Some days ago the Magento security update SUPEE-8788 was released. This update fixes a number of critical vulnerabilities. To fix an existing shop one could either apply the SUPEE-patch or upgrade the shop to Magento 1.9.3. However, after updating I experienced a little issue when trying to reach the shop again. 

A PHP Exception popped up:

Notice: Undefined index: session_expire_timestamp  in /data/web/public/app/code/core/Mage/Core/Model/Session/Abstract/Varien.php on line 461

Even after flushing the cache this problem appears. The undefined index and path of the file that raises the exception gives away that this problem might have to with Magento’s session handling. I started with deleting any existing session cookies in my browser. This made the error message disappear. Be aware that this is not an appropriate solution to this error!

Imagine all those visitors that either have an active session cookie or are currently using the shop. They will encounter this harsh error which will totally block their access to your shop. A proper remedy would involve finding the actual cause of the problem and then fixing it.

Cause of the problem

Let’s look for any occurrences of the text session_expire_timestamp in the Magento installation. Only the previously mentioned file is involved: _app/code/core/Mage/Core/Model/Session/Abstract/Varien.php. _Now let’s see if the recent 1.9.3 update has something to do with the problem. A look at the Git diff will show that the _session_expire_timestamp _key was added to the code with this update. Now take a look at line 461:

if ($this->useValidateSessionExpire()
    && $sessionData[self::VALIDATOR_SESSION_EXPIRE_TIMESTAMP] < time() ) {

The new key is used in checking the validity of the session timestamp. $sessionData comes from $this->_data[self::VALIDATOR_KEY];  but the _session_expire_timestamp _key is only added to the session by the $this->getValidatorData(); function and stored in $this->_data[…]  at the end of the function-call.

Thus the problem is that in existing sessions this _session_expire_timestamp _key is not available.

The solution: a simple fix

To solve this we will do the following: we modify this Magento core file to check first if the key exists before processing it. If not, we’ll add the key. Modifying core files normally is bad practise but in this scenario it makes perfectly sense: we don’t need the modification anymore when all old sessions expire and new guests automatically get the correct session data.

The _if-_block starting at line 460 now becomes:

if ($this->useValidateSessionExpire() ) {
    // If the VALIDATOR_SESSION_EXPIRE_TIMESTAMP key is not set, do it now
    if( !isset($sessionData[self::VALIDATOR_SESSION_EXPIRE_TIMESTAMP]) ) {
        // $this->_data is a reference to the $_SESSION variable so it will be automatically modified
        $this->_data[self::VALIDATOR_SESSION_EXPIRE_TIMESTAMP] = time() + $this->getCookie()->getLifetime();
        return true;
    } elseif ( $sessionData[self::VALIDATOR_SESSION_EXPIRE_TIMESTAMP] < time() ) {
        return false;
} else {
        = $validatorData[self::VALIDATOR_SESSION_EXPIRE_TIMESTAMP];

This assures that the comparison between time()  and the _session_expire_timestamp _is only executed when the key exists and that when a session is found that does not have the key (i.e. a pre 1.9.3 session) the key is added.

GitHub user Digital Pianism has added this fix to his repository of Magento fixes. Which can be easily installed using Modman.

Sponsored content