We're experiencing a strange behavior on several Magento stores with customer sessions, on versions 1.9.2.3 and 1.9.2.4 (we do not know if it was the same before).
We have tried on native Magento (with demo data) and on two e-commerce sites (with modules and only one website/store).
Nothing seems related in /var/log.
There are two cookies: frontend and frontend_cid.
But the second is never renewed and breaks the session after its expiry date (fixed at its creation), even if the customer has browsed during that time: the customer becomes logged out when accessing the first HTTPS page.
frontend is created whatever the visited page.
frontend_cid is created when an HTTPS page is visited.
We are using SSL for frontend : customer account and onepage checkout, with a secure URL and validate certificate.
In Session Validation Settings, everything is set to NO, except "use_frontend_sid" set to YES. But even set to NO, that does not seem to change the actual behaviour.
An example to explain.
You set a lifetime to 86400 (24 hours).
If you go to the website at 08:00, the frontend and frontend_cid cookies are created and will expire the "next day at 08:00".
The first day, if you navigate the website around 11:00, the expiry date of the frontend cookie is renewed, until the "next day at 11:00".
BUT the frontend_cid cookie is never renewed; its expiry date stays "next day at 08:00".
During this time, customers can place orders without issues. And some customers just leave the website to come back "later".
The next day, if you go to the website at 10:00, you're still logged in and you can browse the site on HTTP pages (and the frontend cookie is renewed for the new next day at 10:00. Expected behaviour).
BUT if you go to an HTTPS page (onepage checkout or account), the customer is logged out! In fact, the frontend_cid cookie expiry date was this day at 08:00 and it has passed!
For test purposes, the test can be done with a cookie lifetime set to 60 (seconds): the two cookies are created, the frontend one is renewed when browsing, but once 60 seconds have passed (the fixed expiry date of the frontend_cid cookie) you are disconnected.
We thought about a misconfiguration, but on different servers and Magento e-commerce website we're experiencing the same behavior.
What do you think about that? Any workaround? A real misconfiguration? Bad PHP settings?
This issue is persistent on different Magento environments.
Has anyone already observed this issue? Or even found a way to fix it?
Or nobody has ever heard about it ?
Thanks.
We have the same issue, any news?
The core code seems to have forgotten to include the logic to renew the frontend_cid cookie.
I have contacted Magento support regarding this and they provided me with a patch - SUPEE-7136, however I'm not seeing it published online anywhere...
The issue lies in this file:
app/code/core/Mage/Core/Model/Session/Abstract/Varien.php
What the patch does is replace this:
```php
if (Mage::app()->getFrontController()->getRequest()->isSecure() && empty($cookieParams['secure'])) {
    // secure cookie check to prevent MITM attack
    $secureCookieName = $sessionName . '_cid';
    if (isset($_SESSION[self::SECURE_COOKIE_CHECK_KEY])
        && $_SESSION[self::SECURE_COOKIE_CHECK_KEY] !== md5($cookie->get($secureCookieName))
    ) {
        session_regenerate_id(false);
        $sessionHosts = $this->getSessionHosts();
        $currentCookieDomain = $cookie->getDomain();
        foreach (array_keys($sessionHosts) as $host) {
            // Delete cookies with the same name for parent domains
            if (strpos($currentCookieDomain, $host) > 0) {
                $cookie->delete($this->getSessionName(), null, $host);
            }
        }
        $_SESSION = array();
    }
    if (!isset($_SESSION[self::SECURE_COOKIE_CHECK_KEY])) {
        $checkId = Mage::helper('core')->getRandomString(16);
        $cookie->set($secureCookieName, $checkId, null, null, null, true);
        $_SESSION[self::SECURE_COOKIE_CHECK_KEY] = md5($checkId);
    }
}
```
with this:
```php
if (Mage::app()->getFrontController()->getRequest()->isSecure() && empty($cookieParams['secure'])) {
    // secure cookie check to prevent MITM attack
    $secureCookieName = $sessionName . '_cid';
    if (isset($_SESSION[self::SECURE_COOKIE_CHECK_KEY])) {
        if ($_SESSION[self::SECURE_COOKIE_CHECK_KEY] !== md5($cookie->get($secureCookieName))) {
            session_regenerate_id(false);
            $sessionHosts = $this->getSessionHosts();
            $currentCookieDomain = $cookie->getDomain();
            foreach (array_keys($sessionHosts) as $host) {
                // Delete cookies with the same name for parent domains
                if (strpos($currentCookieDomain, $host) > 0) {
                    $cookie->delete($this->getSessionName(), null, $host);
                }
            }
            $_SESSION = array();
        } else {
            /**
             * Renew secure cookie expiration time if secure id did not change
             */
            $cookie->renew($secureCookieName, null, null, null, true, null);
        }
    }
    if (!isset($_SESSION[self::SECURE_COOKIE_CHECK_KEY])) {
        $checkId = Mage::helper('core')->getRandomString(16);
        $cookie->set($secureCookieName, $checkId, null, null, null, true);
        $_SESSION[self::SECURE_COOKIE_CHECK_KEY] = md5($checkId);
    }
}
```
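To make the timeline in the question and the effect of the renewal branch in the patch concrete, here is an added self-contained PHP model (it is neither Magento's code nor the SUPEE-7136 patch itself). It replays the check from Varien.php against a tiny in-memory cookie jar: the session stores md5 of the frontend_cid value, every HTTPS request compares it to the cookie the browser still sends, and a mismatch wipes the session. The session key name, the 60-second lifetime and the request times are constructed for this demonstration.

```php
<?php
// Added illustration, not Magento's code: a model of the frontend_cid check,
// run once with the original logic and once with the renewal branch the patch
// adds. Key name, lifetime and timeline are constructed for the demo.

const SECURE_COOKIE_CHECK_KEY = 'secure_cookie_check'; // placeholder key name
const COOKIE_LIFETIME = 60;                            // seconds, as in the 60 s test above

/** Minimal browser cookie jar: an expired cookie is simply not sent any more. */
class CookieJar
{
    private $cookies = array(); // name => array('value' => ..., 'expires' => timestamp)

    public function get($name, $now)
    {
        if (!isset($this->cookies[$name]) || $this->cookies[$name]['expires'] <= $now) {
            unset($this->cookies[$name]);
            return null;
        }
        return $this->cookies[$name]['value'];
    }

    public function set($name, $value, $now)
    {
        $this->cookies[$name] = array('value' => $value, 'expires' => $now + COOKIE_LIFETIME);
    }

    public function renew($name, $now)
    {
        if (isset($this->cookies[$name])) {
            $this->cookies[$name]['expires'] = $now + COOKIE_LIFETIME;
        }
    }
}

/**
 * One HTTPS request through the secure-cookie check. $session stands in for
 * $_SESSION; $patched toggles the renewal branch from the patch.
 */
function secureRequest(array &$session, CookieJar $jar, $now, $patched)
{
    $secureCookieName = 'frontend_cid';
    if (isset($session[SECURE_COOKIE_CHECK_KEY])) {
        if ($session[SECURE_COOKIE_CHECK_KEY] !== md5((string) $jar->get($secureCookieName, $now))) {
            // Cookie missing (expired) or not the expected value: the session
            // is wiped, which is what logs the customer out.
            $session = array();
        } elseif ($patched) {
            // Same id as before, so push the cookie expiry forward.
            $jar->renew($secureCookieName, $now);
        }
    }
    if (!isset($session[SECURE_COOKIE_CHECK_KEY])) {
        $checkId = bin2hex(random_bytes(8)); // stands in for getRandomString(16)
        $jar->set($secureCookieName, $checkId, $now);
        $session[SECURE_COOKIE_CHECK_KEY] = md5($checkId);
    }
}

/** Log in at t=0, browse HTTPS pages at t=30 and t=55, come back at t=70. */
function customerStillLoggedIn($patched)
{
    $jar = new CookieJar();
    $session = array('customer_id' => 42); // constructed: an already logged-in customer
    foreach (array(0, 30, 55, 70) as $t) {
        secureRequest($session, $jar, $t, $patched);
    }
    return isset($session['customer_id']);
}

printf("original code: still logged in at t=70? %s\n", customerStillLoggedIn(false) ? 'yes' : 'no');
printf("patched code:  still logged in at t=70? %s\n", customerStillLoggedIn(true) ? 'yes' : 'no');
```

With the original logic the cookie set at t=0 silently expires at t=60, the browser stops sending it, md5 of an empty value no longer matches the stored hash, and the visit at t=70 ends in a wiped session even though the customer was active at t=30 and t=55. With the renewal branch each matching request pushes the expiry forward, so only genuine inactivity for the whole lifetime logs the customer out. On a real store the same thing can be checked without touching code by comparing the Expires attribute of the frontend_cid Set-Cookie header across two consecutive HTTPS responses: an unpatched store never re-sends it.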
We're getting the same issue in Magento 1.9.2.3. As you say, this patch isn't published anywhere.
Anyway, I've checked the latest Magento version (1.9.3.1) code and it doesn't appear yet, so I guess our problem isn't "completely" related to this "line". Did this trick solve your problem? Have you changed any other config?
I wouldn't like to change a core file just like that. It would be great if you can share the patch.
Hello,
Did anyone manage to fix the issue with the cookie?