BUG: Cart empties during checkout [FIXED] - cscart 2.0 up to 2.0.12

Okay.



I know some of you have problems with the cart emptying during checkout. I have confirmed the bug. It affects Google Chrome and probably a number of other browsers.





BUG



It’s a cookie issue. A cookie set for one subdomain can’t be accessed by another subdomain within the same domain name.



For example:



www.domain.com

secure.domain.com



Each of the above has its own session ID.





FIX



modify



file: core/class.session.php





change:



```php
static function set_params()
{
    $host = defined('HTTPS') ? Registry::get('config.https_host') : Registry::get('config.http_host');

    if (strpos($host, '.') !== false) {
        // Check if host has www prefix and remove it
        $host = strpos($host, 'www.') === 0 ? substr($host, 3) : '.' . $host;
    } else {
        // For local hosts set this to empty value
        $host = '';
    }

    ini_set('session.cookie_lifetime', SESSIONS_STORAGE_ALIVE_TIME);
    ini_set('session.cookie_domain', $host);
    ini_set('session.cookie_path', Registry::get('config.current_path'));
    ini_set('session.gc_divisor', 10); // probability is 10% that garbage collector starts
}
```



To:



```php
static function set_params()
{
    $host = defined('HTTPS') ? Registry::get('config.https_host') : Registry::get('config.http_host');

    // Only rewrite dotted host names; leave IP addresses and single-label hosts alone
    if ((strpos($host, '.') !== false) && (!preg_match('/\b\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\b/', $host))) {
        // Strip the first label (any subdomain, not only www).
        // The result has no leading dot (e.g. 'domain.com'); browsers that follow
        // RFC 6265 treat that the same as '.domain.com'.
        $host = preg_replace('/^[^.]*\.([^.]*)\.(.*)$/', '\1.\2', $host);
    } else {
        // For local hosts set this to empty value
        $host = '';
    }

    ini_set('session.cookie_lifetime', SESSIONS_STORAGE_ALIVE_TIME);
    ini_set('session.cookie_domain', $host);
    ini_set('session.cookie_path', Registry::get('config.current_path'));
    ini_set('session.gc_divisor', 10); // probability is 10% that garbage collector starts
}
```





What does the modification do?



Basically 2 things.


  1. Before, it only strips out the subdomain ‘www’ from the $host, so something like ‘secure.domain.com’ does not get the subdomain ‘secure’ stripped out. Only ‘www.domain.com’ gets stripped to ‘.domain.com’.



    After the modification, any subdomain gets stripped out to ‘.domain.com’




  2. Ignores $host that is a CNAME such as “localhost” or set to an IP Address such as “127.0.0.1” . You don’t want to strip ‘127.0.0.1’ to ‘.0.0.1’. I often use IP Addresses for testing on a local server.

One more thing.



Be sure to remove your cookies after making the modification for it to take effect.



You still have 2 sets of cookies, one for each subdomain.

Thanks for sharing your fix. Much appreciated.
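
An added example, not part of the original post or of CS-Cart: it runs the posted host-stripping logic over constructed host names, including a two-label host under `co.uk` where dropping the first label leaves only `co.uk`, next to an alternative that uses the label suffix shared by the HTTP and HTTPS hosts. Because a cookie with a Domain attribute is sent to every host under that domain, the alternative returns an empty value (host-only cookie) when both hosts are identical. The function names and sample hosts are assumptions, and no public suffix list is consulted.

```php
<?php
// Added example, not CS-Cart code. Function names and hosts are constructed.

// The posted fix: drop the first label of any dotted, non-IP host.
function posted_cookie_domain(string $host): string
{
    if (strpos($host, '.') !== false
        && !preg_match('/\b\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\b/', $host)) {
        return preg_replace('/^[^.]*\.([^.]*)\.(.*)$/', '\1.\2', $host);
    }
    return '';
}

// Alternative (assumption): the longest label suffix shared by both configured
// hosts, or '' (host-only cookie) when no sharing is needed or possible.
function shared_cookie_domain(string $httpHost, string $httpsHost): string
{
    $a = strtolower($httpHost);
    $b = strtolower($httpsHost);
    if ($a === $b
        || filter_var($a, FILTER_VALIDATE_IP) || filter_var($b, FILTER_VALIDATE_IP)) {
        return '';
    }
    $la = array_reverse(explode('.', $a));
    $lb = array_reverse(explode('.', $b));
    $common = [];
    for ($i = 0; $i < min(count($la), count($lb)) && $la[$i] === $lb[$i]; $i++) {
        array_unshift($common, $la[$i]);
    }
    // Fewer than two shared labels means there is no usable parent domain.
    return count($common) >= 2 ? implode('.', $common) : '';
}

// Constructed (http_host, https_host) pairs.
$pairs = [
    ['www.domain.com', 'secure.domain.com'],
    ['www.domain.com', 'www.domain.com'],
    ['domain.co.uk', 'secure.domain.co.uk'],
    ['shop.eu.domain.com', 'pay.eu.domain.com'],
    ['127.0.0.1', '127.0.0.1'],
    ['localhost', 'localhost'],
];
foreach ($pairs as [$http, $https]) {
    printf("%-19s %-20s posted: %-15s / %-15s shared: %s\n", $http, $https,
        var_export(posted_cookie_domain($http), true),
        var_export(posted_cookie_domain($https), true),
        var_export(shared_cookie_domain($http, $https), true));
}
```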