  1. #1
    Join Date
    Sep 2009
    Location
    Stuart, FL
    Posts
    12,489
    Plugin Contributions
    88

    IE11, Chrome: Sticky zenid on a store that is https-all-the-time

    I'm currently trying to chase down the presence of a "sticky" zenid parameter on a site that is https-only running Zen Cart v1.5.4 and PHP 5.3.29. All the session-related settings look standard.
    Code:
    Session Directory 	/home/main_site/public_html/test_site/cache 	Info 
    Cookie Domain 	True
    Force Cookie Use 	False
    Check SSL Session ID 	False
    Check User Agent 	False
    Check IP Address 	False
    Prevent Spider Sessions 	True
    Recreate Session 	True
    IP to Host Conversion Status 	true 	 
    Use root path for cookie path 	False
    Add period prefix to cookie domain 	True
    Code:
    Session Support 	enabled
    Registered save handlers 	files user sqlite
    Registered serializer handlers 	php php_binary
    
    Directive	Local Value	Master Value
    session.auto_start	Off	Off
    session.bug_compat_42	On	On
    session.bug_compat_warn	On	On
    session.cache_expire	180	180
    session.cache_limiter	nocache	nocache
    session.cookie_domain	.www.main_site.com	no value
    session.cookie_httponly	On	Off
    session.cookie_lifetime	0	0
    session.cookie_path	/test_site/admindir/
    session.cookie_secure	On	Off
    session.entropy_file	no value	no value
    session.entropy_length	0	0
    session.gc_divisor	2	100
    session.gc_maxlifetime	900	1440
    session.gc_probability	1	1
    session.hash_bits_per_character	4	4
    session.hash_function	0	0
    session.name	zenAdminID	PHPSESSID
    session.referer_check	no value	no value
    session.save_handler	user	files
    session.save_path	/home/main_site/public_html/test_site/cache	/tmp
    session.serialize_handler	php	php
    session.use_cookies	On	On
    session.use_only_cookies	On	On
    session.use_trans_sid	0	0
    I've traced the issue down to the highlighted code fragment in /includes/functions/html_output.php's zen_href_link function:
    Code:
        while ( (substr($link, -1) == '&') || (substr($link, -1) == '?') ) $link = substr($link, 0, -1);
    // Add the session ID when moving from different HTTP and HTTPS servers, or when SID is defined
        if ( ($add_session_id == true) && ($session_started == true) && (SESSION_FORCE_COOKIE_USE == 'False') ) {
          if (defined('SID') && zen_not_null(constant('SID'))) {
            $sid = constant('SID');
    //      } elseif ( ( ($request_type == 'NONSSL') && ($connection == 'SSL') && (ENABLE_SSL_ADMIN == 'true') ) || ( ($request_type == 'SSL') && ($connection == 'NONSSL') ) ) {
          } elseif ( ( ($request_type == 'NONSSL') && ($connection == 'SSL') && (ENABLE_SSL == 'true') ) || ( ($request_type == 'SSL') && ($connection == 'NONSSL') ) ) {
            if ($http_domain != $https_domain) {
              $sid = zen_session_name() . '=' . zen_session_id();
            }
          }
        }
    
    // clean up the link before processing
        while (strstr($link, '&&')) $link = str_replace('&&', '&', $link);
        while (strstr($link, '&&')) $link = str_replace('&&', '&', $link);
    
        if ( (SEARCH_ENGINE_FRIENDLY_URLS == 'true') && ($search_engine_safe == true) ) {
          while (strstr($link, '&&')) $link = str_replace('&&', '&', $link);
    
          $link = str_replace('&', '/', $link);
          $link = str_replace('?', '/', $link);
          $link = str_replace('&', '/', $link);
          $link = str_replace('=', '/', $link);
    
          $separator = '?';
        }
    
        if (isset($sid)) {
          $_SESSION['href_link_sid'] = $sid . ((defined('SID') && zen_not_null (constant ('SID'))) ? ', SID' : ',not-SID');
          $link .= $separator . zen_output_string($sid);
        }
    I added the bit to set that session variable with the results. On Chrome and IE11 (but not Firefox), that value is set with zenid=xxxxx,SID which indicates that the highlighted code that checks to see if the SID is set is being executed.

    I can see in both browsers that the zenid cookie is, in fact, set and set to the value that's tracking in the zenid $_GET parameter. Anyone got any ideas?

  2. #2
    Join Date
    Sep 2005
    Location
    Austria
    Posts
    104
    Plugin Contributions
    6

    Re: IE11, Chrome: Sticky zenid on a store that is https-all-the-time

    I'm suffering as well from this behaviour in various https only 1.5.4 stores. Same with PHP 5.4 or 5.5. If you remove the zenid once from the url and refresh the page it is gone. I have tried lots of settings and different http to https rewrite rules. No success.
    We should get rid of the whole http to https switch functionality in a https only store, it's not needed there.
    Very interested in a solution as well, can provide more details if needed.

  3. #3
    Join Date
    Sep 2005
    Location
    Austria
    Posts
    104
    Plugin Contributions
    6

    Re: IE11, Chrome: Sticky zenid on a store that is https-all-the-time

    Of course one can argue that it is useless to run the frontend SSL only. But it is a fact that many stores do it and many customers want it.

    This thread is about an issue with permanent zenid when running the frontend SSL only.
    Zen Cart allows running the frontend SSL only as well as the backend. Everyone with a dedicated SSL will run their backend SSL only which is working perfectly fine.

    But in the frontend we have a problem.
    Debating the pros and cons of SSL only stores doesn't bring us any further.

    If someone decides to run the frontend SSL only it should work without such issues.
    And for a SSL only configuration an admin switch would be welcome to disable the http to https switch functionality which seems to cause the zenid issue.
    Last edited by webchills; 30 Nov 2015 at 06:58 AM.

  4. #4
    Join Date
    Sep 2005
    Location
    Austria
    Posts
    104
    Plugin Contributions
    6

    Re: IE11, Chrome: Sticky zenid on a store that is https-all-the-time

    As long as there is no better solution I solved the issue in 4 different https only stores by changing in

    includes/functions/html_output.php

    line 16

    from

    Code:
    function zen_href_link($page = '', $parameters = '', $connection = 'NONSSL', $add_session_id = true, $search_engine_safe = true, $static = false, $use_dir_ws_catalog = true) {
    to

    Code:
    function zen_href_link($page = '', $parameters = '', $connection = 'SSL', $add_session_id = false, $search_engine_safe = true, $static = false, $use_dir_ws_catalog = true) {
    No sticky zenid anymore, no issues with logging in, checking out, etc.
    Last edited by webchills; 5 Dec 2015 at 10:14 PM.

  5. #5
    Join Date
    Jul 2012
    Posts
    16,733
    Plugin Contributions
    17

    Re: IE11, Chrome: Sticky zenid on a store that is https-all-the-time

    Quote Originally Posted by webchills View Post
    As long as there is no better solution I solved the issue in 4 different https only stores by changing in

    includes/functions/html_output.php

    line 16

    from

    Code:
    function zen_href_link($page = '', $parameters = '', $connection = 'NONSSL', $add_session_id = true, $search_engine_safe = true, $static = false, $use_dir_ws_catalog = true) {
    to

    Code:
    function zen_href_link($page = '', $parameters = '', $connection = 'SSL', $add_session_id = false, $search_engine_safe = true, $static = false, $use_dir_ws_catalog = true) {
    No sticky zenid anymore, no issues with logging in, checking out, etc.
    What are/were the HTTP_SERVER and secure version of the same in the includes/configure.php file? Did they both begin with https:? Only asking because it doesn't appear above as directly stated..

    The other solution to the code change would be/have been to locate all zen_href_link references and possibly modify them to include either $request_type or 'SSL' applicably and/or a line to follow once in that function to set $connection to 'SSL' regardless of what it was fed, otherwise the above still could be served with 'NONSSL' to the function.

  6. #6
    Join Date
    Sep 2005
    Location
    Austria
    Posts
    104
    Plugin Contributions
    6

    Re: IE11, Chrome: Sticky zenid on a store that is https-all-the-time

    Here is the configuration

    Settings in includes/configure.php

    Code:
    define('HTTP_SERVER', 'https://www.mydomain.com');
    define('HTTPS_SERVER', 'https://www.mydomain.com');
    define('ENABLE_SSL', 'true');
    define('DIR_WS_CATALOG', '/');
    define('DIR_WS_HTTPS_CATALOG', '/');
    Settings in Configuration > Sessions

    Code:
    Session Directory 	/xxx/xxx/www.mydomain.com/cache 	 
    Cookie Domain 	True 	 
    Force Cookie Use 	False 	
    Check SSL Session ID 	False 	
    Check User Agent 	False 	
    Check IP Address 	False 	
    Prevent Spider Sessions 	True 	
    Recreate Session 	True 	
    IP to Host Conversion Status 	true 	
    Use root path for cookie path 	False 	
    Add period prefix to cookie domain 	False
    PHP Settings

    Code:
    PHP Version: 5.5.26
    php_flag session.use_trans_sid off
    php_flag session.use_only_cookies off

    Entries in .htaccess :

    Code:
    RewriteCond %{HTTPS} off 
    RewriteCond %{HTTPS_HOST} !^www.mydomain.com$ [NC]
    RewriteRule ^(.*)$ https://www.mydomain.com/$1 [L,R=301]

  7. #7
    Join Date
    Sep 2009
    Location
    Stuart, FL
    Posts
    12,489
    Plugin Contributions
    88

    Re: IE11, Chrome: Sticky zenid on a store that is https-all-the-time

    Quote Originally Posted by webchills View Post
    As long as there is no better solution I solved the issue in 4 different https only stores by changing in

    includes/functions/html_output.php

    line 16

    from

    Code:
    function zen_href_link($page = '', $parameters = '', $connection = 'NONSSL', $add_session_id = true, $search_engine_safe = true, $static = false, $use_dir_ws_catalog = true) {
    to

    Code:
    function zen_href_link($page = '', $parameters = '', $connection = 'SSL', $add_session_id = false, $search_engine_safe = true, $static = false, $use_dir_ws_catalog = true) {
    No sticky zenid anymore, no issues with logging in, checking out, etc.
    Nice one, webchills! I'll give that a try.

  8. #8
    Join Date
    Jan 2004
    Posts
    66,373
    Blog Entries
    7
    Plugin Contributions
    274

    Re: IE11, Chrome: Sticky zenid on a store that is https-all-the-time

    Peculiarly, I've not seen this "sticky" session issue except where the server's own configuration was to blame. And at this present moment I don't recall what exactly about the server config was adjusted to resolve the problem.

    However, I'm 90% certain that simply setting ENABLE_SSL to 'false' should resolve the issue, as that's what's causing ZC to regenerate/recalculate session data. Since you've already got both HTTP_SERVER and HTTPS_SERVER set to an https URL there's no need to use the ENABLE_SSL flag to negotiate any auto-switching between http and https.
    And doing that would also remove the need for your code changes to html_output.php, as it's basically doing the same thing.

    Quote Originally Posted by webchills View Post
    Here is the configuration

    Settings in includes/configure.php

    Code:
    define('HTTP_SERVER', 'https://www.mydomain.com');
    define('HTTPS_SERVER', 'https://www.mydomain.com');
    define('ENABLE_SSL', 'true'); // change to false 
    define('DIR_WS_CATALOG', '/');
    define('DIR_WS_HTTPS_CATALOG', '/');

  9. #9
    Join Date
    Sep 2009
    Location
    Stuart, FL
    Posts
    12,489
    Plugin Contributions
    88

    Re: IE11, Chrome: Sticky zenid on a store that is https-all-the-time

    Nice one, DrByte! That did the trick. I was wrestling with the previous change, not wanting to make core-file changes if not necessary.

  10. #10
    Join Date
    Sep 2005
    Location
    Austria
    Posts
    104
    Plugin Contributions
    6

    Re: IE11, Chrome: Sticky zenid on a store that is https-all-the-time

    Quote Originally Posted by DrByte View Post
    However, I'm 90% certain that simply setting ENABLE_SSL to 'false' should resolve the issue.
    That was one of the first things I tried, but unfortunately this does not resolve the sticky zenid - at least in the stores I know. Only the code change did the trick.
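
A server-side way to confirm whether zenid is still reaching request URLs after either change discussed in this thread, as an added example that is not part of any post or of Zen Cart itself. The log lines are constructed samples in Apache combined log format, and the `audit` and `session_ids` names are hypothetical; a session ID presented from more than one client address is the case to review, since the URL carrying it has been shared or leaked.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit, parse_qs

# Constructed sample lines in Apache combined log format (not taken from the thread).
SAMPLE_LOG = """\
203.0.113.10 - - [05/Dec/2015:10:00:01 +0000] "GET /index.php?main_page=login HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.10 - - [05/Dec/2015:10:00:04 +0000] "GET /index.php?main_page=index&zenid=abc123def456 HTTP/1.1" 200 7301 "https://www.mydomain.com/index.php?main_page=login" "Mozilla/5.0"
198.51.100.7 - - [05/Dec/2015:10:02:30 +0000] "GET /index.php?main_page=product_info&products_id=3&zenid=abc123def456 HTTP/1.1" 200 8120 "-" "Mozilla/5.0"
203.0.113.10 - - [05/Dec/2015:10:03:00 +0000] "GET /index.php?main_page=shopping_cart HTTP/1.1" 200 4410 "https://www.mydomain.com/index.php?main_page=index&zenid=abc123def456" "Mozilla/5.0"
192.0.2.55 - - [05/Dec/2015:10:05:00 +0000] "GET /index.php?main_page=index&zenid=0f0f0f0f0f0f HTTP/1.1" 200 7301 "-" "Mozilla/5.0"
"""

# client IP, request line (method + target), status, size, Referer
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<target>\S+) [^"]*" '
    r'\d{3} \S+ "(?P<referer>[^"]*)"'
)


def session_ids(url, param):
    """Return the values of `param` in the query string of a URL or request target."""
    return parse_qs(urlsplit(url).query).get(param, [])


def audit(log_text, param="zenid"):
    """Map each session ID found in a URL to the client IPs that presented it."""
    in_request = defaultdict(set)  # sid -> IPs that sent it in the request URL
    in_referer = defaultdict(set)  # sid -> IPs whose Referer header carried it
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # not a combined-format line
        for sid in session_ids(m["target"], param):
            in_request[sid].add(m["ip"])
        for sid in session_ids(m["referer"], param):
            in_referer[sid].add(m["ip"])
    # A session ID used from more than one address points at a leaked or shared URL.
    shared = {sid: ips for sid, ips in in_request.items() if len(ips) > 1}
    return dict(in_request), dict(in_referer), shared


if __name__ == "__main__":
    requests, referers, shared = audit(SAMPLE_LOG)
    print("session IDs seen in request URLs:", sorted(requests))
    print("session IDs seen in Referer headers:", sorted(referers))
    print("session IDs used from several addresses:", shared)
```

An empty `requests` result over a fresh log window means the session is being carried by the cookie alone.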

 

 