This is not a Zen Cart bug; it is an issue with hosting that uses cPanel (and probably WHM).

Suhosin alters sessions transparently. This is not a Zen Cart bug, but it can cause the failure of external payment gateways that need to establish contact with Zen Cart, such as the Linkpoint API. It has also been blamed for distorting the "Who's Online" feature.

When the PHP hardening module Suhosin is installed, Zen Cart behaves as if the following session settings were set, unless the module is disabled:

Check SSL Session ID True
Check User Agent True
Check IP Address True

Diagnosis

The installation of Suhosin can (sometimes) be checked with a phpinfo() page.

In the sessions table of the Zen Cart database, sessions appear encrypted, rather like a base64_encoded variable.

Examples

A normal session in the database (truncated):

Code:
securityToken|s:32:"8860ef8eae36f1bdd97a3f548fbad59a";customers_host_address|s:12:"92.22.17.169";

A Suhosin session (truncated):

Code:
c2VjdXJpdHlUb2tlbnxzOjMyOiI4ODYwZWY4ZWFlMzZmMWJkZDk3YTNmNTQ4ZmJhZDU5YSI7Y3VzdG9tZXJzX2hvc3RfYWRkcmVzc3xzOjEyOiI5Mi4yMi4xNy4xNjkiOw==

Workaround: disabling Suhosin session encryption

If Server API in phpinfo() shows that PHP is running as "CGI", place a php.ini file in the store's document root containing:

Code:
suhosin.session.encrypt = Off

and then add the following lines to .htaccess:

Code:
<files php.ini>
Deny from all
</files>

If Server API in phpinfo() shows that PHP is running as "Apache 2.0 Handler", add the following line to a .htaccess file in the store's document root:

Code:
php_value suhosin.session.encrypt Off
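
The diagnosis and the choice between the two workarounds above can be combined in one script. This is an added example, not Zen Cart or Suhosin code; the function names `looks_like_plain_session` and `workaround_for` are hypothetical, and the sample values are shortened copies of the two session strings shown above.

```php
<?php
// Added diagnostic sketch, not Zen Cart code. Request it through the web
// server (the CLI uses a different SAPI and ini files); remove it afterwards.

// True when a sessions-table value is in PHP's plain "name|serialized" form.
function looks_like_plain_session($value)
{
    return preg_match('/^[^|]+\|(?:[sibdaOC]:|N;)/', $value) === 1;
}

// Maps php_sapi_name() onto the two cases the page distinguishes.
function workaround_for($sapi)
{
    if (strpos($sapi, 'cgi') === 0) {
        return 'php.ini in the document root (PHP runs as CGI)';
    }
    if ($sapi === 'apache2handler') {
        return '.htaccess php_value line (Apache 2.0 Handler)';
    }
    return 'not covered by the page for SAPI "' . $sapi . '"';
}

$loaded  = extension_loaded('suhosin');
$encrypt = ini_get('suhosin.session.encrypt'); // false if not registered
$enabled = $encrypt !== false
    && in_array(strtolower($encrypt), array('1', 'on', 'yes', 'true'), true);

// Shortened copies of the two session values shown on the page.
$samples = array(
    'normal'  => 'securityToken|s:32:"8860ef8eae36f1bdd97a3f548fbad59a";',
    'suhosin' => 'c2VjdXJpdHlUb2tlbnxzOjMyOiI4ODYwZWY4ZWFlMzZm',
);

header('Content-Type: text/plain');
echo 'Suhosin loaded:          ', $loaded ? 'yes' : 'no', "\n";
echo 'suhosin.session.encrypt: ', $enabled ? 'On' : 'Off or unset', "\n";
echo 'Server API:              ', php_sapi_name(), "\n";
echo 'Workaround to use:       ', workaround_for(php_sapi_name()), "\n";
foreach ($samples as $label => $value) {
    echo $label, ' sample stored as: ',
        looks_like_plain_session($value) ? 'plain text' : 'encoded/encrypted', "\n";
}
```

Replace the sample strings with values copied from the store's own sessions table, and run the script again after applying the workaround to confirm that suhosin.session.encrypt reports Off.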