Fix Magento 1.9.3 ‘Notice: Undefined index: session_expire_timestamp in … on line 461’

Some days ago the Magento security update SUPEE-8788 was released. This update fixes a number of critical vulnerabilities. To fix an existing shop one could either apply the SUPEE-patch or upgrade the shop to Magento 1.9.3. However, after updating I experienced a little issue when trying to reach the shop again. 

A PHP Exception popped up:

Even after flushing the cache this problem appears. The undefined index and the path of the file that raises the exception give away that this problem might have to do with Magento’s session handling. I started by deleting any existing session cookies in my browser. This made the error message disappear. Be aware that this is not an appropriate solution to this error!

Imagine all those visitors that either have an active session cookie or are currently using the shop. They will encounter this harsh error which will totally block their access to your shop. A proper remedy would involve finding the actual cause of the problem and then fixing it.

Cause of the problem

Let’s look for any occurrences of the text session_expire_timestamp in the Magento installation. Only the previously mentioned file is involved: app/code/core/Mage/Core/Model/Session/Abstract/Varien.php. Now let’s see if the recent 1.9.3 update has something to do with the problem. A look at the Git diff will show that the session_expire_timestamp key was added to the code with this update. Now take a look at line 461:

The new key is used in checking the validity of the session timestamp. $sessionData comes from $this->_data[self::VALIDATOR_KEY]; but the session_expire_timestamp key is only added to the session by the $this->getValidatorData(); function and stored in $this->_data[...] at the end of the function call.

Thus the problem is that in existing sessions this session_expire_timestamp key is not available.

The solution: a simple fix

To solve this we will do the following: we modify this Magento core file to check first if the key exists before processing it. If not, we’ll add the key. Modifying core files normally is bad practice, but in this scenario it makes perfect sense: we don’t need the modification anymore when all old sessions expire and new guests automatically get the correct session data.

The if-block starting at line 460 now becomes:

This ensures that the comparison between time() and the session_expire_timestamp is only executed when the key exists, and that when a session is found that does not have the key (i.e. a pre-1.9.3 session) the key is added.
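The guard described above, as an added stand-alone PHP example (not Magento's code and not the patch from this post). Only the key name session_expire_timestamp comes from the post; the function name, the sample sessions, the fixed clock and the 3600-second lifetime are assumptions.

```php
<?php
// Added illustration (PHP 7+). Not Magento core code and not the author's patch.
// Only the key name comes from the post; function and variable names are hypothetical.
const EXPIRE_KEY = 'session_expire_timestamp';

/**
 * Check the expiry timestamp stored in a session's validator data.
 * $stored is taken by reference so a legacy session can be upgraded in place.
 */
function validateExpiry(array &$stored, int $now, int $lifetime): bool
{
    if (!array_key_exists(EXPIRE_KEY, $stored)) {
        // Session created before the upgrade: no key yet. Reading it directly
        // is what raises "Undefined index". Add it and accept the session.
        $stored[EXPIRE_KEY] = $now + $lifetime;
        return true;
    }
    // Key present: the session is valid only while the timestamp is not in the past.
    return (int) $stored[EXPIRE_KEY] >= $now;
}

// Constructed sample data: three sessions as they might sit in storage.
$now      = 1476700000;   // fixed "current time" so the run is repeatable
$lifetime = 3600;         // assumed cookie lifetime in seconds
$sessions = [
    'legacy'  => ['remote_addr' => '192.0.2.10'],                            // no key
    'current' => ['remote_addr' => '192.0.2.11', EXPIRE_KEY => $now + 120],
    'expired' => ['remote_addr' => '192.0.2.12', EXPIRE_KEY => $now - 1],
];

foreach ($sessions as $name => $data) {
    $ok = validateExpiry($data, $now, $lifetime);
    printf("%-8s valid=%s expires=%d\n", $name, $ok ? 'yes' : 'no', $data[EXPIRE_KEY]);
}
```

The legacy branch gives every session without the key a full new lifetime, so it is only meant to stay in place until the pre-upgrade sessions have expired.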

GitHub user Digital Pianism has added this fix to his repository of Magento fixes, which can be easily installed using Modman.


  • Hi, this fix will destroy all the existing sessions, no?

    • Tom

      The session will be invalidated because of missing expire timestamp. To solve this I will change the code such that an existing session will get an expire timestamp in the future.

      • Tom

        Done, key will be set if not already and the (old) session is positively validated.

  • Digital Pianism

    Great job, I have added your fix to the bug fixes repo:

    • Tom

      Nice, I will mention your repo.

  • Nicholas Yang

    Thanks for the post. It helped me track down a possibly related issue. Occasionally, my session file seems to get initialized with the value of current time, instead of (time() + cookie lifetime). The _validate() function keeps returning false in the noted block of code above, so I can’t login until: 1) clearing that session file, 2) changing session_expire_timestamp, 3) commenting out the line that returns false for the supposed invalid session_expire_timestamp. Is there any reason the session data might receive the wrong value for session_expire_timestamp?

  • Chris Astley

    I came across this issue but did a different fix to resolve my issue. In file app/code/core/Mage/Core/Model/Session/Abstract/Varien.php I changed this from line 35;
    const VALIDATOR_SESSION_EXPIRE_TIMESTAMP = '_session_expire_timestamp';
    const VALIDATOR_SESSION_EXPIRE_TIMESTAMP = 'session_expire_timestamp';

    Just remove the underscore and it works fine.

    • Nicholas Yang

      My Varien.php file already has the const without the underscore. I did an upgrade in Magento Connect from ->