Same here – A multiform card session was not carried over properly any more and no orders arrived. The form uses GET and SESSIONS.
That started after the update and everything worked again after disabling the plugin.
I had a quick look at the Easy Digital Downloads source code and noticed it had an issue with PHP sessions. The code is located in the /plugins/easy-digital-downloads/includes/class-edd-session.php file:
    /**
     * Starts a new session if one hasn't started yet.
     */
    public function maybe_start_session() {
        if( ! $this->should_start_session() ) {
            return;
        }
        if( ! session_id() && ! headers_sent() ) {
            session_start();
        }
    }
The problem is that it relies on session_id() to check if a session was started or not. But since PHP 5.4, it should call session_status() instead and make sure that the returned value is PHP_SESSION_ACTIVE.
Since the last version, NinjaFirewall closes its session using session_write_close(). The session is still accessible, but read-only, and because session_id() will return true in that case too, Easy Digital Downloads does not start a session and thus cannot write to the current one.
I recommend contacting the Easy Digital Downloads developers to warn them about this issue or to show them this discussion. There are several plugins in the repo that make use of the session_write_close() function, and they too will conflict with the shopping cart.
In the meantime, I recommend replacing the above code with the following:
    /**
     * Starts a new session if one hasn't started yet.
     */
    public function maybe_start_session() {
        if( ! $this->should_start_session() ) {
            return;
        }
        if ( ! headers_sent() ) {
            if ( version_compare( PHP_VERSION, '5.4', '<' ) ) {
                if ( ! session_id() ) {
                    session_start();
                }
            } else {
                if ( session_status() !== PHP_SESSION_ACTIVE ) {
                    session_start();
                }
            }
        }
    }
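The behaviour described in the post above can be reproduced from the PHP CLI with the following script. It is an added example, not code from this thread, Easy Digital Downloads or NinjaFirewall; the function names, the constructed session ID and the use of the system temp directory as the save path are assumptions made for the demonstration.

```php
<?php
// Added example: after session_write_close(), session_id() is still set,
// so a guard based on it never reopens the session and later writes are lost.
ini_set( 'session.use_cookies', '0' );    // CLI run: no cookie header needed
ini_set( 'session.cache_limiter', '' );   // CLI run: no cache headers either
ini_set( 'session.save_path', sys_get_temp_dir() ); // assumption: writable temp dir

// Guard as in the original maybe_start_session(): trusts session_id().
function start_if_no_id() {
    if ( ! session_id() ) {
        session_start();
    }
}

// Guard as in the proposed replacement: trusts session_status().
function start_if_not_active() {
    if ( session_status() !== PHP_SESSION_ACTIVE ) {
        session_start();
    }
}

// One plugin opens and closes the session early, then a cart plugin runs
// $guard and stores an item. Returns what a later request would read back.
function simulate_request( $guard ) {
    session_id( md5( uniqid( '', true ) ) ); // constructed ID, fresh per run
    session_start();
    $_SESSION['cart'] = array();
    session_write_close();                   // session closed, ID still set

    $state = array(
        'id_still_set' => session_id() !== '',
        'active'       => session_status() === PHP_SESSION_ACTIVE,
    );
    $guard();                                // the cart plugin's check
    $_SESSION['cart'][] = 'item-1';          // succeeds in memory either way
    session_write_close();                   // saves only if a session is active

    session_start();                         // "next request": reload from storage
    $state['cart_after_reload'] = $_SESSION['cart'];
    session_destroy();                       // clean up the session file
    return $state;
}

$results = array();                          // print last: output blocks session_start() in CLI
foreach ( array( 'start_if_no_id', 'start_if_not_active' ) as $guard ) {
    $results[ $guard ] = simulate_request( $guard );
}
foreach ( $results as $guard => $state ) {
    echo $guard, ': ', json_encode( $state ), "\n";
}
```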
Thread Starter
Kerry
(@bluenotes)
Thanks, I opened a ticket over there as well.
Great!
I will likely release a new version of NinjaFirewall today anyway, because I randomly checked several plugins in the repo that make use of PHP sessions and most of them are only using session_id() to check if a session is active.
I will make a small change that will not conflict with them.
I confirm that session_id() was the problem also in our case.
Thank you very much for the valuable information and the proposal for a fix.
I sent a note to the dev team of our plugin to take care of fixing this.
I just released NinjaFirewall 3.6.8 which fixes the issue.
I can confirm that the fix works here – thank you!!!!
Thread Starter
Kerry
(@bluenotes)
Thanks. All good now and I’ll let Pippin know.
I’ve pushed a fix in EDD for the 3.0 release.
We can back-port this to the 2.9 branch easily enough if need be.