Did no one else have this problem?
Having just applied the August 06 update to my site which will be going live shortly, I found exactly the same problem.
The problem occurs because in the August 06 update, tep_session_start() is modified:
function tep_session_start() {
return session_start();
}
now becomes:
function tep_session_start() {
global $HTTP_GET_VARS, $HTTP_POST_VARS, $HTTP_COOKIE_VARS;
$sane_session_id = true;
if (isset($HTTP_GET_VARS[tep_session_name()])) {
if (preg_match('/^[a-zA-Z0-9]+$/', $HTTP_GET_VARS[tep_session_name()]) == false) {
unset($HTTP_GET_VARS[tep_session_name()]);
$sane_session_id = false;
}
} elseif (isset($HTTP_POST_VARS[tep_session_name()])) {
if (preg_match('/^[a-zA-Z0-9]+$/', $HTTP_POST_VARS[tep_session_name()]) == false) {
unset($HTTP_POST_VARS[tep_session_name()]);
$sane_session_id = false;
}
} elseif (isset($HTTP_COOKIE_VARS[tep_session_name()])) {
if (preg_match('/^[a-zA-Z0-9]+$/', $HTTP_COOKIE_VARS[tep_session_name()]) == false) {
$session_data = session_get_cookie_params();
setcookie(tep_session_name(), '', time()-42000, $session_data['path'], $session_data['domain']);
$sane_session_id = false;
}
}
if ($sane_session_id == false) {
tep_redirect(tep_href_link(FILENAME_DEFAULT, '', 'NONSSL', false));
}
return session_start();
}
The knock on effect is that code in protx_form.php which previously worked is now broken:
if ($Status != 'OK') {
tep_redirect(tep_href_link(FILENAME_CHECKOUT_PAYMENT, tep_session_name() . '=' . $HTTP_POST_VARS[tep_session_name()] . '&error_message=' . urlencode($StatusDetail), 'SSL', false, false));
}
Upon inspection, $HTTP_POST_VARS[tep_session_name()] does not contain the session ID (it's an empty string). Therefore I changed the redirect to:
tep_redirect(tep_href_link(FILENAME_CHECKOUT_PAYMENT, 'error_message=' . urlencode($StatusDetail), 'SSL', false, false));
And all appears to be working as it should.
Can someone with a bit more knowledge of payment modules confirm that what I have done is okay?
New 
