It's based on OpenACS 3.2.5, but somewhat modified (and mostly not by me).
I don't seem to have ad_verify_signature. What file is it supposed to be in?
What happens is that the user goes to ecommerce/checkout.tcl, and ad_verify_and_get_user_id sends them off to log in. The ad_session_id cookie is written properly at this point (I have read it back and verified that it is correct). Then they go back to checkout.tcl, which calls ad_verify_and_get_user_id which should succeed this time, but does not because when that cookie is read back in this time, the user_id is set to zero as you can see in my original post (it is the second field, delimited by commas).
It seems logical that something else is messing with it in the meantime, but I cannot figure out where that's happening.
I have grepped the code for IE-specific stuff but didn't find anything cookie-related. If you know of something, please let me know.
Dave's suggestion of watching the HTTP traffic is probably my best bet at this point.
Thanks guys - if you come up with anything else, I'm all ears (eyes? :).
