CartIt allows only one item in the cart at a time after installing Google Analytics
Have you recently installed Google Analytics on your site and found CartIt is broken?
If you visit a site which uses the CartIt shopping cart and has the Google Analytics code (urchin.js or ga.js) installed, you will get several cookies. One, called __utmz, breaks CartIt's ability to read its own cookies because years ago, when Urchin first started using JavaScript cookies, the coder (or pointy-headed boss) did not follow the standards (well, they were only suggestions and still are). Standard cookies use the equals sign (=) as a delimiter, so if a cookie contains multiple equals signs, an application attempting to read it may fail if it was never written to handle this non-standard cookie.
RFC 2109 (the original Netscape proposal) lists a name=value pairing and says: “The VALUE is opaque to the user agent and may be anything the origin server chooses to send, possibly in a server-selected printable ASCII encoding.”
So when Google uses characters which are also delimiters in cookie text, they should be escaped using URL encoding such as “%3d”, but they are not. The cookie is broken and has been for years. Apparently there is no intention of correcting this, as the newer analytics code (ga.js) creates the same broken cookie.
Unfortunately, when this __utmz cookie is set, it is set for *.domain.com, which is the same scope CartIt uses for its own cookies. When your browser sends the broken __utmz cookie to your server, your shopping cart, cartit.cgi, creates a new shopper cookie, and because it cannot match up the shopper (you) with a cart cookie, it makes a new cart cookie with your one item. The result is only one item in the cart, period, until you remove the Google code, or “fix” the cart and then CLEAR all the cookies for the domain.
I have “fix” in quotes because the CartIt shopping cart is not really broken; CartIt is a victim of Urchin/Google's poor code. If the designers of CartIt could have anticipated someone would:
1. Intentionally create software to create a cookie which appears to not URL encode field delimiters, e.g. (=)
2. Intentionally install this broken software to create a cookie with invalid characters, thereby shooting you in the foot and breaking your ecommerce site
Why doesn’t Google fix this? Well, there are many more people using Urchin than CartIt, and all you need to do to fix CartIt is modify the cookie reading code on line 927 of cartitlib.cgi, so it is straightforward if you know Perl. This is not simply a CartIt problem, as there are doubtless many other programs which could be affected: anything on your server which reads cookies could choke on the broken __utmz cookie.
Here is an example of what the __utmz cookie contains:
__utmz=247895813.1206552801.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); path=/; expires=Thu, 25 Sep 2008 05:33:20 GMT; domain=domain.com;
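The failure and the kind of change described above, as an added Perl example. This is not CartIt's code and not what is on line 927 of cartitlib.cgi; the cookie names "shopper" and "cart", their values, and both subroutine names are assumptions made for illustration.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Constructed Cookie request header: the __utmz value shown on this page
# between two hypothetical cart cookies ("shopper" and "cart" are assumed names).
my $header = 'shopper=abc123; '
    . '__utmz=247895813.1206552801.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); '
    . 'cart=item42';

# Fragile: treats every "=" and ";" as a delimiter and pairs the pieces up.
# The extra "=" signs inside __utmz shift every pair that follows it.
sub parse_fragile {
    my ($raw) = @_;
    my @parts = split /\s*[=;]\s*/, $raw;
    my %jar;
    while (@parts) {
        my $name  = shift @parts;
        my $value = shift @parts;
        $jar{$name} = defined $value ? $value : '';
    }
    return \%jar;
}

# Robust: split cookies on ";" first, then split each pair on the FIRST "="
# only (limit 2), so the value stays opaque whatever characters it contains.
sub parse_robust {
    my ($raw) = @_;
    my %jar;
    for my $pair (split /\s*;\s*/, $raw) {
        my ($name, $value) = split /=/, $pair, 2;
        next unless defined $name && length $name;
        $jar{$name} = defined $value ? $value : '';
    }
    return \%jar;
}

# Compare what each parser recovers for the application's own cookie.
for my $case (['fragile', \&parse_fragile], ['robust', \&parse_robust]) {
    my ($label, $parser) = @$case;
    my $jar = $parser->($header);
    printf "%-8s cart=%s\n", $label,
        exists $jar->{cart} ? $jar->{cart} : '(not found)';
}
```

Reading only the cookie names the application itself sets, and ignoring everything else in the header, keeps other third-party cookies on the same domain from affecting the cart.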
So it is fixable, but it’s an unfortunate fact that poor code never seems to fade once implemented. In the end, you’ll likely have to pay someone to fix your (not really broken) CartIt code. After all, the Google code is free, and it is worth having on most ecommerce sites, but you don’t need to change your site's shopping cart as a result.