payer auth verifier causes session timeout error

[terraGirl]

Watching this thread, I'm seeing the same error messages in my log since upgrading to 1.5.7 yesterday. No customer complaints yet, but it's only been live for a few hours.

Code:

[15-Sep-2020 07:46:06 UTC] Request URI: /index.php?main_page=payer_auth_verifier, IP address: XXX
#1  session_id() called at [/home/USER/public_html/includes/modules/pages/payer_auth_verifier/header_php.php:55]
#2  require(/home/USER/public_html/includes/modules/pages/payer_auth_verifier/header_php.php) called at [/home/USER/public_html/index.php:35]
--> PHP Warning: session_id(): Cannot change session id when session is active in /home/USER/public_html/includes/modules/pages/payer_auth_verifier/header_php.php on line 55.

with kind regards, Edith Allison

[Calljj]

so my issue is the same but different.
2 different sites on php7, version 1.5.6
2 different direct payment gateways used for card payments
if the 3d secure iframe pages are presented then after correct details have been entered, goes straight to the "whoops your session has expired" page with the option to logon again.
no payment is taken, no order is produced. and in most cases customer is lost.
Applying the updates by Dr Byte ealier in this thread to the two init_sessions.php files actually apears to make it worse for our examples as it bails out at the point of the 3d secure page opening.
Definately seems to be chrome browser triggering this issue the most at the moment.

[Calljj]

managed to get payments to work on chrome by changing the init_sessions.php file, as found seems to be a gap between php 5.6 ish to 7.3.
quick workaround for me was to change dr bytes file to :

Code:

 $httponly = true; // prevent JavaScript access to session cookie
    $samesite = 'none';

 if(PHP_VERSION_ID < 70300) {
        session_set_cookie_params(0, $path,'; samesite='.$samesite, (zen_not_null($cookieDomain) ? $domainPrefix . $cookieDomain : ''), $secureFlag, $httponly);
    } else {
        session_set_cookie_params([
            'lifetime' => 0,
            'path' => $path,
    'domain' => (zen_not_null($cookieDomain) ? $domainPrefix . $cookieDomain : ''),
    'secure' => $secureFlag,
    'httponly' => true,
    'samesite' => $samesite,
        ]);
    }

[DigitalShadow]

if the 3d secure iframe pages are presented then after correct details have been entered, goes straight to the "whoops your session has expired" page with the option to logon again.
no payment is taken, no order is produced. and in most cases customer is lost.

That was my original problem.

Even with the changes made to init_sessions the problem would still sometimes appear.

I also made a change to includes/functions/sessions.php

I increased this value from

Code:

@ini_set('session.gc_divisor', 2);

to

Code:

@ini_set('session.gc_divisor', 100);

That appears to have helped as well, I have had 0 problems since making that change.

[terraGirl]

This is now a major issue

Upgraded to Zen Cart 1.5.7 and PHP 7.3 two days ago. No problems before with PayPal, now issues with clients being unable to pay.

Location: UK
Payment modules: PayPal Express & PayPal Website Standard
Error appears to be at 3D secure page

Customer #1 (Chrome browser)

Hi there, I'm struggling placing an order. I though I had placed it a couple of days ago, so logged in to check it was on its way but I can't see the order in my history and when I logged in the items were still in my basket. So, I placed the order again, but during checkout just after it goes off to verify the bank payment the screens says "Processing your order, please wait....... Then under that We are sorry but your login session has expired...... So I tried to place again (3 times) but the same each time.

Customer #2 (unknown browser)

Thanks for this, but as I have tried 4 times to order this product and been timed out twice at the payment stage, I think I will be purchasing what I need from someone with a working website!!

The fix suggested by DrByte to apply the code from ZC1.5.8 to init_sessions.php did not help.

The shop before was running on Zen Cart 1.5.5a with PHP 5.6 and no issues at all. Problems started after upgrade to Zen Cart 1.5.7 & PHP 7.3.

[terraGirl]

I can replicate this error with the following:

Location: UK
Website Payment Pro
Card details are entered on checkout page
continues to 3D Secure
message appears that my bank has approved 3D Secure
Then instead of continuing, error appears, see screenshot.
order has failed, no payment, no order in admin

The fix suggested by DigitalShadow to amend @ini_set('session.gc_divisor', 100); did not work for me.

So current status = nobody in the UK can pay by card
Paying by PayPal account when logged into PP works.

The error message is displayed within the iframe

Code:

<iframe name="auth_frame" id="authFrame" class="authFrame" src="https://www.SITE/index.php?main_page=payer_auth_auth" frameborder="0" width="500" height="500" scrolling="no" style="align: center;"></iframe>

[lat9]

@terraGirl, have you applied the samesite-cookie patch? When a payment method includes an iframe, you'll need to override the base (in init_sessions.php) setting from lax to none.

[terraGirl]

@terraGirl, have you applied the samesite-cookie patch? When a payment method includes an iframe, you'll need to override the base (in init_sessions.php) setting from lax to none.

Thank you for your reply! Do you mean the change suggested by DrByte here https://github.com/zencart/zencart/pull/3802/files? I've applied these changes, but it does not fix the error for me. I can also confirm that the site is running on HTTPS and the config file has HTTPS for both server settings.

And just to confirm the error, is with "PayPal Website Payments Pro (UK)", I've now had to disable this module to stop further customer frustration until a fix is available.

[terraGirl]

Payment modules: PayPal Express & PayPal Website Standard

Apologies for incorrect information. The error occurs (at least with my tests) only with "PayPal Website Payments Pro (UK)". The PayPal Express is working fine; and PayPal Website Standard is disabled (would conflict with Express).

[lat9]

Thank you for your reply! Do you mean the change suggested by DrByte here https://github.com/zencart/zencart/pull/3802/files? I've applied these changes, but it does not fix the error for me. I can also confirm that the site is running on HTTPS and the config file has HTTPS for both server settings.

And just to confirm the error, is with "PayPal Website Payments Pro (UK)", I've now had to disable this module to stop further customer frustration until a fix is available.

Create a file named /includes/extra_configures/samesite_cookie.php containing

Code:

<?php
// -----
// Samesite cookie needs to be none since the payment method uses iframes.
//
define('COOKIE_SAMESITE', 'none');