Symptom:
On the last page of checkout customers may intermittently encounter the "Whoops your session timed out. Please log in." message (or some variation of it).


Fix:
/includes/functions/sessions.php
On 3 lines, add ,- into the pattern, as shown below:
Code:
Line #111 : if (preg_replace('/[a-zA-Z0-9,-]/', '', session_id()) != '')

Line #125 : if (preg_replace('/[a-zA-Z0-9,-]/', '', $tempSessid) != '')

Line #138 : if (preg_replace('/[a-zA-Z0-9,-]/', '', $tempName) == '') return session_name($name);



Affects Zen Cart v1.3.9, 1.5.0, 1.5.1, 1.5.2, 1.5.3, 1.5.4 on PHP 5.0-and-newer if your PHP configuration has session.hash_bits_per_character set to 6.
The fix is the same for all versions, although the line numbers may be different, and in 1.3.9 some may be missing (and if you're using 1.3.9 you SHOULD be upgrading ASAP).



Credit to gunnzo for debugging this on a Dreamhost server. Thanks!