I'm currently trying to chase down the presence of a "sticky" zenid parameter on a site that is https-only running Zen Cart v1.5.4 and PHP 5.3.29. All the session-related settings look standard.
Code:
Session Directory /home/main_site/public_html/test_site/cache Info
Cookie Domain True
Force Cookie Use False
Check SSL Session ID False
Check User Agent False
Check IP Address False
Prevent Spider Sessions True
Recreate Session True
IP to Host Conversion Status true
Use root path for cookie path False
Add period prefix to cookie domain True
Code:
Session Support                  enabled
Registered save handlers         files user sqlite
Registered serializer handlers   php php_binary

Directive                        Local Value                                  Master Value
session.auto_start               Off                                          Off
session.bug_compat_42            On                                           On
session.bug_compat_warn          On                                           On
session.cache_expire             180                                          180
session.cache_limiter            nocache                                      nocache
session.cookie_domain            .www.main_site.com                           no value
session.cookie_httponly          On                                           Off
session.cookie_lifetime          0                                            0
session.cookie_path              /test_site/admindir/
session.cookie_secure            On                                           Off
session.entropy_file             no value                                     no value
session.entropy_length           0                                            0
session.gc_divisor               2                                            100
session.gc_maxlifetime           900                                          1440
session.gc_probability           1                                            1
session.hash_bits_per_character  4                                            4
session.hash_function            0                                            0
session.name                     zenAdminID                                   PHPSESSID
session.referer_check            no value                                     no value
session.save_handler             user                                         files
session.save_path                /home/main_site/public_html/test_site/cache  /tmp
session.serialize_handler        php                                          php
session.use_cookies              On                                           On
session.use_only_cookies         On                                           On
session.use_trans_sid            0                                            0
I've traced the issue down to the highlighted code fragment in /includes/functions/html_output.php's zen_href_link function:
Code:
    while ( (substr($link, -1) == '&') || (substr($link, -1) == '?') ) $link = substr($link, 0, -1);
    // Add the session ID when moving from different HTTP and HTTPS servers, or when SID is defined
    if ( ($add_session_id == true) && ($session_started == true) && (SESSION_FORCE_COOKIE_USE == 'False') ) {
      if (defined('SID') && zen_not_null(constant('SID'))) {
        $sid = constant('SID');
//      } elseif ( ( ($request_type == 'NONSSL') && ($connection == 'SSL') && (ENABLE_SSL_ADMIN == 'true') ) || ( ($request_type == 'SSL') && ($connection == 'NONSSL') ) ) {
      } elseif ( ( ($request_type == 'NONSSL') && ($connection == 'SSL') && (ENABLE_SSL == 'true') ) || ( ($request_type == 'SSL') && ($connection == 'NONSSL') ) ) {
        if ($http_domain != $https_domain) {
          $sid = zen_session_name() . '=' . zen_session_id();
        }
      }
    }
    // clean up the link before processing
    while (strstr($link, '&&')) $link = str_replace('&&', '&', $link);
    while (strstr($link, '&&')) $link = str_replace('&&', '&', $link);
    if ( (SEARCH_ENGINE_FRIENDLY_URLS == 'true') && ($search_engine_safe == true) ) {
      while (strstr($link, '&&')) $link = str_replace('&&', '&', $link);
      $link = str_replace('&', '/', $link);
      $link = str_replace('?', '/', $link);
      $link = str_replace('&', '/', $link);
      $link = str_replace('=', '/', $link);
      $separator = '?';
    }
    if (isset($sid)) {
      $_SESSION['href_link_sid'] = $sid . ((defined('SID') && zen_not_null (constant ('SID'))) ? ', SID' : ',not-SID');
      $link .= $separator . zen_output_string($sid);
    }
I added the bit to set that session variable with the results. On Chrome and IE11 (but not Firefox), that value is set with zenid=xxxxx,SID, which indicates that the highlighted code that checks to see if the SID is set is being executed.
I can see in both browsers that the zenid cookie is, in fact, set and set to the value that's tracking in the zenid $_GET parameter. Anyone got any ideas?
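A per-request check that separates "the browser holds the cookie" from "this request actually sent it", as an added example that is not part of the original post or of Zen Cart. The function name `session_id_transport`, its verdict labels and the sample requests are assumptions constructed for illustration; it relies on PHP's documented behaviour that `SID` is an empty string when the session id arrived in a cookie.

```php
<?php
// Added diagnostic example, not Zen Cart code. session_id_transport() and its
// verdict labels are hypothetical names chosen for this illustration.
function session_id_transport($sessionName, array $cookies, array $query, $sid)
{
    $cookieId = isset($cookies[$sessionName]) ? (string) $cookies[$sessionName] : '';
    $queryId  = isset($query[$sessionName]) ? (string) $query[$sessionName] : '';

    if ($cookieId !== '' && $sid === '') {
        $verdict = 'cookie';                   // normal case: links stay clean
    } elseif ($cookieId !== '') {
        $verdict = 'cookie-sent-but-SID-set';  // the case that needs explaining
    } elseif ($queryId !== '') {
        $verdict = 'url-only';                 // this request carried no cookie
    } else {
        $verdict = 'no-id-presented';          // first hit of a new session
    }

    return array(
        'verdict'   => $verdict,
        'sid_set'   => $sid !== '',
        'ids_match' => $cookieId !== '' && $cookieId === $queryId,
        // Fingerprints only: raw session ids do not belong in logs.
        'cookie_fp' => $cookieId === '' ? '-' : substr(hash('sha256', $cookieId), 0, 8),
        'query_fp'  => $queryId === '' ? '-' : substr(hash('sha256', $queryId), 0, 8),
    );
}

// Constructed sample requests (the session ids are made up).
$samples = array(
    'cookie only'    => array(array('zenid' => 'abc123'), array(), ''),
    'id in URL only' => array(array(), array('zenid' => 'abc123'), 'zenid=abc123'),
    'cookie and URL' => array(array('zenid' => 'abc123'), array('zenid' => 'abc123'), 'zenid=abc123'),
    'first visit'    => array(array(), array(), 'zenid=new456'),
);

foreach ($samples as $label => $s) {
    $r = session_id_transport('zenid', $s[0], $s[1], $s[2]);
    printf("%-16s %-24s sid_set=%d ids_match=%d\n", $label, $r['verdict'], $r['sid_set'], $r['ids_match']);
}

// On a live page, after the session has started, the same call would be:
// error_log(json_encode(session_id_transport(zen_session_name(), $_COOKIE, $_GET,
//     defined('SID') ? SID : '')));
```

A `url-only` verdict on the request that rendered the sticky link means the cookie visible in the browser's tools was not sent with that particular request, which points at cookie scope (domain, path, secure flag) and not at `zen_href_link` itself.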