[ic] Lost cart on checkout to SSL server - new session ID created?

Terese Elbring interchange-users@interchange.redhat.com
Fri Aug 24 12:29:01 2001


>>>>>>>>>>>>>>>>>> Original Message <<<<<<<<<<<<<<<<<<

On 8/23/01, 6:52:36 PM, Mike Heins <mheins@redhat.com> wrote regarding Re: 
[ic] Lost cart on checkout to SSL server - new session ID created?:

----------  MESSAGE SNIP -------
>>Long story short, I commented out line 1895 (init_session();) in
>>bin/interchange and everything seems to be working properly now.

> I think you fixed something, not broke it.

Well that's good to hear!!!

---------  MESSAGE SNIP --------

> I think we should do an analysis of different scenarios to try
> and fully characterize where sessions are lost and not lost. We may
> not be able to fix the worst scenario, which is:

>       1. No cookies enabled.
>       2. Differing secure and non-secure server domains.
>       3. Differing IP addresses on client for HTTP and HTTPS.
>       4. WideOpen not set.

> but we should be able to characterize what goes wrong where.

> If I ever get enough time to do this, I will. But someone who
> is interested in having differing secure/non-secure domains would
> be more motivated than me. 8-)

<G>  Well, here are 2 scenarios that work for me with the change to 
bin/interchange mentioned above:

Scenario 1:
   Different secure/non-secure domains
   Cookies enabled
   CookieDomain secure.domain.com .insecuredomain.com
   all other variables are undef/default values

Scenario 2:
   Different secure/non-secure domains
   Cookies DISabled
   all other variables are undef/default values
   added to the login form of the checkout template:
   <input type=hidden name=mv_session_id value="[data session id]">
   **new session was assigned if you tried to log in from the checkout
   page without the above change

Unfortunately I have not been able to test for differing IP addresses on 
client for HTTP and HTTPS and the store is not live yet, so no customer 
complaints...  if anyone is interested in trying to test this before I go 
live, they can email me directly at atlantis@belowsealevel.org.

Additionally, previous to the change to bin/interchange, a new session 
was always assigned upon entry to the SSL server. If you entered the 
store via the SSL server FIRST you didn't lose your cart if you had 
cookies enabled.

Additional additional, I have my icdebug info if anyone is interested in 
that.  I think that is it!

Terese