Session being unexpectedly destroyed - PHP

I have built an e-commerce site that stores session variables for various uses, but the session is being unexpectedly destroyed and I can't work out why.
The session is destroyed when a user is redirected back to my site after completing a PayPal or SecurePay payment, but it only happens once: only the first time they complete a payment each day, if that makes sense. For example, if the same user comes back an hour later and purchases something else, the session is not destroyed when they are redirected back to my website after completing the second payment; it works as intended.
Even when I am testing on a non-live payment gateway such as the sandbox, it destroys the session when redirecting back to my website, but only the first time; as soon as I make another test payment it works fine, until the next morning when I try again and it destroys the session again, and so on.
I also now have an SSL certificate for my website, as I had read that the session could be destroyed because of redirecting from https:// to http://. But having SSL makes no difference; the session is still being destroyed.
There is also absolutely no code to destroy the session on either of my PayPal or SecurePay return URLs.
Does anyone know what might be causing this?

Related

Do session variables still exist after a purchase through Stripe's site?

I'm writing a website where the user logs in through conventional means. The login creates session variables so the site knows if and who is logged in.
There are products on the site that are sold through Stripe. For ease I'm using Stripe's payment links: you click a link on my site, it visits Stripe's site to enter card details, then returns to mine on checkout success.
My question is this: are the session variables guaranteed to survive that diversion, so the user is still logged in when their payment is successful and they've been to Stripe and back, or should I pass the customer ID etc. through the payment process and recreate all the session variables once they arrive on the success page?
Yes and no...
The important thing to remember is that HTTP is completely stateless - every request is completely independent of any previous ones. As far as the web server is concerned, every time the user loads a new page that's equivalent to them "going away and coming back". Sessions work by telling the browser to associate a cookie with a particular domain, and then using that cookie to recognise that two requests came from the same user. As long as that cookie is still there, it doesn't matter if the user has visited another site in between, or opened a new browser window, or whatever.
However, it's a good idea to plan for what will happen if the cookie isn't there when they come back: customers tend to get very annoyed if you take the payment but don't complete the order. Another scenario to consider is that the payment completes but for whatever reason the user doesn't get redirected back at the end of the payment process (I've had this happen with malfunctioning security software on the user's PC, for instance).
A good approach if you can manage it is therefore to create a "pending" order in your system, with all the details of who was logged in and what they were trying to buy. Then you have a single ID you can pass through Stripe and receive for a successful payment. If the session disappears, you still know which order to confirm; and if orders get stuck in "pending" status for a long time, you can check in Stripe if a payment was actually made, and sort the order out manually.
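The "pending order" approach described in the answer above, as an added example that is not part of the original answer and is not Stripe's or PayPal's own code. It assumes a PDO/SQLite database (in-memory here so it runs offline), a hypothetical base URL for the shop, and that the payment provider echoes an opaque order token back on the return URL. The token, not the PHP session, is what ties the returning visitor to the order, so the success page works even if the session cookie did not survive the round trip; marking an order paid is still only done after a server-side confirmation (webhook, IPN, or an API lookup), never just because someone arrived at the success URL.

```php
<?php
// Added example (not from the original answer): the "pending order" pattern.
// Assumptions: the pdo_sqlite extension, a constructed in-memory database,
// and a hypothetical shop base URL. Nothing here is a payment provider's code.
declare(strict_types=1);

function openDb(): PDO {
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE orders (
        token TEXT PRIMARY KEY, user_id INTEGER NOT NULL,
        cart_json TEXT NOT NULL, status TEXT NOT NULL,
        created_at INTEGER NOT NULL, provider_ref TEXT)');
    return $db;
}

// Step 1: before redirecting, persist who is buying what. The token is random
// and opaque so the return URL does not carry a guessable sequential order id.
function createPendingOrder(PDO $db, int $userId, array $cart): string {
    $token = bin2hex(random_bytes(16));
    $stmt = $db->prepare('INSERT INTO orders (token, user_id, cart_json, status, created_at)
                          VALUES (?, ?, ?, ?, ?)');
    $stmt->execute([$token, $userId, json_encode($cart), 'pending', time()]);
    return $token;
}

// Step 2: the only thing that has to survive the round trip is the token.
function buildReturnUrl(string $baseUrl, string $token): string {
    return $baseUrl . '/checkout/success?order=' . rawurlencode($token);
}

// Step 3: mark the order paid from the webhook/IPN handler or after a
// server-side lookup. Returns false for an unknown token or a repeat call,
// so a replayed or duplicated confirmation cannot "pay" an order twice.
function markOrderPaid(PDO $db, string $token, string $providerRef): bool {
    $stmt = $db->prepare("UPDATE orders SET status = 'paid', provider_ref = ?
                          WHERE token = ? AND status = 'pending'");
    $stmt->execute([$providerRef, $token]);
    return $stmt->rowCount() === 1;
}

// Step 4: the success page needs no live PHP session: the token identifies the
// order and the order identifies the user who placed it.
function loadOrder(PDO $db, string $token): ?array {
    $stmt = $db->prepare('SELECT * FROM orders WHERE token = ?');
    $stmt->execute([$token]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Step 5: reconciliation job for orders stuck in 'pending', to be checked
// against the provider and sorted out by hand.
function stalePendingOrders(PDO $db, int $olderThanSeconds): array {
    $stmt = $db->prepare("SELECT token, user_id, created_at FROM orders
                          WHERE status = 'pending' AND created_at < ?");
    $stmt->execute([time() - $olderThanSeconds]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Walk-through on constructed data.
$db    = openDb();
$token = createPendingOrder($db, 42, ['sku-1001' => 2]);
echo buildReturnUrl('https://shop.example', $token), PHP_EOL;
var_dump(markOrderPaid($db, $token, 'ref_constructed'));   // first confirmation
var_dump(markOrderPaid($db, $token, 'ref_constructed'));   // duplicate confirmation
print_r(loadOrder($db, $token));
print_r(stalePendingOrders($db, 3600));
```

The success page should read the token from the query string, call loadOrder(), and show the order's current status; if the status is still pending, tell the customer the payment is being confirmed rather than failing, since the webhook can arrive after the redirect.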

Session being closed unexpectedly?

I have a problem with what seems like the session timing out and being destroyed, though I currently do not have it set to expire after a certain amount of time, nor do I destroy the session anywhere in the code.
Here's what happens in detail.
It's an e-commerce site I have 90% built, which also has two payment gateways (PayPal and SecurePay).
First of all, I only have this problem when the website is uploaded to the web host (GoDaddy); I haven't experienced this issue using localhost.
The issue:
I can use my site, everything functioning normally; I can choose products and check out successfully through both payment gateways without issue.
When I am finished for the day I'll close the browser as per normal.
The next morning I will again open the browser and navigate to my site. The website has still retained all the session information and I can navigate to all my pages without issue, including my shopping cart (my shopping cart especially relies on session data to work).
The first time I go to check out, with either payment gateway, everything functions fine until the payment gateway navigates back to my return URL, where the session is somehow destroyed: all the session data is gone and I am logged out.
This only occurs once, specifically the first time I test the check-out process after a long period of inactivity. Once I log back in after the session is destroyed, the issue does not appear to happen again, until the next morning.
I would also like to add that the return URLs are quite different for each payment gateway: the PayPal return URL is a page where the order is still being processed and the user can change shipping methods and rates, while SecurePay returns to a page where the transaction is complete and an invoice is generated. The result is the same, though, and the session is destroyed when returning from either payment gateway to the return URL.
To fix this I was just going to expire the session after 1 hour of inactivity. But I'm curious why the session would be destroyed only after returning from the payment gateway and not as soon as the page is opened after such a period of inactivity?

Will a user's PHP session persist if they navigate away from the site and back?

I'm creating a session variable in one PHP page and on that page I am redirecting to an online payment portal.
After payment, the user is redirected to a payment success page on my server. Will the session variable still be valid?
The above answers are true if you are storing sessions using cookies. If cookies are disabled then a PHP_SESSION parameter will be passed in the URL. For the returning user to be able to continue using the session, the payment gateway would need to redirect back with the same session hash.
As stated, if you are using the default PHP session settings then cookies should be in use and this would not be an issue. What about users who may have cookies disabled? Your flow will break. Chances are slim and the number of users affected may be small.
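An added example, not part of the answer above: the php.ini session settings that decide whether a session cookie survives a trip to a payment gateway and back, and the ones that govern the URL fallback the answer mentions. Whether the session id is ever accepted from the URL depends on session.use_only_cookies and session.use_trans_sid (both default to cookie-only in current PHP); a session id in the URL leaks through Referer headers and shared links and enables session fixation, so the hardened settings keep it off and enable session.use_strict_mode. The same list is what to check when a session vanishes only on the redirect back from a gateway, as in the questions above: a Secure cookie is not sent to an http:// return URL, and a SameSite=Strict cookie is withheld on every cross-site navigation, while Lax allows a top-level GET return but not a cross-site POST. sessionCookieFindings() and hardenSessionCookie() are hypothetical helper names; the configuration array below is constructed.

```php
<?php
// Added example (not the page's code). Audits the session-cookie settings that
// matter for a checkout round trip, then shows the hardened settings applied
// before session_start(). Helper names are assumptions; data is constructed.
declare(strict_types=1);

// ini_get() reports booleans as "1"/"0"/"" depending on how php.ini spelt them.
function iniOn($value): bool {
    return in_array(strtolower((string) $value), ['1', 'on', 'true', 'yes'], true);
}

// Reads the live values so the checker can be run on a real server.
function liveSessionIni(): array {
    $keys = ['session.use_only_cookies', 'session.use_trans_sid', 'session.use_strict_mode',
             'session.cookie_secure', 'session.cookie_httponly', 'session.cookie_samesite',
             'session.cookie_domain', 'session.gc_maxlifetime'];
    $out = [];
    foreach ($keys as $k) {
        $out[$k] = ini_get($k);
    }
    return $out;
}

function sessionCookieFindings(array $ini, bool $returnUrlIsHttps): array {
    $f = [];
    // URL fallback: the ?PHPSESSID= form leaks the id and enables fixation.
    if (!iniOn($ini['session.use_only_cookies'] ?? '1')) {
        $f[] = 'session.use_only_cookies is off: session id accepted from the URL';
    }
    if (iniOn($ini['session.use_trans_sid'] ?? '0')) {
        $f[] = 'session.use_trans_sid is on: session id rewritten into links and forms';
    }
    // Strict mode rejects ids the server never issued (session fixation defence).
    if (!iniOn($ini['session.use_strict_mode'] ?? '0')) {
        $f[] = 'session.use_strict_mode is off: client-supplied uninitialised ids are accepted';
    }
    // Secure cookies are never sent over plain http://.
    $secure = iniOn($ini['session.cookie_secure'] ?? '0');
    if ($secure && !$returnUrlIsHttps) {
        $f[] = 'session.cookie_secure is on but the return URL is http://: cookie will not be sent';
    }
    if (!$secure && $returnUrlIsHttps) {
        $f[] = 'site is https but session.cookie_secure is off: cookie also travels in clear';
    }
    // SameSite decides whether the browser attaches the cookie when the
    // gateway's site navigates the user back to yours.
    $sameSite = strtolower((string) ($ini['session.cookie_samesite'] ?? ''));
    if ($sameSite === 'strict') {
        $f[] = 'session.cookie_samesite=Strict: cookie withheld on the redirect back from the gateway';
    } elseif ($sameSite === 'lax') {
        $f[] = 'session.cookie_samesite=Lax: sent on a GET return, withheld if the gateway POSTs back';
    }
    if (!iniOn($ini['session.cookie_httponly'] ?? '0')) {
        $f[] = 'session.cookie_httponly is off: cookie readable by page script';
    }
    // Informational: server-side data is garbage-collected after this many
    // seconds of inactivity regardless of the cookie.
    $f[] = 'session.gc_maxlifetime=' . ($ini['session.gc_maxlifetime'] ?? '(default)');
    return $f;
}

// Hardened settings for a checkout that must survive a cross-site return.
// Lax is enough for a GET return URL; use 'None' (which browsers only honour
// together with Secure) only if the gateway POSTs back, and then protect
// state-changing requests with CSRF tokens since SameSite no longer does.
function hardenSessionCookie(string $sameSite = 'Lax'): void {
    ini_set('session.use_only_cookies', '1');
    ini_set('session.use_trans_sid', '0');
    ini_set('session.use_strict_mode', '1');
    ini_set('session.cookie_httponly', '1');
    ini_set('session.cookie_secure', '1');
    ini_set('session.cookie_samesite', $sameSite);
}

// Constructed configuration: a shared host with Strict set and strict mode off.
$sample = [
    'session.use_only_cookies' => '1',
    'session.use_trans_sid'    => '0',
    'session.use_strict_mode'  => '0',
    'session.cookie_secure'    => '1',
    'session.cookie_httponly'  => '1',
    'session.cookie_samesite'  => 'Strict',
    'session.gc_maxlifetime'   => '1440',
];
foreach (sessionCookieFindings($sample, false) as $finding) {
    echo $finding, PHP_EOL;
}
```

On a live server, call sessionCookieFindings(liveSessionIni(), $isHttps) from a diagnostic script; hardenSessionCookie() must run before session_start() on every page, or the cookie attributes will differ between pages.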

delete session variables when session id is known but not able to start session

I am having a problem with the way I am trying to delete some session variables when dealing with PayPal and IPN. Specifically, I want to have someone logged in (or not) at my online retail store, go through my cart, get redirected to PayPal for payment, and then get redirected back to my site.
I have been using PayPal IPN to get PayPal to notify me when the payment is complete, and I can direct the user back to my site where the session can be started again, but I want to be able to unset the cart (but not the entire session, in case they are logged in) as soon as the payment is complete. This would be to cover my bases in case the user does not land back on the payment-completed page on my site but gets back to the site on a different page.
The problem is that although I am getting the same session ID both at the last shipping-info page on my site before going to PayPal and on the landing page back on my site from PayPal when the payment is completed, I cannot access this session in my IPN script that runs on my site in response to PayPal. I am running session_start() on each of these three pages, but when I email or post on the shipping-method page and the payment-complete landing page I get the same session ID. When I email myself the result of session_id() in my IPN script, I get nothing.
I could kill the cart before going to PayPal, but what if they wanted to go back and change things? I could kill the cart on the landing page, but what if they get to a different page somehow? I would really like to destroy the cart but not the entire session right when I get payment confirmation, but I am not sure how. I have tried this on my IPN page:
<?php
session_start();
$a = session_id();
// Report which session this request is running in.
mail("webmaster@mysite.com", "ipn session id 0", $a, "From: webmaster@mysite.com");
// results in a blank email, unlike in other locations on actual displayed pages

// Unset all of the session variables.
$_SESSION = array();
// Delete the session cookie to kill the session.
if (isset($_COOKIE[session_name()])) {
    setcookie(session_name(), '', time() - 42000, '/');
}
// Finally, destroy the session.
session_destroy();

// Note: by this point $_SESSION is already empty and the session destroyed,
// so these unset() calls have nothing left to remove.
unset($_SESSION['cart']);
unset($_SESSION['product_id_array']);
unset($_SESSION['pp_checkout_btn']);
unset($_SESSION['state']);
unset($_SESSION['total']);
unset($_SESSION['shipping']);
unset($_SESSION['grand_total']);
but when I go back to the view-cart page, it is still there. Any ideas would be greatly appreciated. If any more specific code would help, let me know and I will post it.
The PayPal IPN call is made by PayPal and is server-to-server only. You also don't know when that IPN call is coming. Usually they happen within seconds, but they can come much later. If the IPN call fails, they will retry for some time. You cannot do anything related to the user's session in the IPN. Each user has its own session and you can't edit anyone else's. In this situation, your user has a session, and PayPal (the IPN call) gets its own session.
You'll have to clear the session variables on the return to your site after successful payment. It's not foolproof - there are possibilities that the cart still won't be cleared, but this is pretty much the only way to do it.

How to expire sessions after a certain amount of time in PHP?

I need all active sessions to be destroyed when I call a certain function. This function, when called, needs to destroy all sessions NOT immediately but after exactly 30 seconds. Even if the user leaves the page where the session was called before the 30 seconds, his browser should still be cleared of all sessions so when he comes back to the site none of those sessions will be active.
Is this possible? If so how would one go about writing such a function?
EDIT
As for why I need this, I have a shopping cart script that when submitted takes the user to PayPal to process payment. If I destroy all sessions when the submit button on that payment form is clicked, I can't pass all the form data on to PayPal. If I don't destroy all sessions, when the user comes back to the site the shopping cart is still filled with the contents he purchased before.
I need the cart to be empty when the user comes back. I figured 30 seconds will give the user ample time to go to the paypal page by which point my cart script has already sent all necessary info to paypal. And then destroying all sessions is safe without fearing disruption to service.
So what I need is sort of a timer script that will work on the server side and will destroy the sessions even when the user is no longer on that page.
See http://bytes.com/topic/php/answers/4134-when-how-php-session-expire-can-i-set-minutes-inactivity
Ok, so never mind my harebrained sleep() approach.
Set a flag in the session, before you send them over to paypal. Check this flag and clear the session/cart if it's set.
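An added example, not the answers' own code, implementing the approach from this answer and from the IPN answer above it: set a flag in the session before sending the user to PayPal, and clear the cart (but not the login) when they come back, on whichever page they land. Instead of a 30-second timer it ties the clearing to the order having been confirmed paid in the order store, which is where the server-to-server IPN handler can write since it has no access to the user's session. The functions work on a session array passed by reference so the walk-through runs without a web server; in production pass $_SESSION. The key names (cart, checkout_pending, user) and the helper names are assumptions, and the order store is a constructed array standing in for a database.

```php
<?php
// Added example (not from the original answers). Flag-based cart clearing
// that keeps the login. Key names and helpers are assumptions; data below is
// constructed. In production, pass $_SESSION as $session.
declare(strict_types=1);

const CART_KEYS = ['cart', 'product_id_array', 'pp_checkout_btn', 'state',
                   'total', 'shipping', 'grand_total'];

// Called just before the redirect to the gateway: remember which order the
// cart was sent off for and when. The cart itself stays, so a user who backs
// out of the gateway can still edit it.
function markCheckoutStarted(array &$session, string $orderToken, int $now): void {
    $session['checkout_pending'] = ['order' => $orderToken, 'started_at' => $now];
}

// Remove only the cart-related keys; login state ('user' here) survives.
function clearCartKeepLogin(array &$session): void {
    foreach (CART_KEYS as $k) {
        unset($session[$k]);
    }
    unset($session['checkout_pending']);
}

// Run at the top of every page, not only the return URL, so a user who lands
// anywhere on the site after paying still gets an empty cart. $isOrderPaid
// consults the order store the IPN/webhook handler updates.
function settleCheckoutFlag(array &$session, callable $isOrderPaid,
                            int $now, int $graceSeconds = 3600): string {
    if (!isset($session['checkout_pending'])) {
        return 'no-checkout';
    }
    $flag = $session['checkout_pending'];
    if ($isOrderPaid($flag['order'])) {
        clearCartKeepLogin($session);
        return 'cleared-paid';
    }
    if ($now - $flag['started_at'] > $graceSeconds) {
        // Outcome unknown after the grace period: keep the cart the customer
        // may still want, but drop the stale flag so it is not checked forever.
        unset($session['checkout_pending']);
        return 'flag-expired';
    }
    return 'awaiting-payment';
}

// Constructed walk-through. $paidOrders stands in for the order table that a
// real IPN handler would update server-side.
$paidOrders = [];
$isPaid = function (string $token) use (&$paidOrders): bool {
    return isset($paidOrders[$token]);
};

$session = ['user' => ['id' => 42], 'cart' => ['sku-1001' => 2], 'total' => '19.90'];
markCheckoutStarted($session, 'tok_constructed', 1000);

echo settleCheckoutFlag($session, $isPaid, 1010), PHP_EOL;   // user back before IPN
$paidOrders['tok_constructed'] = true;                       // IPN confirms payment
echo settleCheckoutFlag($session, $isPaid, 1020), PHP_EOL;   // next page load
echo isset($session['cart']) ? 'cart still present' : 'cart cleared', PHP_EOL;
echo isset($session['user']) ? 'still logged in' : 'logged out', PHP_EOL;
```

The cart is removed only after the order store says the payment went through, so a customer who abandons the gateway keeps their cart, and a customer who pays but never reaches the success page still sees an empty cart on the next page they open.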
