Some of our customers experience a “Sorry, your session has expired. Return to cart” message when trying to purchase products from us via our WooCommerce checkout page

Hello All,

Now and again (once or twice every week or two), we notice some of our customers receiving the following message on our WordPress site after clicking the pay now button on our WooCommerce checkout page → “Sorry, your session has expired. Return to cart.” This mainly occurs on mobile devices. Are there any Cloudflare (mobile) optimization settings that could be causing this issue, especially regarding WordPress user sessions?

Has anyone else experienced a similar issue? If so, how did you resolve it? Unfortunately, I have not been able to reproduce this issue, although I have Hotjar recordings of a few customers who have.

I appreciate any help and insight.

Many things out there that rely on e.g. sessions as described can similarly have certain session restrictions applied, to prevent private session information (such as your login data) from becoming compromised.

One thing that sessions can be (and, at least in the past, commonly have been) limited to would be the IP address that the user originates from.

Since you mention mobile devices, it sounds like they are most likely roaming between multiple IP addresses, and the WooCommerce session could be restricted based on the IP address that the user originally came from.

Roaming from e.g. 192.0.2.1 towards 192.0.2.123 might not make any difference at all, but if they are roaming all the way from e.g. 192.0.2.123 to 198.52.100.200 or 203.0.113.208, there is quite a bit of difference between the IP address it had and the IP address it has now, and that could kill a session if the session is tied to the IP address(es).

Switching between their cellular data connection and e.g. their home Wi-Fi would be one of many ways that would typically cause a switch of the public IP address(es) the device originates from.

Depending on how your stuff is being operated, you might also want to look at e.g. “Restoring original visitor IPs”:

Under the condition that you are not properly restoring the original visitor IPs, the IP addresses that I reach your site through would appear as Cloudflare IP addresses on Proxied (:orange:) records.

If my ISP originally routed me through Cloudflare’s datacenter in Copenhagen while connecting to your site, but my ISP (for whatever reason) is now sending me through Cloudflare Stockholm instead, then that would also give you a very different set of IP addresses, and could cause similar issues due to such IP or IP-range restricted sessions.

I believe the above would be the best plausible reason I can find, based on the explanation you provided.

Whether or not (including eventually how) WordPress/WooCommerce would allow you to adjust any eventual restrictions on their sessions would be something you would need to coordinate with them, though.

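The two effects described in the reply above (a visitor roaming between addresses, and a proxied site seeing Cloudflare edge addresses when visitor IPs are not restored), as an added example that is not part of the original thread and is not WooCommerce or Cloudflare code. It models a hypothetical session check with three binding policies; the `10.0.0.0/8` proxy range, the function names and the sample requests are constructed, while `CF-Connecting-IP` is the header Cloudflare uses to pass the visitor address.

```python
import ipaddress

# Constructed stand-in for the proxy's edge ranges; a real deployment
# would load Cloudflare's published IP list here.
TRUSTED_PROXIES = [ipaddress.ip_network("10.0.0.0/8")]

def visitor_ip(peer, headers, restore=True):
    """IP the application sees. CF-Connecting-IP is honoured only when
    the TCP peer is a trusted proxy, so a direct client cannot spoof it."""
    peer_addr = ipaddress.ip_address(peer)
    forwarded = headers.get("CF-Connecting-IP")
    if restore and forwarded and any(peer_addr in n for n in TRUSTED_PROXIES):
        try:
            return ipaddress.ip_address(forwarded.strip())
        except ValueError:
            pass  # malformed header: fall back to the peer address
    return peer_addr

def session_ok(bound_ip, seen_ip, policy):
    """policy: 'exact' = same address, 'prefix' = same /24 (IPv4) or
    /48 (IPv6), 'none' = the session is not tied to an address."""
    if policy == "none":
        return True
    if policy == "exact" or bound_ip.version != seen_ip.version:
        return bound_ip == seen_ip
    bits = 24 if bound_ip.version == 4 else 48
    net = ipaddress.ip_network(f"{bound_ip}/{bits}", strict=False)
    return seen_ip in net

# Constructed requests: the first one creates the session, the rest reuse it.
# Each later entry is (label, TCP peer, CF-Connecting-IP value).
LOGIN = ("10.1.0.5", "192.0.2.1")
LATER = [
    ("other edge, same visitor", "10.2.0.9", "192.0.2.1"),
    ("small roam",               "10.1.0.5", "192.0.2.123"),
    ("cellular to Wi-Fi",        "10.2.0.9", "203.0.113.208"),
]

def replay(policy, restore):
    """Return {label: survives?} for each later request of the session."""
    bound = visitor_ip(LOGIN[0], {"CF-Connecting-IP": LOGIN[1]}, restore)
    return {
        label: session_ok(
            bound, visitor_ip(peer, {"CF-Connecting-IP": fwd}, restore), policy)
        for label, peer, fwd in LATER
    }

if __name__ == "__main__":
    for policy in ("exact", "prefix", "none"):
        for restore in (False, True):
            print(policy, "restore" if restore else "no-restore", replay(policy, restore))
```

Running it prints, per policy, which of the later requests would keep the session with and without visitor-IP restoration.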

Thank you for taking the time to respond to me. From my knowledge, WordPress uses cookies to keep track of sessions in addition to database records. This is partly to enable users to switch between IP addresses. I was wondering if Cloudflare could be caching certain aspects of a user’s session due to some of my settings. Unfortunately, it is challenging for me to reproduce this issue on my end.