Message "Whoops! Your session has expired" after upgrading site

[slowturltle]

Upgraded from ZC version 1.3.9h to 1.5.5f and imported old database into a new one. PHP version 7.1.24. Site URL is http://fishid.com/zenstore5

Adding books to the cart, registering as a user, clicking forgot password or even using the contact us page results in "Whoops! Your session has expired".

I noticed that any action after the initial page adds an extra "/" after the domain name, could this be part of the problem?

[lat9]

That extra / is most likely coming from your definitions in /includes/configure.php. For your current setup (no SSL available), the top portion of that file should look like:

Code:

/**
 * Enter the domain for your store
 * HTTP_SERVER is your Main webserver: eg-http://www.yourdomain.com
 * HTTPS_SERVER is your Secure/SSL webserver: eg-https://www.yourdomain.com
 */
define('HTTP_SERVER', 'http://fishid.com');
define('HTTPS_SERVER', 'https://fishid.com');

/**
 *  If you want to tell Zen Cart to use your HTTPS URL on sensitive pages like login and checkout, set this to 'true'. Otherwise 'false'. (Keep the quotes)
 */
define('ENABLE_SSL', 'false');

/**
 * These DIR_WS_xxxx values refer to the name of any subdirectory in which your store is located.
 * These values get added to the HTTP_CATALOG_SERVER and HTTPS_CATALOG_SERVER values to form the complete URLs to your storefront.
 * They should always start and end with a slash ... ie: '/' or '/foldername/'
 */
define('DIR_WS_CATALOG', '/zenstore5/');
define('DIR_WS_HTTPS_CATALOG', '/zenstore5/');

[mc12345678]

As to the session issue in relation the upgrade, did you transfer your existing template and then incorporate the necessary template changes, did you use one of the default templates of the software or obtain one from somewhere else?

[slowturltle]

Thank you for helping-- lat9. This fixed my problem.

[lat9]

Thank you for helping-- lat9. This fixed my problem.

You're very welcome. Thanks for the report back!

[linuxguy2]

This may help some of you that are getting one of the dreaded Whoop's errors!

Out of the box install of ZC V1.5.6 or V1.5.6a "classic" template (may be relative to earlier versions too )
Did NOT experience this behavior with the "responsive_classic" template which leads me to believe this should be fixed in the "classic" code.
Also failed with PHP 5.6 thru 7.2 versions.

Was getting the "Whoops! Your session has expired" error but only when I clicked on the "Add Selected to Cart" button when in the "All Products , New Products or Featured Products" pages.
The regular "Products Pages" worked OK.
When logged in the message changed to "Whoops! Sorry, but you are not allowed to perform the action requested."
No error messages in the "Logs" folder!

My solution was to change the "config.php" to render in SSL

Code:

<?php
/**
 * @package Configuration Settings
 * @copyright Copyright 2003-2018 Zen Cart Development Team
 * @copyright Portions Copyright 2003 osCommerce
 * @license http://www.zen-cart.com/license/2_0.txt GNU Public License V2.0
 * File Built by Zen Cart Installer on Fri Jan 18 2019 16:09:28
 */

/*************** NOTE: This file is VERY similar to, but DIFFERENT from the "admin" version of configure.php. ***********/
/***************       The 2 files should be kept separate and not used to overwrite each other.              ***********/

/**
 * Enter the domain for your store
 * HTTP_SERVER is your Main webserver: eg-http://www.yourdomain.com
 * HTTPS_SERVER is your Secure/SSL webserver: eg-https://www.yourdomain.com
 */
WAS:
define('HTTP_SERVER', 'http://zzzzz.com');
CHANGED TO:
define('HTTP_SERVER', 'https://zzzzz.com');
define('HTTPS_SERVER', 'https://zzzzz.com');

/**
 *  If you want to tell Zen Cart to use your HTTPS URL on sensitive pages like login and checkout, set this to 'true'. Otherwise 'false'. (Keep the quotes)
 */
define('ENABLE_SSL', 'true');

I forget the version and/or plugin but at one time I had to change the HTTP:// to HTTPS:// in one of the php scripts which fixed a similar error.

