[user error] Cannot login from link when recreate session is set to true

[MAC13]

Hello.

When customer is not logged on and clicks on the link provided in email - e.g. link to order details - he is asked to login to the shop. In case you have turned on the option to recreate the session id on login the client cannot logon and without any error message is asked again to login.

I've checked the server logs on this and found that after processing the logon information customer's browser is redirected to the order details page when again is checked if he is logged in and once again redirected to login page.

I have seen this problem described here before but the only solution I've found was to turn off the option to recreate the session id. If I missed something please share a link.

I think the problem is in the zen_session_recreate function. The code of this function is somehow mystic to me and looks like someone was doing some changes in here and never finished them .

We are currently using the 1.3.7 version of ZC on PHP 4.4.1.

Regards
Maurice

[MAC13]

As an addition here is the comparison of zen_recreate_session function code in different ZC vesrions.

v1.2.2 - short and simple?:

Code:

  function zen_session_recreate() {
    if (PHP_VERSION >= 4.1) {
      $session_backup = $_SESSION;

      unset($_COOKIE[zen_session_name()]);

      zen_session_destroy();

      if (STORE_SESSIONS == 'db') {
        session_set_save_handler('_sess_open', '_sess_close', '_sess_read', '_sess_write', '_sess_destroy', '_sess_gc');
      }

      zen_session_start();

      $_SESSION = $session_backup;
      unset($session_backup);
    }
  }

v1.3.8a - removed the remed code out:

Code:

  function zen_session_recreate() {
    global $http_domain, $https_domain, $current_domain;
      if ($http_domain == $https_domain) {
      $saveSession = $_SESSION;
      $oldSessID = session_id();
      session_regenerate_id();
      $newSessID = session_id();
      session_id($oldSessID);
      session_id($newSessID);
      if (STORE_SESSIONS == 'db') {
        session_set_save_handler('_sess_open', '_sess_close', '_sess_read', '_sess_write', '_sess_destroy', '_sess_gc');
      }
      session_start();
      $_SESSION = $saveSession;
      if (IS_ADMIN_FLAG !== true) {
        whos_online_session_recreate($oldSessID, $newSessID);
      }
    }
  }

Also there was a proposition from CJPinder to modify the code into - even simplier:

Code:

  function zen_session_recreate() {
    global $http_domain, $https_domain, $current_domain;
      if ($http_domain == $https_domain) {
      $oldSessID = session_id();
      session_regenerate_id();
      $newSessID = session_id();
      whos_online_session_recreate($oldSessID, $newSessID);
    }
  }

I am gonna test the CJPinder solution probably in next 24 hours.

Maurice

[DrByte]

Who are you hosted with?

[MAC13]

We are using hosting service from a small company (Poland) mostly because we have very good relations with them (we can ask almost anything to be done).

Our shop is on server configured with other virtual hosts.

We also using SSL certificate for our shop, but it's not shared certificate.

I really think it's the code problem. We were using previously version 1.2.2 of ZC and we didn't had such problems. After upgrade when client said that they cannot logon we were asking them what the error message says and when they said that there is none we were confused. Then one of our workers clicked on link in email of some old test order to view its details and could not logon.

I found here also another similar thread saying that in the code that creates the link and redirects them a session id is attached with probably the old value.

Ah... one more: we are using the Ultimate SEO URLs, probably in version 2.105.

Maurice

[DrByte]

I found here also another similar thread saying that in the code that creates the link and redirects them a session id is attached with probably the old value.

Ah... one more: we are using the Ultimate SEO URLs, probably in version 2.105.

And ... did you try turning OFF the Ultimate SEO mod and testing?

[MAC13]

OK, it took some time but we have made some tests. We turned off some modules, including Ultimate SEO and the conclusion is...

1. Turning OFF the Ultimate SEO module helped, and recreate session worked properly.
2. We turned it back ON and made some more testing and it looks like the problem is only on IE (6.0) not on Firefox (2.x and 3 RC1). On FF it works properly...

We will make some more test, mostly to make sure that we are able to replicate the situation on other computers with different configurations and different browsers, but maybe, just maybe it's another IE bug...

When we will have more info I will give a note here.

BTW: After using the CJPinder code for session recreate function everything works correctly both on IE and FF with SEO turned ON. Interesting...

Regards
Maurice

[realforever]

Hello Maurice,

Are you using CJPinder code on 1.3.7 or 1.3.8 a?

I'm using 1.3.8 a and followed the instruction and still couldn't login. I don't even have the ultimate seourl installed.


Thanks.

[gid]

I have had the same issue for some time now. As long as a user clicks any other link on our site first they can log in.

I am using the Ultimate SEO mod on 1.3.5 as well as recreate session. I'm going to check out the CJPinder code.

[gid]

Well I tried out that code and I was still not able to login. I wonder if it would just be better for me to hide the login button until after the session is created?

[gj91]

I am having this same login issue but I have a new zencart install so the changes are there. when I disable recreate session the login works correctly.

I do have seo url installed. I have a valid dedicated cert. When I disable ssl, loging works fine too.

Any help would be great. I would like to turn on recreate session but I'm not sure what that really means.

zencart is 1.3.8a
php is 5.2.5