
When I add something to the cart, the session can be seen immediately afterwards. Once I am redirected to the cart view, the session is gone.

The stranger thing, though, is that if I add something to the cart again, it updates the correct quantity... so obviously it's still there.

I do not understand.

I am using CakePHP 1.3. I have a controller called CartsController with 2 views, add and index. The add view expects a parameter of the id to add to the cart. So when you go to carts/add/1 it adds product id 1 to the cart ($_SESSION) and then redirects you to the index view (/carts).

If you view the SESSION immediately after it's added in the add() function, before redirecting to the index view, it has the proper values in it. By the time you reach the index view, the session is empty again (well, it has the default Cake Config value, but nothing I added).

This would lead you to believe that somewhere in between when it gets added and after it gets redirected, the session is being destroyed. But this is not true, because if you add the item to the cart again and view it directly afterwards, it will show a higher quantity (2 now instead of 1, then 3, then 4, and so forth). Yet if you view the session somewhere else, it's not there.

Does anyone have any idea at all what could be happening here?


Update

I wanted to add, it DOES work as intended the first time you add something to the cart in your browser, but if you leave the site (via an external link) with something in your cart and come back, there is nothing in your cart, and nothing can be added again -- that's when the problems outlined above start. This is happening in Chrome, FF, IE.

Update2

If you want to see for yourself, here are the steps to reproduce:

  1. Go to http://216.119.150.158/john/products/1/simon-g-ring
  2. Click add to cart
  3. Click the Google Checkout button
  4. Click the Edit order link to return to the previous page (not the back button)

Your cart is now empty and you can't add anything to the cart again.

JD Isaacks
  • Is the server a single instance? Could it be that the session contents is divided between different machines? – wallyk May 04 '11 at 14:22
  • @wallyk ...Hmm, I am using a VPS.net cloud hosted machine. I do not know if they use multiple machines or not; I think it's just virtualized. That kind of stuff is over my head, though. – JD Isaacks May 04 '11 at 14:25
  • What's the Security.level in your app/config/core.php? – dhofstet May 04 '11 at 15:29
  • In this case it's not an issue with the Security.level set to high... – dhofstet May 04 '11 at 15:43

2 Answers


The first time, you create a cookie for the HTTP connection; when you come back there is a second cookie for the HTTPS connection, which is only sent back to HTTPS connections. If you accessed the page with the same protocol both times (both times HTTP or both times HTTPS), you should see your shopping cart.

Passing your session cookie once insecurely and once securely can lead to security problems. I wrote an article about switching between the HTTP and HTTPS protocols:

Switching between HTTP and HTTPS pages with secure session-cookie

but maybe it's easier to connect always with a secure HTTPS connection.

martinstoeckli
  • Well, I have confirmed that switching from http to https is what's causing the session to disappear/reappear. I definitely do not want to make every page have to use https. I have switched back and forth on past projects with no session problems before. It seems if I make the cart index page http and only the rest of the checkout process after that step use https, it solves it for now. Who knows when it will come back to bite me, though. – JD Isaacks May 04 '11 at 15:44
  • As long as Google is not using your session, and you are not using Google's session, I cannot see a problem. BTW, your site looks good. – martinstoeckli May 04 '11 at 15:58
  • Thanks, it also seems if I leave everything else as it was but set security level to low it fixes the issue as well. This way I can leave the cart page as secure too. The reason being when you move from medium to low it disables session.referer_check [source](http://stackoverflow.com/questions/1954270/what-are-the-implications-of-using-low-security-in-cakephp) – JD Isaacks May 04 '11 at 16:54
  • Hmm, I don't know the CakePHP framework, but before, it created a second cookie for HTTPS only, which makes sense for a secure connection. Now the session cookie can be used for all connections (insecure too), therefore the cookie is sent unencrypted and can be intercepted. That makes the encryption of your page unsafe; you could as well use an unencrypted page. – martinstoeckli May 04 '11 at 17:17
  • Hmm... Not really sure what to do. I want the site to be secure, obviously, but the cart/index page has user information on it like billing/shipping address, so I would like it to be over https as well. It seems like in order to allow the site to function as currently designed and be secure, I have to make the entire site https. That's not ideal either; a lot of people here have bad connotations with that, such as poorer SEO and slower loading. – JD Isaacks May 04 '11 at 18:04
  • The shipping address should indeed be sent over an HTTPS connection. You can either encrypt your whole site, or you can use a second cookie as I'm proposing in the linked article. Maybe you want to read the original article on my homepage; if you have difficulties with the implementation I will gladly help you. – martinstoeckli May 04 '11 at 19:12
  • Thanks, I'll give your article a read. Hopefully I will be able to translate it into CakePHP. (Am still pretty new to the Cake Framework) – JD Isaacks May 04 '11 at 19:14
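The HTTP/HTTPS cookie split discussed in this answer and its comments, as an added example that is not part of the original post, of CakePHP, or of the linked article: a Python simulation of a browser cookie jar (only the RFC 6265 rule that a cookie carrying the Secure attribute is sent on https:// requests alone matters here) and a toy shop. Mode `secure_session` models the behaviour the question describes: the session cookie gets re-issued with Secure on an HTTPS page, so the next http:// page carries no session and starts an empty cart. Mode `split` is one way to implement the two-cookie idea: a plain session cookie usable on both schemes, plus an HTTPS-only token bound to the session that the checkout page demands, so a session cookie sniffed on the HTTP leg cannot reach the address page. The cookie name `CAKEPHP_SECURE`, the `Shop` class, its routes and the policy of issuing the token on the first HTTPS visit are assumptions for illustration.

```python
import secrets


class Cookie:
    def __init__(self, name, value, secure=False):
        self.name, self.value, self.secure = name, value, secure


class BrowserJar:
    """Minimal browser cookie store: a cookie with the Secure attribute is only
    sent on https:// requests, and a new cookie with the same name replaces the
    stored one (same domain and path assumed throughout)."""

    def __init__(self):
        self.cookies = {}

    def store(self, cookie):
        self.cookies[cookie.name] = cookie

    def send(self, scheme):
        return {c.name: c.value for c in self.cookies.values()
                if scheme == "https" or not c.secure}


class Shop:
    SESSION = "CAKEPHP"        # CakePHP's default session cookie name
    TOKEN = "CAKEPHP_SECURE"   # hypothetical second, HTTPS-only cookie (assumption)

    def __init__(self, mode):
        assert mode in ("secure_session", "split")
        self.mode = mode
        self.sessions = {}     # session id -> {"cart": {...}, "token": str | None}

    def _session(self, jar, scheme):
        """Look up (or create) the session named by the cookies the browser sent.
        Returns the session and whether this request may see sensitive pages."""
        sent = jar.send(scheme)
        sid = sent.get(self.SESSION)
        if sid not in self.sessions:
            sid = secrets.token_hex(16)
            self.sessions[sid] = {"cart": {}, "token": None}
            jar.store(Cookie(self.SESSION, sid))          # plain cookie, both schemes
        sess = self.sessions[sid]
        authorized = scheme == "https"
        if scheme == "https":
            if self.mode == "secure_session":
                # broken policy from the question: over HTTPS the session cookie is
                # re-issued with Secure, replacing the plain one; the next http://
                # request therefore carries no session cookie at all
                jar.store(Cookie(self.SESSION, sid, secure=True))
            elif sess["token"] is None:
                # split policy: bind a fresh HTTPS-only token to this session
                # (issued on first HTTPS visit here; a real site would do it at login)
                sess["token"] = secrets.token_hex(16)
                jar.store(Cookie(self.TOKEN, sess["token"], secure=True))
            else:
                authorized = sent.get(self.TOKEN) == sess["token"]
        return sess, authorized

    def add_to_cart(self, jar, scheme, product_id):       # carts/add/<id>
        sess, _ = self._session(jar, scheme)
        sess["cart"][product_id] = sess["cart"].get(product_id, 0) + 1
        return dict(sess["cart"])

    def view_cart(self, jar, scheme):                     # carts (index)
        sess, _ = self._session(jar, scheme)
        return dict(sess["cart"])

    def checkout(self, jar, scheme):
        """Page showing billing/shipping address: HTTPS only, and in split mode
        the HTTPS-only token must match the one bound to the session."""
        if scheme != "https":
            return "redirect to https"
        _, authorized = self._session(jar, scheme)
        return "checkout ok" if authorized else "forbidden: secure token missing"


def reproduce_vanishing_cart():
    """Add over http, visit the https checkout, return to the http cart page."""
    shop, jar = Shop("secure_session"), BrowserJar()
    before = shop.add_to_cart(jar, "http", 1)
    shop.checkout(jar, "https")
    after = shop.view_cart(jar, "http")       # new, empty session: cart is gone
    return before, after


def split_cookie_flow():
    """Same navigation with split cookies, then a hijack attempt with a session
    cookie captured (constructed here) on the unencrypted http leg."""
    shop, jar = Shop("split"), BrowserJar()
    shop.add_to_cart(jar, "http", 1)
    first = shop.checkout(jar, "https")       # token issued, page served
    back = shop.view_cart(jar, "http")        # plain session cookie still sent
    thief = BrowserJar()
    thief.store(Cookie(Shop.SESSION, jar.send("http")[Shop.SESSION]))
    stolen_cart = shop.view_cart(thief, "http")          # http part is still exposed
    stolen_checkout = shop.checkout(thief, "https")      # no Secure token: refused
    return first, back, stolen_cart, stolen_checkout
```

The split mode does not protect anything served over HTTP (the sniffed cookie still reads the cart); it only keeps the plain session cookie from unlocking the pages that demand the HTTPS-only token, which is the trade-off the comments above are weighing against making the whole site HTTPS.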

Chances are that you need to call session_start() (or whatever the CakePHP wrapper function is) on your cart page.

Brian Driscoll