  1. #11
    Join Date
    Sep 2009
    Location
    Stuart, FL
    Posts
    12,472
    Plugin Contributions
    88

    Default Re: Session expired after some payments instead of checkout_success

    Quote Originally Posted by kalm View Post
    Now tried the second code, but it got worse. It started to log me out of my account every time after payment.
    Before I couldn't catch this in Safari, but with second code same problem started on Safari too - logged out after every payment.
    Changed back to first variant - works on Safari again. At least did not log me out after several attempts.
    Try using the second variant, but also create a file named /includes/extra_datafiles/set_samesite_cookie.php containing:

    PHP Code:
    <?php
    define('COOKIE_SAMESITE', 'none');
    That will enable you to use the updated version (which will be applied on a zc157a upgrade) and keep the Samesite=None setting.

  2. #12
    Join Date
    Aug 2020
    Location
    Finland
    Posts
    12
    Plugin Contributions
    0

    Default Re: Session expired after some payments instead of checkout_success

    Thank you, Cindy!
    It seems to have started to work.
    At least my 10 attempts did not catch the problem. Also on Developer Tool Console I do not see blocked cookies any more when I come back to store after payment.
    I need to test for a few days before I can say for sure the problem is solved.
    I will come back with an update.

  3. #13
    Join Date
    Oct 2013
    Location
    Canada
    Posts
    29
    Plugin Contributions
    0

    Default Re: Session expired after some payments instead of checkout_success

    Thanks Cindy, second variant of that code with the extra file worked for me too.

  4. #14
    Join Date
    Aug 2020
    Location
    Finland
    Posts
    12
    Plugin Contributions
    0

    Default Re: Session expired after some payments instead of checkout_success

    Hi!

    I was testing the change for a few days. Not many real orders were paid via Bambora I have problem with. First 9 orders were placed with no problem, but today I got one order with time_out page.
    This is customer's session before payment:

    [Attached image: Screenshot 2020-09-02 at 15.03.29.jpg]

    I am not sure what browser he was using.

    I was trying to recreate the problem myself in Chrome. Before the update Cindy offered, I could easily get time_out page just pushing Confirm Order Button, going to Bambora's payment page and cancel payment. But now I couldn't, even trying over 30 times. Same with Safari.

    But here he is, the customer with real order, who gets the time_out page again

  5. #15
    Join Date
    Jul 2012
    Posts
    16,732
    Plugin Contributions
    17

    Default Re: Session expired after some payments instead of checkout_success

    Quote Originally Posted by kalm View Post
    Hi!

    I was testing the change for a few days. Not many real orders were paid via Bambora I have problem with. First 9 orders were placed with no problem, but today I got one order with time_out page.
    This is customer's session before payment:

    [Attached image: Screenshot 2020-09-02 at 15.03.29.jpg]

    I am not sure what browser he was using.

    I was trying to recreate the problem myself in Chrome. Before the update Cindy offered, I could easily get time_out page just pushing Confirm Order Button, going to Bambora's payment page and cancel payment. But now I couldn't, even trying over 30 times. Same with Safari.

    But here he is, the customer with real order, who gets the time_out page again
    When looking over the sequence of events/visits by that visitor, what time differences are involved? Even if the above corrections fixed the base problem, if the session expires along the checkout process then a time_out will be presented. Yes, it has an unfortunate effect on the sale and record keeping if the initial transaction can not be tied back to what is likely a completed financial transaction.
    ZC Installation/Maintenance Support <- Site
    Contribution for contributions welcome...

  6. #16
    Join Date
    Aug 2020
    Location
    Finland
    Posts
    12
    Plugin Contributions
    0

    Default Re: Session expired after some payments instead of checkout_success

    I was watching this particular customer placing an order on Who's online page. It was not many seconds from the moment he pushed Confirm Order button and after the payment appeared back to store with time_out and new session id number. So in this case problem is not that the session just expired.

    Just wondering, if now the problem is not Samesite cookies anymore (it can't be as the code 100% fixed it, right?), what else it can be?

    As plugin itself, I contacted Bambora and informed them about my problem. If it is a plugin issue...

  7. #17
    Join Date
    Aug 2020
    Location
    Finland
    Posts
    12
    Plugin Contributions
    0

    Default Re: Session expired after some payments instead of checkout_success

    Unfortunately, I am still getting time_outs from time to time. Problem is not 100% fixed.

  8. #18
    Join Date
    Jul 2004
    Posts
    167
    Plugin Contributions
    0

    Default Re: Session expired after some payments instead of checkout_success

    Quote Originally Posted by kalm View Post
    Unfortunately, I am still getting time_outs from time to time. Problem is not 100% fixed.
    Did you ever resolve this?

  9. #19
    Join Date
    Oct 2013
    Location
    MTL
    Posts
    66
    Plugin Contributions
    2

    Default Re: Session expired after some payments instead of checkout_success

    It seems that changes made to Chromium browsers have increased the number of session timeouts when completing a payment and being redirected back to the store to generate an order ID.

    HTML Code:
    Zen Cart 1.5.7
    Database Patch Level: 1.5.7
    v1.5.7   [2020-12-18 18:45:24]   (Version Update 1.5.6->1.5.7)
    v1.5.6c   [2020-12-18 18:45:04]   (Version Update 1.5.5->1.5.6c)
    v1.5.5a   [2016-08-17 00:53:15]   (Version Update 1.5.4->1.5.5a)
    v1.5.4   [2016-08-17 00:53:09]   (Version Update 1.5.3->1.5.4)
    v1.5.3   [2016-08-17 00:53:01]   (Version Update 1.5.2->1.5.3)
    v1.5.2   [2016-08-17 00:52:49]   (Version Update 1.5.1->1.5.2)
    v1.5.2   [2016-08-17 00:50:14]   (Version Update 1.5.1->1.5.2)
    v1.5.2   [2016-08-17 00:49:04]   (Version Update 1.5.1->1.5.2)
    v1.5.1   [2013-11-04 07:00:39]   (New Installation)
    v1.5.1   [2013-11-04 07:00:39]   (New Installation)
    I am using Moneris hosted Pay Page which does redirect the user back to the store when a payment is cleared. Unfortunately, I have not been able to pin it down to anything yet and I read here and there that others are experiencing it but can't tell the scale of the problem.

    The site does use and Force SSL on all pages.

    my init_session file has
    Code:
    $samesite = (defined('COOKIE_SAMESITE')) ? COOKIE_SAMESITE : 'lax';
    if (!in_array($samesite, ['lax', 'strict', 'none'])) $samesite = 'lax';
    
    
    if (PHP_VERSION_ID >= 70300) {
      session_set_cookie_params([
        'lifetime' => 0,
        'path' => $path,
        'domain' => (zen_not_null($cookieDomain) ? $domainPrefix . $cookieDomain : ''),
        'secure' => $secureFlag,
        'httponly' => true,
        'samesite' => $samesite,
      ]);
    } else {
      session_set_cookie_params(0, $path .'; samesite='.$samesite, (zen_not_null($cookieDomain) ? $domainPrefix . $cookieDomain : ''), $secureFlag, true);
    }
    and my HTTPD config has the following
    Code:
    Header set Set-Cookie HttpOnly;Secure;SameSite=None
    #Header always edit Set-Cookie ^(.*)$ $1;HttpOnly;Secure;SameSite=None
    Header always set Strict-Transport-Security "max-age=63072000; includeSubdomains;"
    Header always set X-Frame-Options DENY
    TraceEnable Off
    Based on my testing (I don't have a mac to test with), Microsoft Edge the original is the only one that worked for me.

    I checked version 1.5.7C for any possible changes and there is nothing there that would address this issue of session timeout upon being redirected from payment gateway.

    So I decide I am getting lots of heat getting customer charged and not having an order ID. knowing I am running PHP 7.2, I changed init_session.php to this
    Code:
    if (PHP_VERSION_ID <= 70300) {
    and that seems to work. Since I just made the change today, I can't tell in real life application whether it is successful or not.

    I welcome feedback on the matter.

  10. #20
    Join Date
    Jan 2004
    Posts
    66,373
    Blog Entries
    7
    Plugin Contributions
    274

    Default Re: Session expired after some payments instead of checkout_success

    You can probably resolve it with this instead:

    Create a file named /includes/extra_configures/samesite_cookie.php containing the following:


    Code:
    <?php
    // -----
    // Samesite cookie needs to be 'none' when doing offsite payment gateway redirects
    //
    define('COOKIE_SAMESITE', 'none');

    Zen Cart - putting the dream of business ownership within reach of anyone!
    Donate to: DrByte directly or to the Zen Cart team as a whole

    Remember: Any code suggestions you see here are merely suggestions. You assume full responsibility for your use of any such suggestions, including any impact ANY alterations you make to your site may have on your PCI compliance.
    Furthermore, any advice you see here about PCI matters is merely an opinion, and should not be relied upon as "official". Official PCI information should be obtained from the PCI Security Council directly or from one of their authorized Assessors.
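
A check for what the thread is confirming by hand in the browser console: which attributes the session cookie actually leaves the server with after PHP and the web server have both had their say. This is an added example, not code from any of the posts or from Zen Cart; the cookie name `zenid` and all sample header values are assumptions constructed for illustration.

```python
# Added example: audit Set-Cookie values for a store that relies on an
# offsite payment redirect. "zenid" as the session cookie name is an assumption.
KNOWN_ATTRS = {"expires", "max-age", "domain", "path", "secure", "httponly", "samesite"}

def parse_set_cookie(value):
    """Return (cookie_name or None, {attr_name: [values]}) for one Set-Cookie value."""
    parts = [p.strip() for p in value.split(";") if p.strip()]
    name = None
    if parts and "=" in parts[0]:
        candidate = parts[0].split("=", 1)[0].strip()
        if candidate.lower() not in KNOWN_ATTRS:
            name, parts = candidate, parts[1:]
    attrs = {}
    for part in parts:
        key, _, val = part.partition("=")
        attrs.setdefault(key.strip().lower(), []).append(val.strip())
    return name, attrs

def audit(header_values, session_cookie="zenid"):
    """Return a list of findings; an empty list means the session cookie looks usable."""
    findings, seen = [], False
    for raw in header_values:
        name, attrs = parse_set_cookie(raw)
        if name is None:
            # Attributes with no cookie in front of them, e.g. a header that was
            # set by the web server instead of appended to.
            findings.append("attributes without a cookie: " + raw)
            continue
        if name != session_cookie:
            continue
        seen = True
        samesite = {v.lower() for v in attrs.get("samesite", [])}
        if len(samesite) > 1:
            findings.append("conflicting SameSite values: " + ", ".join(sorted(samesite)))
        elif samesite != {"none"}:
            findings.append("session cookie is not SameSite=None")
        elif "secure" not in attrs:
            findings.append("SameSite=None without Secure")
    if not seen:
        findings.append("no Set-Cookie for " + session_cookie)
    return findings

# Constructed sample responses (not captured from any real store).
GOOD = ["zenid=abc123; path=/; secure; HttpOnly; SameSite=None"]
LEGACY_HACK = ["zenid=abc123; path=/; samesite=none; secure; HttpOnly"]
LAX_DEFAULT = ["zenid=abc123; path=/; secure; HttpOnly; SameSite=lax"]
CLOBBERED = ["HttpOnly;Secure;SameSite=None"]
DOUBLED = ["zenid=abc123; path=/; secure; SameSite=lax;HttpOnly;Secure;SameSite=None"]
```

Feed `audit()` the Set-Cookie values copied from the response that starts the checkout session; a finding about conflicting values or attributes without a cookie points at the web server layer rather than at the PHP session setup.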

 

 