It seems that changes made to Chromium browsers have increased the number of session timeouts when completing a payment and being redirected back to the store to generate an order ID.
HTML Code:
Zen Cart 1.5.7
Database Patch Level: 1.5.7
v1.5.7 [2020-12-18 18:45:24] (Version Update 1.5.6->1.5.7)
v1.5.6c [2020-12-18 18:45:04] (Version Update 1.5.5->1.5.6c)
v1.5.5a [2016-08-17 00:53:15] (Version Update 1.5.4->1.5.5a)
v1.5.4 [2016-08-17 00:53:09] (Version Update 1.5.3->1.5.4)
v1.5.3 [2016-08-17 00:53:01] (Version Update 1.5.2->1.5.3)
v1.5.2 [2016-08-17 00:52:49] (Version Update 1.5.1->1.5.2)
v1.5.2 [2016-08-17 00:50:14] (Version Update 1.5.1->1.5.2)
v1.5.2 [2016-08-17 00:49:04] (Version Update 1.5.1->1.5.2)
v1.5.1 [2013-11-04 07:00:39] (New Installation)
v1.5.1 [2013-11-04 07:00:39] (New Installation)
I am using the Moneris hosted Pay Page, which does redirect the user back to the store when a payment is cleared. Unfortunately, I have not been able to pin it down to anything yet, and I read here and there that others are experiencing it, but I can't tell the scale of the problem.
The site does use and Force SSL on all pages.
My init_session file has
Code:
// Use the configured SameSite value, falling back to 'lax' when unset or invalid
$samesite = (defined('COOKIE_SAMESITE')) ? COOKIE_SAMESITE : 'lax';
if (!in_array($samesite, ['lax', 'strict', 'none'])) $samesite = 'lax';
if (PHP_VERSION_ID >= 70300) {
    // PHP 7.3+ accepts an options array that includes 'samesite'
    session_set_cookie_params([
        'lifetime' => 0,
        'path' => $path,
        'domain' => (zen_not_null($cookieDomain) ? $domainPrefix . $cookieDomain : ''),
        'secure' => $secureFlag,
        'httponly' => true,
        'samesite' => $samesite,
    ]);
} else {
    // Older PHP has no samesite option, so the attribute is appended to the path
    session_set_cookie_params(0, $path .'; samesite='.$samesite, (zen_not_null($cookieDomain) ? $domainPrefix . $cookieDomain : ''), $secureFlag, true);
}
And my HTTPD config has the following
Code:
Header set Set-Cookie HttpOnly;Secure;SameSite=None
#Header always edit Set-Cookie ^(.*)$ $1;HttpOnly;Secure;SameSite=None
Header always set Strict-Transport-Security "max-age=63072000; includeSubdomains;"
Header always set X-Frame-Options DENY
TraceEnable Off
Based on my testing (I don't have a Mac to test with), Microsoft Edge (the original) is the only one that worked for me.
I checked version 1.5.7C for any possible changes and there is nothing there that would address this issue of session timeout upon being redirected from payment gateway.
I am getting lots of heat for customers getting charged and not having an order ID, so, knowing I am running PHP 7.2, I changed init_session.php to this
Code:
if (PHP_VERSION_ID <= 70300) {
and that seems to work. Since I just made the change today, I can't tell in real life application whether it is successful or not.
I welcome feedback on the matter.
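A check that can be run against the store's Set-Cookie response headers, as an added example that is not part of the original post or of Zen Cart: it reports whether a cookie will accompany a cross-site POST back to the store. It assumes the gateway returns the shopper with a cross-site POST; the cookie name zenid and the sample header values are constructed.

```php
<?php
// Added example (not Zen Cart code). Assumption: the pay page returns the
// shopper to the store with a cross-site POST.

/** Parse one Set-Cookie header value into its name and lower-cased attributes. */
function parseSetCookie(string $value): array
{
    $parts = array_map('trim', explode(';', $value));
    $first = array_shift($parts);
    $eq = strpos($first, '=');
    $name = ($eq === false) ? null : substr($first, 0, $eq);
    $attrs = [];
    foreach ($parts as $part) {
        if ($part === '') continue;
        [$k, $v] = array_pad(explode('=', $part, 2), 2, true);
        $attrs[strtolower(trim($k))] = is_string($v) ? trim($v) : true;
    }
    return ['name' => $name, 'attrs' => $attrs];
}

/** List the reasons a cookie would be withheld on a cross-site POST (empty = none). */
function crossSiteReturnProblems(string $value): array
{
    $c = parseSetCookie($value);
    if ($c['name'] === null || $c['name'] === '') {
        return ['no name=value pair: this header does not set a usable cookie'];
    }
    $raw = $c['attrs']['samesite'] ?? '';
    $sameSite = is_string($raw) ? strtolower($raw) : '';
    if ($sameSite === '') {
        // Chromium only exempts such cookies on POST for about two minutes after they are set
        return ['no SameSite attribute: Chromium treats the cookie as Lax'];
    }
    if ($sameSite !== 'none') {
        return ["SameSite=$sameSite: not sent on a cross-site POST"];
    }
    return isset($c['attrs']['secure']) ? [] : ['SameSite=None without Secure: rejected by Chromium'];
}

// Constructed sample header values; the last is the literal value from the Header set line above.
$samples = [
    'zenid=abc123; path=/; secure; HttpOnly; SameSite=Lax',
    'zenid=abc123; path=/; samesite=none; secure; HttpOnly',
    'zenid=abc123; path=/; HttpOnly; SameSite=None',
    'HttpOnly;Secure;SameSite=None',
];
foreach ($samples as $s) {
    $p = crossSiteReturnProblems($s);
    echo $s, "\n  => ", $p ? implode('; ', $p) : 'OK for cross-site return', "\n";
}
```

The second sample has the shape produced by the pre-7.3 branch, where the attribute rides along in the path argument.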