Fixing Magento Session IDs

Fix for Passing Magento Session IDs

We often use shared SSL’s when building e-commerce sites. It’s a convenient way of hosting multiple stores without having to purchase separate SSL certificates for each site. Most of our e-commerce clients manage multiple stores within a single Magento or OpenCart installation. Recently, we found a problem with Magento where the customer’s session ID was not being passed successfully between their initial visit to the site and their page views after logging into the store as a registered customer. Magento was not passing the same session IDs, and this meant that a customer who had previously logged in and added items to their cart, would lose the contents of their cart after returning later and logging in. Not a great situation.

In looking at the cookies created during a session, I found that when going from an unsecure domain (i.e., http://) to a secure domain (i.e., https://), the session ID was being passed successfully and a new cookie for the secure domain was created with the same session ID as the unsecure domain. However, when the customer logged in, a new cookie was created for the secure domain with an entirely new session ID. Magento was now using the newer cookie, and whenever the customer clicked to go back into an unsecure domain page (e.g. product detail page), they were no longer logged into Magento as the unsecure domain was using its cookie/session ID, not the new session ID created at login. The solution would be to find where the new session ID was being created and prevent that from occurring.

So, I began digging into the code to see if I could find where Magento was creating the new session.

In app/code/core/Mage/Customer/Model/session.php, I found this at lines 177-189 (Magento CE 1.5.1):

public function login($username, $password)
	/** @var $customer Mage_Customer_Model_Customer */
	$customer = Mage::getModel('customer/customer')

	if ($customer->authenticate($username, $password)) {
		return true;
	return false;

My solution was to comment out the line: $this->renewSession():, so that Magento would not create a new session when the customer logged in. The changed code looks like this:

public function login($username, $password)
	/** @var $customer Mage_Customer_Model_Customer */
	$customer = Mage::getModel('customer/customer')

	if ($customer->authenticate($username, $password)) {
		return true;
	return false;

So far in our testing, everything is working just fine, and the customer’s session is being retained between domains. Now, before you rush to change this core file, do the following:

  1. Backup your databases (you should always do this before making any modifications).
  2. Build the following directory hierarchy: app/code/local/Mage/Customer/Model/.
  3. Put a copy of session.php into this new directory.
  4. Comment out the appropriate line, shown above, and save your file.

By putting your modifications into the app/code/local directory, you’re telling Magento to use these files instead of the core files. More importantly, you’re preventing the loss of your modifications should you update Magento in the future.

It also provides a convenient way to store and manage your code modifications, as you only need to keep modified files in the app/code/local directory.

Be sure to leave a comment if you know of a more elegant solution, or if you find this works or doesn’t work for you.


17 Responses to “Fix for Passing Magento Session IDs”

  1. Harris November 23, 2011 at 1:03 am #

    I found the issue weird, as my website, i have setup multiple store with same SSL, some of my customer face problem to login but some OK. why this issue only effect some but not all the user?

  2. Jan November 30, 2011 at 5:09 am #

    On my website it is possible to add products to the cart from outside the magento store. In general it worked fine, but everytime a user logged into the store, the products were not placed into the cart anymore. If the user logged out again, the cart is properly filled with the products.
    Your fix was the solution for that problem – it seems that the “outside” magento code did not recognize the renewed session id and did add the products to the outdated not-logged-in-user session.
    Thank you for that solution! :-)

  3. BigBridge July 3, 2012 at 12:57 pm #

    Hi Bret,

    Thanks for this fix!! Helped me out with this problem :)

    Regards from The Netherlands

  4. Sidney October 24, 2012 at 3:31 pm #


  5. Adrian November 28, 2013 at 8:33 am #

    It works perfectly! Thank you

  6. Nattapong December 14, 2013 at 5:49 am #

    I just upgraded magento to 1.8.1 the problems about customer login appear.
    I put the right e-mail and password but can’t login to customer account. No error message. It just redirect to the same page.
    I try this solution but for me It doesn’t work. Any suggestion to fix this problem?

    • nwadmin December 14, 2013 at 6:48 am #

      I suspect the upgrade to 1.8.1 rendered this fix irrelevant. We haven’t tested 1.8.1 yet, but one of the fixes in the change log is “Resolved a session fixation issue when registering a user with the web store.” This suggests that 1.8.1 may handle sessions differently with customer logins.

      You should probably not install this fix on 1.8.1 on a live server.

  7. Mage Fast (@magefast) December 25, 2013 at 9:30 am #


    Saved my time!!!

  8. Niels December 30, 2013 at 4:27 am #

    Have you heard of an issue in 1.8 (or EE 1.13) where multiple orders are placed under 1 same customer ID? We experience this issue in 1.13.02.

    • nwadmin December 30, 2013 at 5:05 am #

      No, actually not so far. We have several clients running CE 1.8 and no one has reported that particular issue yet.

      Do you have any checkout or order management extensions installed or modifications relating to orders?

      • Niels December 30, 2013 at 5:07 am #

        We run OneStepCheckout in this installation

        • nwadmin December 30, 2013 at 5:12 am #

          Have you tried 1.8 without this extension to see if the issue persists? I can’t tell from their website how current their latest version is. It may be that it’s not handling session ids in 1.8 properly. The best test would be to uninstall their extension and see if you have the same issue.

  9. andre January 25, 2014 at 9:27 pm #

    Regenerating the session id is a security feature. Your solution is akin to defeating a microwaves interlocks in order to let it function with the door open

    • Bret Williams January 26, 2014 at 8:21 pm #

      Interesting. Could you be more specific in terms of how this compromises security? If it does, I certainly want to correct this.

      If so, what would your recommendation be to solve this problem?

  10. shabeersshabeer June 8, 2014 at 2:59 am #

    You saved my life…Thanks a lot..this solution fixed my problem…

  11. prathap July 3, 2014 at 4:25 am #

    thank you sir thank you very much really it was helpful to me

  12. prathap July 3, 2014 at 4:27 am #

    Thank you sir really it was helpful to me

Leave a Reply

%d bloggers like this: