  1. #1
    Join Date
    Jan 2015
    Location
    Pensacola Florida
    Posts
    75
    Plugin Contributions
    0

    1.5.7a Session timeouts missing file?

    A week or so back, to help fix a session timeout issue, a /includes/extra_configs/samesite_cookie.php file was created. When I did the upgrade to 1.5.7a this file was not included, so I removed it from the site.

    I am running Zen-Cart 1.5.7a (just upgraded from 1.5.7) on an Ubuntu 18.04 Linux server with 7.4.12 php and MySQL 5.7.32-0ubuntu0.18.04.1. Plugins: Abandon Carts, Site Map and Google Feed. No debug logs generated.

    Credit Card payments use the Epath module (the current one now in the download area dated 7/3/20)

    Error can be duplicated on test site: www.alt.shirtcrazy.com with the file present and Chrome failing. If it needs to be removed let me know and I will pull it so you can test the other set of circumstances. I do not have a second site upgraded yet to make both available.

    With this file removed to match the file list of 1.5.7a you get Whoops Session Timeouts when using a credit card. I made multiple tests on IE, Firefox and Chrome; all fail. Also, the Chrome sign-in will not allow you to log in and try again.

    With the file present, IE and Firefox work and I got no errors in testing.

    Chrome gives a Whoops timeout message every time you try to sign in. I tried from the whoops screen and using the login button and if you try to order an item you get the Whoops screen as soon as you click Add to Cart. Then I tried on a completely different machine and it also gave the whoops screen as soon as I tried to log in.

    I do not know if code was changed elsewhere that led to the deletion of the samesite_cookie file or if it was accidentally left out but causes a failure on Chrome when installed. Either way, neither configuration works 100%.

    Any help in resolving this would be much appreciated.

  2. #2
    Join Date
    Jan 2004
    Posts
    66,373
    Blog Entries
    7
    Plugin Contributions
    274

    Re: 1.5.7a Session timeouts missing file?

    If you created the file to override the default then yes you'll need to keep that file in place for as long as you use the external service that requires you to have the override in place.

    Zen Cart - putting the dream of business ownership within reach of anyone!
    Donate to: DrByte directly or to the Zen Cart team as a whole

    Remember: Any code suggestions you see here are merely suggestions. You assume full responsibility for your use of any such suggestions, including any impact ANY alterations you make to your site may have on your PCI compliance.
    Furthermore, any advice you see here about PCI matters is merely an opinion, and should not be relied upon as "official". Official PCI information should be obtained from the PCI Security Council directly or from one of their authorized Assessors.

  3. #3
    Join Date
    Jan 2015
    Location
    Pensacola Florida
    Posts
    75
    Plugin Contributions
    0

    Re: 1.5.7a Session timeouts missing file?

    No, I am sorry, I guess I did not make myself clear enough.

    I am running a straight 1.5.7a no overrides/mods and I use epath for credit cards.

    When I was trying to solve problems with session timeouts I followed this information, "Re: ePath Payment received but no orders", at this link: https://www.zen-cart.com/showthread....-but-no-orders
    It modifies 2 files https://github.com/zencart/zencart/pull/3972/files and suggests the samesite_cookie.php but I could never get the patch to work so I pulled it. Then the 1.5.7a came out and one of the items in What's New was "Set Samesite cookie Parameter", so I was hoping this would solve the problem.

    When I upgraded to 1.5.7a I found the problem I reported using epath. I remembered this comment on the post above: "It's also possible that 'lax' mode may still be too restrictive, and thus you may need to override it to 'none' using this: Create a file named /includes/extra_configures/samesite_cookie.php containing." Since the change to 1.5.7a for the Same Site cookie was not working I tried adding the file to see if there was any change and got the results I reported.

    The problem is that customers paying with credit cards on sites using epath cannot complete their payments. With straight 1.5.7a IE, Firefox and Chrome all fail with session timeouts. Also, the Chrome sign-in will not allow you to log in and try again.

    The file was just a thought to see if maybe it would solve the problem, and it does for IE and Firefox, but it will not work with Chrome. It is not something I have added to my sites; none of the other code changes in that post were made. I am using the 1.5.7a pages from the download.

  4. #4
    Join Date
    Jan 2004
    Posts
    66,373
    Blog Entries
    7
    Plugin Contributions
    274

    Re: 1.5.7a Session timeouts missing file?

    My point was: if your payment module (epath in this case) requires sessions to be passed back and forth (as epath does), then the extra_definitions file you created in order to override Zen Cart's default of 'lax' to use 'none' instead, will still be necessary, because of your payment module's needs. If you eventually switch to a different module that doesn't redirect away from your site for payment and then back again, then you can probably remove that 'none' override.
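Added example (not part of any post in this thread, and not Zen Cart or ePath code): a small JavaScript model of the browser rule discussed in post #4, showing which SameSite settings let a session cookie come back with the customer when a payment gateway returns them to the shop. The cookie name `sid` and the header strings are constructed samples; the model leaves out Chrome's short-lived allowance for POSTs carrying cookies that have no SameSite attribute.

```javascript
// Model of browser SameSite handling for a cross-site return from a payment
// gateway. Header strings are constructed samples; `sid` is a made-up name.

// Extract the attributes that decide cross-site behaviour from a Set-Cookie value.
function parseSetCookie(header) {
  const [pair, ...attrs] = header.split(';').map((s) => s.trim());
  const cookie = { name: pair.split('=')[0], secure: false, sameSite: null };
  for (const attr of attrs) {
    const [key, value = ''] = attr.split('=').map((s) => s.trim().toLowerCase());
    if (key === 'secure') cookie.secure = true;
    if (key === 'samesite') cookie.sameSite = value;
  }
  return cookie;
}

// method: HTTP method the gateway uses for the return request.
// topLevel: true for a full-page navigation, false for an iframe/background call.
function sentOnCrossSiteReturn(header, { method, topLevel }) {
  const c = parseSetCookie(header);
  if (c.sameSite === 'strict') {
    return { sent: false, reason: 'Strict: never sent on cross-site requests' };
  }
  if (c.sameSite === 'none') {
    // Browsers enforcing the current rules reject None unless Secure is set,
    // so the cookie is never stored and the session appears to be lost.
    return c.secure
      ? { sent: true, reason: 'None + Secure: sent on every cross-site request' }
      : { sent: false, reason: 'None without Secure: cookie rejected when set' };
  }
  // Explicit Lax, or (in browsers that default to Lax) a missing/unknown value.
  const safe = ['GET', 'HEAD'].includes(method.toUpperCase());
  return topLevel && safe
    ? { sent: true, reason: 'Lax: sent on top-level GET navigation' }
    : { sent: false, reason: 'Lax: withheld on cross-site POST or subrequest' };
}

// Evaluate several candidate headers against one return scenario.
function diagnose(headers, scenario) {
  return headers.map((h) => ({ header: h, ...sentOnCrossSiteReturn(h, scenario) }));
}

const samples = [
  'sid=abc123; Path=/; HttpOnly; Secure; SameSite=Lax',
  'sid=abc123; Path=/; HttpOnly; SameSite=None',
  'sid=abc123; Path=/; HttpOnly; Secure; SameSite=None',
];
console.table(diagnose(samples, { method: 'POST', topLevel: true }));
```

With `SameSite=None` the cookie is also attached to cross-site requests the shop did not initiate, so the shop's own CSRF token checks carry that protection alone.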

  5. #5
    Join Date
    Jan 2015
    Location
    Pensacola Florida
    Posts
    75
    Plugin Contributions
    0

    Re: 1.5.7a Session timeouts missing file?

    Thank you very much for the clarification, I understand better. The service Epath provides fits our needs much better than most other options so I would prefer to not change it.

    That still leaves the problem that Chrome does not work with the file present, and Chrome is on many cell phones and has the highest usage according to the stats.

    So presently if I go to 1.5.7a and use the file, IE and Firefox will work but Chrome will not; without the file, IE and Firefox are broken but Chrome works. Sorry this was unclear in the original post.

    So basically it forces choosing which browsers will work.

    Do you have any suggestions to resolve that problem?

  6. #6
    Join Date
    Oct 2013
    Location
    Canada
    Posts
    29
    Plugin Contributions
    0

    Re: 1.5.7a Session timeouts missing file?

    I am in the process of upgrading to zc1.5.7b with PHP7.4 and although the init_sessions.php file has been updated from zc1.5.7a onwards I still needed to use the samesite_cookie.php file in includes/extradatafiles to get epath to work in all browsers.

  7. #7
    Join Date
    Oct 2013
    Location
    Canada
    Posts
    29
    Plugin Contributions
    0

    Re: 1.5.7a Session timeouts missing file?

    Also forgot to mention to make sure your cache folder permission is set to 775 or 777.

  8. #8
    Join Date
    Jan 2004
    Posts
    66,373
    Blog Entries
    7
    Plugin Contributions
    274

    Re: 1.5.7a Session timeouts missing file?

    Originally posted by robertluer:
    "I still needed to use the samesite_cookie.php file in includes/extradatafiles to get epath to work in all browsers."
    Yes. If your epath module requires setting it to 'none' then you need to define that for your site.