the cart you are presented with a 404 error. This happens when a session expires but is not limited to customers who are logged in.

You can replicate this by adjusting the zenid cookie and clicking 'Add to cart' on a product page.

I've adjusted the init_sanitize.php file to direct to FILENAME_TIME_OUT as opposed to FILENAME_PAGE_NOT_FOUND which is obviously more helpful but it doesn't explain why this would happen randomly. It only seems to happen when visiting the site again much later in the day or when the session has actually expired.

Should this not try to combine the zenid provided in post variables to the cookie, rather than simply throwing an error? A lot of my customers are reporting that they can't add products to their cart page...

[wilt]

Hi,

There is another thread which covers the incorrect redirtect to page_not_found at http://www.zen-cart.com/showthread.p...ession-timeout

And we have corrected that in our internal repository to use FILENAME_TIME_OUT

However we agree that is not optimal, and there should be some better way of handling for customers who are logged out.

Its not possible to do what you ask (using zenid/cookie) to reinstate a customer session for both techical and security reasons. We are considering some options an will let you know the outcome.

[Matt H]

Thanks for the reply and confirmation.

Is there anything temporarily that can be done?

Perhaps I could detect referrer page and if contains 'action=add_product' then perhaps reload the page in an attempt to grab a new zenid...?

[wilt]

Well I guess the real question is, why are you seeing so many complaints from customers.
Given a standard session timeout of 24 minutes.

Is your site geared to customers building large baskets, or is there another reason they may 'sit around' before adding products.

On the techical side

If the session has timed out, then the securityToken is now no longer accessible, and hence the post of add to cart data will fail.
Furthermore because the session has timed out, there is a good probability that garbage collection has taken place, so any session information indexed by the zenid will also have disappeared
because of this there is no information availabe to code to 'know' in what state the system was before the session timed out, so we can't even create a new session for the customer as we have no access to knowing who the customer is.

Even if the garbage collection had not occured, building a new customer session based on the information indexed by the zenid is fraught with security problems, The whole point of the securityToken is that we are mitigating against some thirdparty gaining access to the customers session through some socially engineered session hijack.

[Matt H]

That's where the main issue is... There doesn't neccesarily have to be a 24 minute gap.

I experienced the problem this morning when testing in Chrome. I opened the browser, visited the website, added something to the cart and voila - 404. There were plenty of pages I hit for a new session to be generated but instead it must have continued to try and use an old one? I had previously visited the website in Chrome a couple of days earlier so it's almost as if old sessions aren't being removed? The settings stored with the cookie seem to be fine though - no expires date set just a "session only" variable.

My suggestion was to detect when a session has timed out when adding to cart and to create a new session when this happens, rather than telling them it's timed out. If it's a genuine timeout then they should realise when they get to the checkout and it prompts them to login... at which stage their cart will be combined anyway.

[DrByte]

What are your settings in Admin->Configuration->Sessions ?

[Matt H]

What are your settings in Admin->Configuration->Sessions ?

Session Directory = /home/website8/public_html/cache
Cookie Domain = True
Force Cookie Use = True
Check SSL Session ID = True
Check User Agent = False
Check IP Address = False
Prevent Spider Sessions = True
Recreate Session = True
IP to Host Conversion Status = true
Use root path for cookie path = False
Add period prefix to cookie domain = False

[DrByte]

wilt and I were talking about this some more:
Does changing "Force Cookie Use" to false help?

[Matt H]

wilt and I were talking about this some more:
Does changing "Force Cookie Use" to false help?

The website is currently live for a client with no staging environment available so I will have to test this on another website but I'll give it a trial and let you know of the results. Thanks.

[i-make-robots]

I'm curious to know the results. I'm experiencing similar issues. Thank you!