I have a problem with what seems like a session timing out and being destroyed, though I currently do not have it set to expire after a certain amount of time, nor do I have the session destroyed anywhere in the code.
Here's what happens in detail.
It's an e-comm site I have 90% built, which also has two payment gateways (PayPal and SecurePay).
First of all, I only have this problem when the website is uploaded to the web host (GoDaddy); I haven't experienced this issue using localhost.
The issue:
I can use my site, everything functioning normally; I can choose products and check out successfully through both payment gateways without issue.
When I am finished for the day I'll close the browser as per normal.
The next morning I will again open the browser and navigate to my site. The website has still retained all the session information and I can navigate to all my pages without issue, including my shopping cart (my shopping cart especially relies on session data to work).
During the first time I go to check out, with either payment gateway, everything functions fine until the payment gateway navigates back to my returnURL, where the session is somehow destroyed, all the session data is gone and I am logged out.
This only occurs once, specifically the first time I test the check-out process after a long period of inactivity. As I log back in after the session is destroyed, the issue does not appear to happen again, until the next morning.
I would also like to add that the return URLs are quite different for each payment gateway: the PayPal returnURL is a page where the order is still being processed and the user can change shipping method rates, while SecurePay returns to a page where the transaction is complete and an invoice is generated. The result is the same, though, and the session is destroyed when returning from either payment gateway to the return URL.
To fix this I was just going to expire the session after 1 hour of session inactivity. But I'm curious why the session would be destroyed only after returning from the payment gateway and not as soon as the page is opened after such a period of inactivity?
I'm writing a website where the user logs in through conventional means. The login creates session variables so the site knows if and who is logged in.
There are products on the site that sell through Stripe. For ease I'm using Stripe's payment links. So you click a link on my site, it then visits Stripe's site to enter card details, then back to mine on checkout success.
My question is this: Are the session variables guaranteed to stay through that diversion so the user is still logged in when their payment is successful and they've been to Stripe and back or should I pass the customer id, etc. through the payment process and recreate all the session variables again once they arrive on the success page?
Yes and no...
The important thing to remember is that HTTP is completely stateless - every request is completely independent of any previous ones. As far as the web server is concerned, every time the user loads a new page that's equivalent to them "going away and coming back". Sessions work by telling the browser to associate a cookie with a particular domain, and then using that cookie to recognise that two requests came from the same user. As long as that cookie is still there, it doesn't matter if the user has visited another site in between, or opened a new browser window, or whatever.
However, it's a good idea to plan for what will happen if the cookie isn't there when they come back: customers tend to get very annoyed if you take the payment but don't complete the order. Another scenario to consider is that the payment completes but for whatever reason the user doesn't get redirected back at the end of the payment process (I've had this happen with malfunctioning security software on the user's PC, for instance).
A good approach if you can manage it is therefore to create a "pending" order in your system, with all the details of who was logged in and what they were trying to buy. Then you have a single ID you can pass through Stripe and receive for a successful payment. If the session disappears, you still know which order to confirm; and if orders get stuck in "pending" status for a long time, you can check in Stripe if a payment was actually made, and sort the order out manually.
I am working on an e-commerce test website.
On my checkout page the session is on and works fine.
After checkout, it redirects to the PayU Money gateway website for payment.
After payment it redirects to my e-commerce website. Now my session gets destroyed.
It shouldn't be destroyed unless the user logs out from the website.
It is not a problem with my code, because it is redirecting to my website from the PayU website, but the session automatically gets destroyed.
I have a solution; after implementing it on the e-commerce site I can say it actually happens:
1. Just store information like transation_id, user_id and status.
2. The response will return the transation_id, so we can easily handle it by transation_id and status.
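The "pending order" approach from the Stripe answer above, which the two steps just listed also describe, as an added example (not code from any of the posts). The table layout, function names and status strings are assumptions made for illustration, and an in-memory SQLite database stands in for the shop's real one.

```php
<?php
declare(strict_types=1);

// Constructed schema in an in-memory SQLite database (assumption, not from the page).
function openStore(): PDO {
    $pdo = new PDO('sqlite::memory:');
    $pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $pdo->exec('CREATE TABLE orders (
        ref TEXT PRIMARY KEY, user_id INTEGER NOT NULL, amount_cents INTEGER NOT NULL,
        status TEXT NOT NULL, created_at INTEGER NOT NULL)');
    return $pdo;
}

// Called while the user is still logged in, just before redirecting to the gateway.
function createPendingOrder(PDO $pdo, int $userId, int $amountCents): string {
    $ref = bin2hex(random_bytes(16)); // unguessable reference, cannot be enumerated
    $pdo->prepare('INSERT INTO orders VALUES (?, ?, ?, ?, ?)')
        ->execute([$ref, $userId, $amountCents, 'pending', time()]);
    return $ref;
}

// Called from the return URL or a gateway notification; reads nothing from $_SESSION.
// $paidCents must be the amount the gateway reports, not a value the browser supplies.
function confirmOrder(PDO $pdo, string $ref, int $paidCents): string {
    $stmt = $pdo->prepare('SELECT amount_cents, status FROM orders WHERE ref = ?');
    $stmt->execute([$ref]);
    $order = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($order === false) return 'unknown-order';
    if ($order['status'] === 'paid') return 'already-paid'; // repeated callback
    if ((int)$order['amount_cents'] !== $paidCents) return 'amount-mismatch';
    $upd = $pdo->prepare("UPDATE orders SET status = 'paid' WHERE ref = ? AND status = 'pending'");
    $upd->execute([$ref]);
    return $upd->rowCount() === 1 ? 'paid' : 'already-paid';
}

// Orders stuck in "pending" longer than $maxAge seconds, for manual checking at the gateway.
function stalePending(PDO $pdo, int $maxAge): array {
    $stmt = $pdo->prepare("SELECT ref FROM orders WHERE status = 'pending' AND created_at < ?");
    $stmt->execute([time() - $maxAge]);
    return $stmt->fetchAll(PDO::FETCH_COLUMN);
}

$pdo = openStore();
$ref = createPendingOrder($pdo, 42, 1999); // constructed user id and amount
echo confirmOrder($pdo, $ref, 1999), "\n";             // first confirmation
echo confirmOrder($pdo, $ref, 1999), "\n";             // same callback delivered twice
echo confirmOrder($pdo, 'not-a-real-ref', 1999), "\n"; // reference that was never issued
```

Because the order row carries the user id, the success page can identify the buyer from the reference alone, whether or not the session cookie survived the trip to the gateway.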
Before starting your session, maybe try this:
// 1 week = 604800 seconds
// server should keep session data for exactly (or at least) 1 week
ini_set('session.gc_maxlifetime', 604800);
// each client should remember their session id for EXACTLY 1 week
session_set_cookie_params(604800);
session_start(); // start the session
I have an ecommerce shop online using PHP, SQL, JavaScript, AJAX and sessions.
I have both guest and members cart options at checkout.
Everything works fine.
I store my cart items in a session currently.
Users can log in or have a guest cart.
Guest carts' user IDs are referenced by the current session ID.
Members can log in and their carts are referenced by their user IDs from the database.
The problem is, the session expires after a certain amount of time and so the cart items are lost and the user has to start again.
On doing some research I have found that after the user logs in, I can store his user id in a cookie and I can specify how long that cookie lasts for which is ideal!
I am thinking of changing the code so that I store the items added to the cart in my database tables and simply reference them with the user ID I've stored in his cookie.
That way he can shop for ages and not lose his cart, and I can send abandoned cart emails etc.
I think this would work well as nearly every website uses cookies, so people have to have them enabled in their browser these days. I could show a warning message if cookies aren't enabled anyway.
What does everyone think about this?
Please note I am not seeking security advice here.
I haven't implemented this as yet - I'm really looking to see if I can set my session lifetime to last a few hours/days instead.
I see your problem with Guest checkout and normal checkout after login.
You can go and use cookies rather than using sessions for this.
Cookies have the setcookie() function with the time() method.
You can set an Expiry time for that.
Go and use, it can help you
I have built an e-comm site that stores session variables for various uses, though the session is being unexpectedly destroyed and I can't work out why.
The session is being destroyed when a user is redirected back to my site after completing a PayPal payment or a SecurePay payment, but it only happens once, only the first time the user completes a payment each day, if that makes sense. For example, if the same user comes an hour later and purchases something else, when the user is redirected back to my website after completing the second payment the session is not destroyed; it works as intended.
Even when I am testing on a non-live payment gateway such as sandbox it will destroy the session when redirecting back to my website, but only the first time. As soon as I make another test payment it will work fine, until the next morning when I try again and it will destroy the session again, etc.
I also now have an SSL certificate for my website, as I had read that it could have been destroyed because it's redirecting from HTTPS:// to HTTP://. But having the SSL makes no difference; the session is still being destroyed.
There is also absolutely no code to destroy the session on either of my PayPal or SecurePay returnURLs.
Does anyone know why it might be causing this?
I need all active sessions to be destroyed when I call a certain function. This function when called needs to destroy all sessions NOT immediately but after exactly 30 seconds. Even if the user leaves the page where the session was called before the 30 seconds, his browser should still be cleared of all sessions so when he comes back to the site none of those sessions will be active.
Is this possible? If so how would one go about writing such a function?
EDIT
As for why I need this, I have a shopping cart script that when submitted takes the user to PayPal to process payment. If I destroy all sessions when the submit button on that payment form is clicked, I can't pass all the form data on to PayPal. If I don't destroy all sessions, when the user comes back to the site the shopping cart is still filled with the contents he purchased before.
I need the cart to be empty when the user comes back. I figured 30 seconds will give the user ample time to go to the paypal page by which point my cart script has already sent all necessary info to paypal. And then destroying all sessions is safe without fearing disruption to service.
So what I need is sort of a timer script that will work on the server side and will destroy the sessions even when the user is no longer on that page.
See http://bytes.com/topic/php/answers/4134-when-how-php-session-expire-can-i-set-minutes-inactivity
OK, so never mind my harebrained sleep() approach.
Set a flag in the session, before you send them over to paypal. Check this flag and clear the session/cart if it's set.