I want to create a session-less, cookie-less shopping cart. Where should I start? I am having issues on third-party cookies with Safari (eventually Firefox too) so I cannot use sessions for my cart.
If you have issues with cookies only, you can use sessions without cookies.
Turn off cookie use with session.use_cookies=0 and session.use_only_cookies=0, and turn on trans sid with session.use_trans_sid=1. When use_trans_sid is enabled, the session ID is attached to every URL.
But it could be that you will need to manually add PHPSESSID to your links.
Related
I'm testing a new Magento site. I see each time a customer selects a product, if cookies are NOT enabled, they are unable to add a product to the cart. Searching for a solution, I found a message that can be enabled to pop up telling the customers cookies need to be enabled. That's great, but if a customer doesn't want to enable cookies, a sale is lost.
Is there a way to disable Magento from even checking if you have cookies enabled or disabled? In other words, I don't care if the customers have cookies enabled or disabled.
Or is that the way Magento is created- Meaning it was created to check cookies in order to add product(s) to cart?
In order to maintain sessions so the cart will work when cookies are not being accepted by the client, you will have to enable SID with the Use SID on Frontend setting on the System=>Configuration=>Web=>Session Validation Settings section.
This adds an SID= parameter to the URL string.
Play with the above to see if it's stable enough in your environment to do what you're attempting to do. It's normally intended for use on sites that have certain issues when switching from insecure http to secure https, or that have the secure domain on a separate domain from the insecure content domain, and is expected to be a supplement to SID cookies.
Magento expects cookies to be passed because you need to maintain state in order to have a cart remember who you are. This is done by establishing a session and then exchanging a cookie token back and forth so the customer/webserver interaction all connects together during the cookie lifetime. Things usually go south pretty quickly if you don't allow cookies to be set and you start having issues like Magento creating a new cart every time something is added to the cart, disappearing cart contents and general inability to use customer accounts.
I'm creating a session variable in one PHP page and on that page I am redirecting to an online payment portal.
After payment, the user is redirected to a payment success page on my server. Will the session variable still be valid?
The above answers are true if you are storing sessions using cookies. If cookies are disabled then a PHP_SESSION parameter will be passed in the URL. For the returning user to be able to continue using the session the payment gateway would need to redirect back with the same session hash.
As stated, if you are using the default PHP session settings then cookies should be in use and this would not be an issue. What about the users who may have cookies disabled? Your flow will break. Chances are slim and the number of users affected may be small.
I have one user portal account. I'm logging into it with two different usernames in two different tabs.
When I do a hard refresh (Ctrl+F5) in both tabs of the same user account, it opens in both tabs. That can be any username from those two. What can I do to fix this problem?
Session's mechanism uses COOKIEs. COOKIEs are shared between tabs.
If you want to log in with one browser session as two different users, you can disable storing the session ID in a cookie: PHP session without cookies.
You can also use a browser feature, Firefox's Private Browsing for example.
PHP's sessions. Basic usage.
PHP's sessions. Passing the Session ID.
You can't log in on the same website in the same browser with two different users. Better to use two different browsers.
One option would be to avoid session cookies. Add the PHPSESSID variable to the query string, or have it in the path and use URL rewriting or PATH_INFO to translate /x/y.php/925235a... etc to /x/y.php?PHPSESSID=925235a.... You can actually tell PHP to do the first for you.
Note, in order for this to work, you'll need to say something like
ini_set('session.use_cookies', false);
or the like, in your script before calling session_start(). Then PHP won't send session cookies; in most cases it will just transparently rewrite URLs in your page to include the session ID, so you get the first option for free.
The biggest drawback to this approach is that it makes your users vulnerable to an attack called "session fixation". If I hand you a URL that already has a session ID, and you click it and log in to the site, you've logged in my session for me and I can now visit the site as you. One way around that is to switch to a new session when someone logs in...but if your app is a shopping cart, it can be annoying making people log in to buy something.
Second biggest: If a user follows a link that doesn't have a session ID, PHP won't recognize them. (The user can use the "Back" button to get back to a point where they have a session ID, but that sucks usabilitywise.) You have to ensure that the session ID appears in every link or URL. Fortunately, PHP will rewrite most of them for you, but any links you generate with JS and such, you'll have to do yourself.
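The "switch to a new session when someone logs in" mitigation from the answer above, as an added example that is not part of the original answer. The helper names start_cart_session() and complete_login() and the sample values are hypothetical; session.use_strict_mode is an extra hardening setting the answer does not mention.

```php
<?php
declare(strict_types=1);

// URL-based session IDs, as in the answer above. These ini_set() calls must
// run before session_start() and before any output is sent.
ini_set('session.use_cookies', '0');
ini_set('session.use_only_cookies', '0');
ini_set('session.use_trans_sid', '1');
// Refuse session IDs the server never issued, so a planted ID is replaced.
ini_set('session.use_strict_mode', '1');

/** Hypothetical helper: open the anonymous cart session. */
function start_cart_session(): string
{
    session_start();
    $_SESSION['cart'] ??= [];
    return session_id();
}

/** Hypothetical helper: call once the credentials have been verified. */
function complete_login(string $userId): string
{
    // Issue a new ID at the privilege change. Passing true also deletes the
    // old session record, so a URL carrying the pre-login ID maps to nothing.
    session_regenerate_id(true);
    $_SESSION['user_id'] = $userId;   // the cart already in $_SESSION is kept
    return session_id();
}

// Constructed demo for php-cli: a link arrives with an ID someone else chose.
ini_set('session.save_path', sys_get_temp_dir());   // demo only
$planted = 'aaaaaaaaaaaaaaaaaaaaaaaaaa';             // constructed value
session_id($planted);

$anonymous = start_cart_session();
$_SESSION['cart'][] = 'sku-123';
$loggedIn = complete_login('alice');

printf("planted ID in use before login: %s\n", var_export($anonymous === $planted, true));
printf("ID changed at login:            %s\n", var_export($loggedIn !== $anonymous, true));
printf("cart after the switch:          %s\n", json_encode($_SESSION['cart']));
```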
I'm using a PHP session variable to keep track of cart data before checkout. I've tested multiple computers and every browser on each computer, and the session variable is maintained between the cart and checkout screen. However, on the client's computers the data disappears some of the time, and a new session is started on the new page. We've never been able to replicate the problem.
Between those two pages we move to a different directory and move from http: to https:, but in testing we've been able to keep session variables even while doing that on this site. The client also has enabled third-party cookies. I've looked at solutions for similar problems but they haven't helped.
Any help would be appreciated.
I've worked on similar projects, but we were jumping domains (example.com -> secure.example.com) for checkout. The solution we used was to push the data into cache and add the cache key to the url. This way when the user landed on secure.example.com, we could get the cache key from the querystring, lookup the data in cache, and load necessary data. With this solution you never need to worry about session alignment.
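A sketch of the cache-key handoff described in the answer above, added here as an example and not taken from the original answer. The function names, the file-based stand-in for the cache, the 300-second lifetime and the single-use rule are assumptions.

```php
<?php
declare(strict_types=1);

// File-based stand-in for a shared cache so the sketch runs anywhere.
// cache_path(), stash_cart() and redeem_cart() are hypothetical names.
function cache_path(string $token): string
{
    $dir = sys_get_temp_dir() . '/cart-handoff';
    if (!is_dir($dir)) {
        mkdir($dir, 0700, true);
    }
    return $dir . '/' . $token . '.json';
}

/** Store the cart under an unguessable key and return the key for the URL. */
function stash_cart(array $cart, int $ttlSeconds = 300): string
{
    $token = bin2hex(random_bytes(32));   // 256-bit key, unrelated to the session ID
    $record = ['expires' => time() + $ttlSeconds, 'cart' => $cart];
    file_put_contents(cache_path($token), json_encode($record), LOCK_EX);
    return $token;
}

/** Look the key up on the secure host; null for bad, expired or reused keys. */
function redeem_cart(string $token): ?array
{
    // Accept only the exact format we issue; this also keeps "../" out of the path.
    if (preg_match('/\A[0-9a-f]{64}\z/', $token) !== 1) {
        return null;
    }
    $raw = @file_get_contents(cache_path($token));
    if ($raw === false) {
        return null;
    }
    @unlink(cache_path($token));          // single use: a replayed URL finds nothing
    $record = json_decode($raw, true);
    $fresh = is_array($record) && ($record['expires'] ?? 0) >= time();
    return ($fresh && is_array($record['cart'] ?? null)) ? $record['cart'] : null;
}

// Constructed demo: example.com stashes the cart, secure.example.com redeems it.
$key = stash_cart([['sku' => 'sku-123', 'qty' => 2]]);
echo 'https://secure.example.com/checkout.php?' . http_build_query(['k' => $key]), "\n";
var_dump(redeem_cart($key));        // first use of the key
var_dump(redeem_cart($key));        // same key presented again
var_dump(redeem_cart('../../x'));   // malformed key
```

With a real cache, use an atomic get-and-delete operation so two concurrent requests cannot both redeem the same key.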
It's a PHP-based web store without user logins because all of the payments are handled via PayPal. My question is what would you guys suggest for the shopping cart - cookies, sessions, or both? I'm not too concerned with the longevity of the shopping cart's contents but I'd like for the user to be able to click around and do a few things before they commit the order. I'm leaning towards sessions because some people may still disable cookies on their machines.
PHP sessions use a cookie with the session id to track the user. I would go with sessions since it will handle all of the identification for you and make things easier and more transparent.
It is also possible to use sessions with no cookies and it will pass the session id around in the URL. That in some cases can be a security risk, but perhaps not so much in your situation.
By default, PHP sets a cookie on the visitor's browser to know which session id to use anyway, so the only real difference between the three options in the end would be how much data gets sent up to your server during the request.
That being said, you can also use sessions without cookies by making sure to add ?session_id={session_id();} to all of your internal links and the following to the beginning of every page:
// Reuse the session ID passed in the query string, if there is one.
if (isset($_GET['session_id'])) {
    session_id($_GET['session_id']);
}
session_start();
So, recommend using sessions.