I'm working on a PHP project that implements bank payments provided by another company.
Let's assume that my webpage is http://www.mypage.com/
The payment is submitted via a POST form, but the form's action goes to another server: http://www.otherdomain.com/payment
Post data contains an ID of the payment.
When the payment is completed, the response goes back to my website: http://www.mypage.com/payment_completed
After going back, the PHPSESSID cookie has changed, and therefore the user is being logged out.
I noticed that this only happens in Firefox, not in Chrome. The weird thing is that if I have more than one logged-in tab open, the PHPSESSID changes only in the one tab that did the POST to the other server. The other tabs remain logged in.
Is there a way to make sure that the session will not be destroyed in that one tab after sending a POST to the other server?
My project is using Zend Framework.
I'm having an issue with CSRF tokens on externally linked pages.
I have a chat bot in WhatsApp that sends a user a one-time link to the site. They click the link and need to enter a PIN on the site in order to confirm a request (we do this so the user's PIN is never saved in plain text on WhatsApp).
Like all forms on the site, the PIN page has a hidden CSRF token that gets submitted too. The CSRF token is generated in part with the session id, and on submission part of the validation is checking that it is for the current session.
I am seeing an issue where on some submissions of the PIN page the CSRF validation is failing due to the session id being different from the one in the initial page load request.
My guess on what is happening is that the user already has an active session with the site (let's call that session 001). They later get sent the WhatsApp link, which they click on. It looks like sometimes the browser does not send the existing session cookie (I assume due to some tightening on the SameSite policy stuff), so when the user lands on the PIN page the site sees it as a new visit and creates a new session 002. Then on submit of the form the browser sends the original "session 001" cookie. So the CSRF token was generated with "session 002", but validated against session 002.
(It's probably worth noting this is a legacy system and no SameSite policy is being explicitly set.)
I don't want to be logging session ids in production, so I can't think of a way to verify this is actually what is happening. I haven't been able to replicate this behaviour in my dev environment yet.
Does this sound like a known thing that I am just not understanding well? Any ideas on ways to work around this issue?
Sessions don't work between browser tab reloads as a conceptual model (IMO) https://developer.mozilla.org/en-US/docs/Web/API/Window/sessionStorage. In your use-case, a session is between browser tab reloads (both by refresh, hard refresh or navigation by external link) barring reloads by 'back' button presses. So in short, you need your own session UUID generator and management. Try using UUID classes implemented in most web-server platforms.
localhost may work differently due to http stipulations, although I can't figure out why this wouldn't be reproducible in localhost.
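As an added example (not code from the question or the answer above), this reproduces the suspected failure in the WhatsApp PIN flow: a CSRF token bound to one PHP session id is rejected when the form is submitted under a different one. It also shows a way to confirm the diagnosis without logging raw session ids; the secret and both session ids are constructed placeholders.

```php
<?php
// Added example; the secret and session ids below are constructed values.
$secret = 'constructed-example-secret-do-not-reuse';

// Token = HMAC over the session id, so it is only valid for that session.
function makeCsrfToken(string $secret, string $sessionId): string
{
    return hash_hmac('sha256', 'pin-form|' . $sessionId, $secret);
}

// Recompute the expected token for the session that submitted the form and
// compare in constant time.
function validateCsrfToken(string $secret, string $sessionId, string $token): bool
{
    return hash_equals(makeCsrfToken($secret, $sessionId), $token);
}

// A short keyed hash of the session id that is safe to write to logs: it lets
// you see that mint-time and validate-time sessions differ without exposing
// the id itself.
function sessionFingerprint(string $secret, string $sessionId): string
{
    return substr(hash_hmac('sha256', 'fp|' . $sessionId, $secret), 0, 12);
}

$session001 = 'sess001-existing-browser-session';   // cookie already in the browser
$session002 = 'sess002-created-on-link-click';      // created when the cookie is not sent

// Page load arrives without the old cookie, so the PIN form is rendered
// under "session 002" with a token bound to it.
$tokenInForm = makeCsrfToken($secret, $session002);
error_log('minted under ' . sessionFingerprint($secret, $session002));

// The submit carries the old "session 001" cookie instead.
$submittedUnder = $session001;
error_log('validated under ' . sessionFingerprint($secret, $submittedUnder));

if (validateCsrfToken($secret, $submittedUnder, $tokenInForm)) {
    echo "CSRF token accepted\n";
} else {
    // This branch is the production failure: same token, different session id.
    echo "CSRF token rejected: session changed between page load and submit\n";
}
```

Comparing the two fingerprints in the logs for a failing submission confirms whether the session id really differs between the two requests.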
How am I still logged in to the website when I have cleared my cookies in my browser???
I have the Firefox browser and I did the following operations.
1- First, I want to log in to a website. At first I send a request to the site, and the site checks my input fields; if they are correct, the website sends my browser a value, and the value is stored in a cookie in my browser. Then when I send the second request to the website, my browser also sends the cookie value with it, and the website gets the cookie value and compares it with the value that was stored on the first request, and if it is valid, as a result I am still logged in to the site.
2- Second, I go to the Options item in Firefox, then I go to Privacy, then I go to "Clear all current history", and I clear the contents of the clear-all-current-history dialog, including the cookies.
3- And now I go to the site and I am still logged in to the site, while I have cleared the cookies from my browser, and this is strange???
I am facing a really weird issue here.
I have two websites: **A** and **B**
**A** is the landing page (a micro website). **A** is running Joomla.
**B** - payment pages. Coded with CodeIgniter. Uses session library and stores session data in a database.
=================
Scenario:
A user visits a landing page (website A), chooses a service package and clicks buy. Then he is taken to the payment page (website B) and starts filling in his application form.
Once he is done, he is taken to a payment gateway (provided by SecureTrading) and makes a payment. After a successful payment, a user is taken back to website B, where he has to finish the last bit of his application.
Problems:
After a successful payment, the user is redirected back to website B, but for some reason all session data is lost.
When does this happen:
Session data is lost only when a user is coming from the landing page (A).
If I start filling in the application form without visiting the landing page first, everything works just fine.
Why is this happening?
How do I fix this?
Make sure in your application/config.php file you have the following setting set to this value:
$config['cookie_domain'] = ".mysite.com";
Take note of the leading ".", which denotes that the cookie domain is site-wide. This will make sure the cookie can be accessed from all sub-domains. Here is more information on how cookie domains work. You should always set up this config option, as it defaults to empty and will thus use the default cookie setting, which in most setups is not what the developer will want.
I have a problem with cookies.
Basically I'm trying to store the user's session ID as a cookie like so:
setcookie("CheckoutSessionID",session_id(),time()+3600);
This works fine on my site, the cookie has the correct value and is valid for long enough. However, my site redirects to PayPal so the user can confirm a payment. The user is then redirected back to my site. It's when the user is redirected back to my site that ALL cookie variables are gone.
As in, print_r($_COOKIE), var_dump($_COOKIE) etc have no values. This only occurs after being directed to and from PayPal.
Any ideas as to why this is happening?
Thanks in advance for all help, I'm stumped!
Okay I've been digging quite deep and realised that an earlier question of mine is related:
PHP sessions and session_start()
Basically I had problems because PHP sessions were being deleted when I went to PayPal and back. However, I believe this was actually caused by the session cookie being destroyed, not the entire session.
I also found this topic here: Do PHP sessions get lost when directing to a payment gateway?
Answer given by someone suggests using a GET request with the return URL to send data back, instead of using cookies or sessions.
The whole reason I was using a cookie in the first place was to save the user's session ID, as the sessions weren't working properly, so basically I've just made my return URL something like this:
mydomain.co.uk/mypage.php?SessionID=[session ID goes here] and then obtained it and set the user's session ID to it.
Sorted! For now... I mean I'll probably end up hitting another brick wall due to cookies/sessions not working properly.
Thanks everyone for your help :)
Actually, whatever is happening (the cookie being empty) is logically right. When you submit a page/make a request, the browser sends the cookie from the client's computer with the request, so you can find the cookie in the cookie variable.
But once you redirect the user to another external page/site and come back again to your page, you should not get the cookie in the cookie variable, because (in your case) when the user is getting back to your site from PayPal, PayPal is not submitting the cookie with the request.
In this case you can save your data in the database before you redirect the user to PayPal, and once the user comes back to your site you can retrieve that data from the database.
I had a similar problem: cookies being removed after the redirect from PayPal.
It took me a while to figure out where the problem was.
Samesite=**"Strict"** // Removes cookies after redirect from Paypal.
Samesite=**"Lax"** // does not remove cookies after redirect from Paypal.
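As an added example (not code from any post on this page), one way to set the session cookie's SameSite attribute explicitly as the answer above suggests and, because a cross-site POST back from a gateway will not carry even a Lax cookie, to key the return page on the payment id the gateway echoes back rather than on the session; the PDO connection, table and field names are assumptions.

```php
<?php
// Added example. Assumes PHP 7.3+ and a PDO connection in $pdo; the table
// "pending_payments", its columns and the POST field "payment_id" are constructed.

// 1. Set the session cookie attributes explicitly before session_start().
//    SameSite=Lax is sent on a top-level GET redirect back from the gateway,
//    Strict is not (the difference observed above). A cross-site POST back to
//    the site carries neither, so step 3 does not depend on the cookie at all.
session_set_cookie_params([
    'lifetime' => 0,
    'path'     => '/',
    'domain'   => '.mysite.com',  // leading dot: shared with sub-domains
    'secure'   => true,
    'httponly' => true,
    'samesite' => 'Lax',
]);
session_start();

// 2. Before redirecting to the gateway, persist everything the return page
//    needs, keyed by the payment id the gateway will echo back.
function storePendingPayment(PDO $pdo, string $paymentId, int $userId, array $form): void
{
    $stmt = $pdo->prepare('INSERT INTO pending_payments (payment_id, user_id, form_json) VALUES (?, ?, ?)');
    $stmt->execute([$paymentId, $userId, json_encode($form)]);
}

// 3. On the return page, look the record up by payment id instead of reading
//    $_SESSION, which may be empty or belong to a freshly created session.
function loadPendingPayment(PDO $pdo, string $paymentId): ?array
{
    $stmt = $pdo->prepare('SELECT user_id, form_json FROM pending_payments WHERE payment_id = ?');
    $stmt->execute([$paymentId]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false) {
        return null;
    }
    return ['user_id' => (int) $row['user_id'], 'form' => json_decode($row['form_json'], true)];
}

// Return-page usage. The payment id alone only selects the record; mark it
// paid and resume the user's flow only after the gateway's own confirmation
// for this id has been verified (gateway-specific, not shown here).
$pending = loadPendingPayment($pdo, (string) ($_POST['payment_id'] ?? ''));
if ($pending === null) {
    http_response_code(400);
    exit('Unknown payment');
}
```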
I have created a mobile version of a site. It uses the CodeIgniter session to store some data. This seemed okay on BlackBerry a few weeks ago, but now it is creating multiple sessions on every page and therefore it can't access the session where the data is saved. This works fine on the desktop and iPhone. The cookies are being saved on the BlackBerry. I've set it up so that it uses the database to save the data.
On every page it checks to see whether the phone is touch screen to show the page differently. There is also some other data. It's all being saved but into many sessions.
It's on a subdomain (m.domain.com), so I'm wondering if the domain name for the cookie might need to be set differently.
EDIT:
I managed to sort it out by saving the session id in a different cookie and then calling that in a query to get the info. Thank you to the person who replied.
Do you pass your session-id on every link and every form? If not, and the client doesn't accept cookies, the session will be lost on every new page load - exactly what you're describing.
EDIT: to correct that, take a look at the documentation (+ Passing the Session ID) - just add the SID constant to all your links and forms; it will automatically be empty if the browser accepts cookies, so the URL isn't that ugly for those clients.