[mc12345678]

This may help some of you that are getting one of the dreaded Whoop's errors!

Out of the box install of ZC V1.5.6 or V1.5.6a "classic" template (may be relative to earlier versions too )
Did NOT experience this behavior with the "responsive_classic" template which leads me to believe this should be fixed in the "classic" code.
Also failed with PHP 5.6 thru 7.2 versions.

Was getting the "Whoops! Your session has expired" error but only when I clicked on the "Add Selected to Cart" button when in the "All Products , New Products or Featured Products" pages.
The regular "Products Pages" worked OK.
When logged in the message changed to "Whoops! Sorry, but you are not allowed to perform the action requested."
No error messages in the "Logs" folder!

My solution was to change the "config.php" to render in SSL

Code:

<?php
/**
 * @package Configuration Settings
 * @copyright Copyright 2003-2018 Zen Cart Development Team
 * @copyright Portions Copyright 2003 osCommerce
 * @license http://www.zen-cart.com/license/2_0.txt GNU Public License V2.0
 * File Built by Zen Cart Installer on Fri Jan 18 2019 16:09:28
 */

/*************** NOTE: This file is VERY similar to, but DIFFERENT from the "admin" version of configure.php. ***********/
/***************       The 2 files should be kept separate and not used to overwrite each other.              ***********/

/**
 * Enter the domain for your store
 * HTTP_SERVER is your Main webserver: eg-http://www.yourdomain.com
 * HTTPS_SERVER is your Secure/SSL webserver: eg-https://www.yourdomain.com
 */
WAS:
define('HTTP_SERVER', 'http://zzzzz.com');
CHANGED TO:
define('HTTP_SERVER', 'https://zzzzz.com');
define('HTTPS_SERVER', 'https://zzzzz.com');

/**
 *  If you want to tell Zen Cart to use your HTTPS URL on sensitive pages like login and checkout, set this to 'true'. Otherwise 'false'. (Keep the quotes)
 */
define('ENABLE_SSL', 'true');

I forget the version and/or plugin but at one time I had to change the HTTP:// to HTTPS:// in one of the php scripts which fixed a similar error.

Do you also have an .htaccess file setup to force https as part of this?

[linuxguy2]

Do you also have an .htaccess file setup to force https as part of this?

No, but my hosting provider defaults to SSL (https://).

I put all my stores in a folder off of root with the default .htaccess files ZC installs.
i.e.
/public_html/156a/(ZC Files) /public_html/155f/(ZC Files)
so my store(s) URL's are zzzzz.com/156a or zzzzz.com/155f

So the .htaccess files are all the same for both the "responsive_classic"& "classic" templates.

Note that the responsive template works OK.

The contents of my /public_html folder has the following .htaccess entries which makes it the same for all stores. As you can see no https configuration there.

Options -Indexes

# php -- BEGIN cPanel-generated handler, do not edit
# NOTE this account's php is controlled via FPM and the vhost, this is a place holder.
# Do not edit. This next line is to support the cPanel php wrapper (php_cli).
# AddType application/x-httpd-ea-php71 .php .phtml
# php -- END cPanel-generated handler, do not edit

<Files 403.shtml>
order allow,deny
allow from all
</Files>
deny from 23.128.25.0/24
deny from 23.128.124.0/24
etc...

[mc12345678]

Same concept (host defaults to SSL). Site/visitors forced to all https; however, links within the site are directing to http until actually ready for checkout, which likely will cause session issues.

[pixelpadre]

Ugg....2021 and this is still a relevant thread.

I installed ZC today and everything went smoothly. Everything worked...until I decided to turn off https. Ok, you are wondering why? Well some of my customers come from countries that will not allow https transmissions for obvious reasons.

After changing ssl true to ssl false in both config files I am getting the dreaded whoops message. Oddly this happened when completing the contact us form. With both config files set to false, the whoops message came up on a page that was https://.........index.php?main_page=time_out

I know I am splitting hairs. But I thought someone might care about this. I can and will go back to full https at the risk of losing customers.