Cubecart 6.1.12 $GLOBAL('session') is emply in order overview.

[son caocao]

Hi experts,

In order overview,  I inject a form that doing refund for an order and the handler function is also call to admin class for authorization.

But the authorization is always failed, I realize that the $GLOBAL('session') is an empty array when I tried to var_dump that inside permission function of admin class.

 

I also tried to install my plugin in old version of cubecart like 6.1.5, its working fine and the $GLOBAL('session') having value of admin_id.

 

Can anyone tell me what is the issue, what can I change to make it work on cubecart latest version ?

 

Best Regards,

Son

[bsmither]

Welcome son caocao! Glad to see you made it to the forums.

One of the differences between CC615 and the latest version is that a lot of XSS deterrence has been implemented. That means for many events, the correct security token needs to accompany the request. If that correct token is not there, the session will get discarded.

[son caocao]

Thanks @bsmither for quick reply,

Can you pls guide me or better if u can give me a sample how to attach a security token into an ajax request.

Actually, I cannot find any example on ajax request that attach security token for cubeCart.

 

Best Regards,

Son

 

And also, @bsmither

I have compare 2 versions 6.1.10 and 6.1.11,  it got successfully run on .1.10 but not on 1.11 and having same issue that I mentioned above

And the difference is in session.class.php, in 1.11 the session_prefix have change follow the ADMIN_CP.

$session_prefix = CC_SSL ? 'S' : '';
        if(ADMIN_CP) {
            $session_prefix .= '_ACP';    
        }

 

Not sure what is the purpose of that changing on session_prefix

[bsmither]

This may be the solution you are looking for:
https://github.com/cubecart/v6/issues/1771

[son caocao]

That's really helpful, thanks a lot