fixed Cart is emptied during checkout - only with Firefox

[Hokuto ShinKen]

Hi all,

I have a problem that started more or less recently with my shop www.staring.es
Customers using Firefox based browsers on all OS platforms (Firefox stable, nightly, Tor browser, OSX, Windows, Linux) cannot buy.
If they add a product to the cart, and start the checkout process, at some point, the cart will turn empty.
It does not happens with other browsers like Chrome, Edge or Safari.

Video is attached in order to better see what is going on.

Another very very strange thing: few days ago I duplicated the website to dev.staring.es ...
and there the problem doesn't occur at all ... 🥲

Any help, clue is welcome (I tried to find on internet similar issues but had no luck).

PS version 1.7.8.11
PHP 7.4.33 on uptodate server

[Nickz]

1 hour ago, Hokuto ShinKen said:

I have a problem that started more or less recently with my shop www.staring.es
Customers using Firefox based browsers on all OS platforms (Firefox stable, nightly, Tor browser, OSX, Windows, Linux) cannot buy.

Did you do something?

Any module update, php version, theme change?

[Hokuto ShinKen]

The thing is that I did more or less in the timeframe PHP minor update I guess, some OS updates or so, no theme update no major module update.

And let pay attention to the thing that on my development platform I have not this problem (dev.staring.es and www.staring.es are purely exactly setup the same beside the domain name).

Thanks

[Nickz]

Those minor updates etc.  where done on both platforms?

[Hokuto ShinKen]

28 minutes ago, Nickz said:

Those minor updates etc.  where done on both platforms?

Yes, on both.

What I did was taking the PROD platform from a state X, duplicated the server (cloning), imported DB files from server PROD to DEV, and the same for public_html files.
Used the sed command to substitute all instances of www.staring.es by dev.staring.es from DB dump file and public_html files. Imported the DB dump file to the DEV DB.

Then dev.staring.es was up and running and I was able to simulate purchase without facing cart being emptied as I face I PROD server.
PROD and DEV are exactly the same from OS versions, packages rpm, up to Prestashop version and module versions.

But just in case when I have a moment in a couple of hours I will replicate again the server´s cloning to a dev2.staring.es just to be sure.
But I am 99,9999% confident PROD and DEV are the same except the domain name.

Thanks

 

[Andrei H]

Hello,

This might be related to the SameSite cookie attribute.

In order to rule my theory out, can you try and do the following: Go to Admin -> Advanced Parameters -> Administration and in the General section, set Cookie SameSite to None (also, remember the current value - might be Lax). Save and clear the cache then try the payment flow in Firefox again.

Please do these steps in the testing website first, just to make sure it doesn't break anything.

Once you are done testing, please change that value back to the initial one.

[Hokuto ShinKen]

14 minutes ago, Andrei H said:

Hello,

This might be related to the SameSite cookie attribute.

In order to rule my theory out, can you try and do the following: Go to Admin -> Advanced Parameters -> Administration and in the General section, set Cookie SameSite to None (also, remember the current value - might be Lax). Save and clear the cache then try the payment flow in Firefox again.

Please do these steps in the testing website first, just to make sure it doesn't break anything.

Once you are done testing, please change that value back to the initial one.

Hi all and @Andrei H,

So I did what. you recommended, and it WORKED !!!
Still I do not know why in DEV it works while the the cookies are setup in Lax.
So so far, in PROD, cookies are in None. I imagine that I should leave it like this. Not sure if there are some secuirty implication (I am reading now about this).

It is completely crazy still.

Thanks @Andrei H and everyone, for having paied attention to my none obvious problem.

 

[Andrei H]

Hello,

The SameSite attribute does add a layer of security to your website that will protect against CSRF attacks.

I would actually recommend trying to find out the actual cause of this issue then try to see if it's possible to fix it.

[Hokuto ShinKen]

8 minutes ago, Andrei H said:

Hello,

The SameSite attribute does add a layer of security to your website that will protect against CSRF attacks.

I would actually recommend trying to find out the actual cause of this issue then try to see if it's possible to fix it.

Hi @Andrei H and all,

Yes I understand then. Thanks for your support and explainations. And yes, troubleshooting where the issue comes from is the next step
since I do not want to lower security.

Thanks a lot!

 

 

[Andrei H]

Hello,

Just a tip that might be helpful here. You should try and see if there is any module that tries to open your website in an iframe during this checkout process, as that could be the reason behind that issue.

[Hokuto ShinKen]

27 minutes ago, Andrei H said:

Hello,

Just a tip that might be helpful here. You should try and see if there is any module that tries to open your website in an iframe during this checkout process, as that could be the reason behind that issue.

Okidoki thanks!

[Hokuto ShinKen]

1 hour ago, Hokuto ShinKen said:

Okidoki thanks!

Hi @Andrei H and all,

No iframe spotted so far.
But I thing I remember I did more or less recently have that setup the website to enforce HTTP Strict Transport Security (HSTS).
This is the only thing I remember which is cookie related that I changed and that might had some impact. But still it is difficult to think this caused the problem I faced with cookie Lax/none in PROD while in DEV, no issue at all.

Thanks again @Andrei H

[Hokuto ShinKen]

Hi @Andrei H and everyone,

So far thanks to Andrei a workaround has been found (set SameSite to none).
The underlying problem has not been spotted. And I was wondering if whether I should switch the ticket to "SOLVED" or not.

Thanks

[Hokuto ShinKen]

Well, News here ...
Just in case I switched back the Lax for Prestashop cookie as curiosity. And magically, after testing I saw that the checkout process was working fine ...
(this is a postergeist case for sure).

So we might not know what was the underlying problem, but still I will close this as "fixed", even if I do not like the fact that I do not know what was the problem.

Thanks to all for your contribution and support.

@Andrei H , @Nickz

PS: I am trying to find the way to label in the title of the ticket the work "FIXED" or "SOLVED" , or a way to mark this as closed but I cannot find,
please could someone help?