Thread: Cookies

  1. #1
    Join Date
    Jun 2012
    Posts
    412
    Plugin Contributions
    0

    Cookies

    What's the story on cookies? Does Zen Cart require cookies to be enabled in users' browsers or not? An article by Dr. Byte suggests they are. But I've just run a test case with all cookies removed and all cookies blocked and everything appears to work OK. Did not see any cookies in the browser after the test, just something in cache. Is cache used instead? And is the cache content the same as if it were a cookie, i.e., a session id? Also is behavior different if the store does not use SSL for all pages? The test store uses SSL on all pages. Trying to develop an accurate privacy statement.

  2. #2
    Join Date
    Nov 2005
    Location
    los angeles
    Posts
    2,692
    Plugin Contributions
    9

    Re: Cookies

    i would refer to this page:

    https://www.zen-cart.com/content.php?317-cookies

    i have looked at the cookies i have for a couple of zen-cart sites and can say the above referenced page appears accurate.

    with regards to your ssl question, i do NOT believe ZC handles cookies differently with regards to http v https pages. this would have to be explicitly done in the code, and considering a base ZC install only has 1 cookie, i do not think ZC has any specific behavior differences for http v https.

    hope that helps.

    best.
    author of square Webpay.
    mxWorks has premium plugins. donations: venmo or paypal accepted.
    premium consistent excellent support. available for hire.

  3. #3
    Join Date
    Jun 2012
    Posts
    412
    Plugin Contributions
    0

    Re: Cookies

    Thank you for your response. The article you cited is the article I referenced in my post. I have now repeated my experiment clearing cookies and cache, as well as blocking cookies and cache in a browser. Zen Cart still works. That's great I guess, but if cookies are required but blocked, and I still get a successful order, how does ZC do it? Is zenid stored someplace else?

  4. #4
    Join Date
    Nov 2005
    Location
    los angeles
    Posts
    2,692
    Plugin Contributions
    9

    Re: Cookies

    dave,
    i can only do some limited testing for you. i do not have all of my resources available to do a more thorough exam.

    that said, here is what i have found. if i remove the cookie from my browser, and then BLOCK reading and writing of cookie usage on my browser, my ZC install still "works"; but not really. when i add something to the cart, and then go to the shopping cart page, there is nothing there. not an ideal situation.... in fact, not really workable....

    however, this may be due to my URL rewriting, which may have removed the zenid= parameter, which ZC uses in lieu of the cookie. unfortunately i can not test that hypothesis at this time.

    my testing was also done on a site using v155; not sure how the difference in v151 would work...

    i would refer you to this post:

    https://www.zen-cart.com/showthread....28#post1255828

    it sounds like if the user is blocking cookies, then ZC will add the zenid to the URL to keep the session data.

    hope that helps!

    best.

  5. #5
    Join Date
    Jun 2012
    Posts
    412
    Plugin Contributions
    0

    Re: Cookies

    Thanks again carlwhat! Your post clarified everything for me. I have Force Cookie Use (in admin/configuration/sessions) set to false which is the default. So zenid appears in the URL for all pages, except the main page, whether the browser blocks cookies or not. And you can check out, at least with PayPal Express, with cookies blocked or not. So it would seem to me that cookies are not required to be enabled in the browser if Force Cookie Use is set to false, at least for the setup of my store.

    However, it would be nice to have the zenid not appear in the URL if cookies are not blocked in the browser with Force Cookie Use set to false, to provide an extra bit of security. In other words, use zenid in the URL only when necessary when Force Cookie Use is false.

    I tried some experiments with Force Cookie Use set to true; zenid does not appear in the URL when cookies are enabled on the browser, you can add products to the cart, and checkout normally, even with PayPal Express. This is all good, and better than when Force Cookie Use is false, as long as cookies are enabled in the browser. But if cookies are not enabled in the browser, you get the cookie usage page ("cookies must be enabled") when attempting to login or create an account. If you continue without logging in, and try to add a product to the cart, you get a "Whoops, the session has expired" warning, and further attempts to login fail.

    I observed no difference in behavior between ZC 1.5.1 and ZC 1.5.5f in my experiments.

    All the best,
    Dave

  6. #6
    Join Date
    Jul 2012
    Posts
    16,734
    Plugin Contributions
    17

    Re: Cookies

    A few things here. First, when force cookies is set to false, the zenid is supposed to only show on the browser when the first link is clicked after landing on the page and an existing/unexpired cookie is present. On the second click, the now "all present" zenid is supposed to have caused a cookie to be created (if possible) and if not to then carry the zenid on the browser. If force cookie is set to true, then the process of converting zenid to a cookie is short-circuited to immediately attempt to create a cookie and carry the associated session "link" through the cookie. The inability of a browser to store the cookie (because it is blocked) leads to the cookie and timeout screens.

    That said, a recent post related to the zenid remaining on the browser path indicated that the issue was resolved once php was upgraded to 7.something (can't recall if it was 0 or 1). But that would only be possible with the ZC 1.5.5 series. Personally, I'm not sure if this is a factor of php and associated server configuration or some other facet, but it resolved a long observed issue for the original poster.
    ZC Installation/Maintenance Support <- Site
    Contribution for contributions welcome...
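
Added example (not from any poster in this thread and not Zen Cart code): a session id carried in the URL, as the posts above describe for zenid, is also written to server access logs and travels with any link a customer copies, so a store owner can audit the access log for it. The sketch assumes Apache/nginx "combined" log format and a store hostname passed in as own_host; the sample lines, hosts, IPs and ids are constructed.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit, parse_qs

# Constructed sample lines in combined log format (hosts, IPs and ids are made up).
SAMPLE_LOG = """\
198.51.100.7 - - [12/Mar/2019:10:01:02 +0000] "GET /index.php?main_page=shopping_cart&zenid=abc123def456 HTTP/1.1" 200 5120 "https://shop.example/index.php?main_page=index" "Mozilla/5.0"
198.51.100.7 - - [12/Mar/2019:10:01:40 +0000] "GET /index.php?main_page=login&zenid=abc123def456 HTTP/1.1" 200 4096 "https://shop.example/index.php?main_page=shopping_cart&zenid=abc123def456" "Mozilla/5.0"
203.0.113.50 - - [12/Mar/2019:10:09:13 +0000] "GET /index.php?main_page=account&zenid=abc123def456 HTTP/1.1" 200 3900 "https://forum.example/viewtopic?t=9" "Mozilla/5.0"
192.0.2.33 - - [12/Mar/2019:10:11:00 +0000] "GET /index.php?main_page=index HTTP/1.1" 200 7000 "-" "Mozilla/5.0"
"""

# client IP, request target and Referer from one combined-format line
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(?:\S+) (\S+) [^"]*" \d{3} \S+ "([^"]*)"')

def zenid_of(url):
    """Return the zenid query value of a URL or path, or None if absent."""
    values = parse_qs(urlsplit(url).query).get("zenid")
    return values[0] if values else None

def audit(log_text, own_host):
    """Count requests carrying zenid in the URL, list ids seen from more than
    one client IP, and list zenid requests referred from another site."""
    clients = defaultdict(set)
    url_hits, foreign = 0, []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that are not in combined format
        ip, target, referer = m.groups()
        sid = zenid_of(target)
        if sid is None:
            continue  # session carried by cookie (or no session): nothing to flag
        url_hits += 1
        clients[sid].add(ip)
        ref_host = urlsplit(referer).hostname  # None for "-" (no Referer)
        if ref_host and ref_host != own_host:
            foreign.append((ip, ref_host))
    # Truncate ids in the report so the audit output does not itself leak sessions.
    shared = {sid[:4] + "...": sorted(ips) for sid, ips in clients.items() if len(ips) > 1}
    return {"url_hits": url_hits, "shared": shared, "foreign": foreign}

if __name__ == "__main__":
    print(audit(SAMPLE_LOG, "shop.example"))
```

A non-empty "shared" or "foreign" result on a real log is a prompt to review the Force Cookie Use setting discussed in this thread; customers behind changing IPs can also trigger "shared", so treat it as a lead rather than proof.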

  7. #7
    Join Date
    Jan 2004
    Posts
    66,373
    Blog Entries
    7
    Plugin Contributions
    274

    Re: Cookies

    Zen Cart uses only first-party cookies.
    Third-party cookies are those dropped by external services other than the website/domain that you're currently on. (ie: an embedded YouTube video might drop a youtube.com cookie if 3rd-party cookies are enabled)

    Sane users will allow first-party cookies, but disallow third-party cookies. This is the usual default for most browsers anyway.
    In this case customers SHOULD leave "cookies enabled", and also turn on the setting to "disallow 3rd-party cookies" for optimal experience, and amicable privacy protection, with most sites, including ZC stores.

    Zen Cart - putting the dream of business ownership within reach of anyone!
    Donate to: DrByte directly or to the Zen Cart team as a whole

    Remember: Any code suggestions you see here are merely suggestions. You assume full responsibility for your use of any such suggestions, including any impact ANY alterations you make to your site may have on your PCI compliance.
    Furthermore, any advice you see here about PCI matters is merely an opinion, and should not be relied upon as "official". Official PCI information should be obtained from the PCI Security Council directly or from one of their authorized Assessors.

 

 
