I have some information stored in $_SESSION; the session is stored in the database through a custom session handler.
Is there a standard way to either 'impersonate' a session having a session id or clear specific variables from another session.
I am asking about this because I have my web application, with its session variables, working on its own; this is an actual shopping cart with order information using PayPal. PayPal returns a response to a payment through IPN (Instant Payment Notification), which are requests made from their server to my site. Those requests, of course, initiate their own sessions.
What I want to find is a way to clear the original session variable from the paypal notification request that sees a different session. Is there a way to do that?
One idea might be to manually edit the database in which the session data is stored, but I want to look for something standard, regardless of the session handlers.
If you've found yourself needing to edit data in someone else's session, you shouldn't be storing that data in a session to begin with.
If you need to read or otherwise work with the IPNs, perhaps you should store them in the database in an actual table. You can associate the row with the user's session ID, or preferably with their login or email address.
Sessions work because of browser cookies. If you remove the cookie, it will create a new session. If you change your cookie to one for another session, you're now impersonating that session.
You can use Chrome's developer tools, or the Web Developer Firefox addon, to get easy access to your browser's cookies.
Did you try creating a session array and giving an id to it?
Like this:
$_SESSION['ipn'] ="";
$_SESSION['ipn']= "Mescalito";
This shouldn't be necessary in the first place.
I'm fairly sure you can specify a unique job ID in the IPN. Use that unique ID to find out which user the notification belongs to, and edit their data. Don't fiddle with sessions for this, it's bad design.
Related
I am working on an Android app that gets user data from the Android device and then puts it on the server, e.g. user name, password and email for registration purposes; the user then logs in to access the app menu (to see the list of products, search for products and add his/her own product details to the list). So using cookies and sessions would be a good idea for my app. Cookies can be blocked by the user, and with sessions the user has to log in every time to get access.
But as I am totally new to the concept of cookies and sessions, it would be good to ask a question here before I start: which one should I use, cookies or sessions?
The user cannot block cookies. Cookies are simply headers that you will send in each request.
Cookies are easier to handle on the server side. You will simply use $_SESSION["variable"] to get/set any variable for the user. It will simplify your life on the server. However, I think the main drawback will be maintainability and administration of sessions. For example, if a user logs in again on a different device and you want the first session to be invalidated, it is not very straightforward.
If you want to use sessions, you will probably save them in a table on some database. You will need to fetch the session details when you need them. This is sort of extra effort. Yet, database sessions provide some kind of administration capabilities straight away.
I prefer database sessions for what is stated above and some other reasons. However, it is up to you.
I want to get some user info using an HTML form. After submission, the user input is stored in a session and the user is redirected to PayPal to perform the payment operation. After the payment validation, the user is redirected again to the website and the input is stored in a database table.
The problem is : session variables are lost after the redirection to the website.
Any one for help?
Thank you.
That's a bad idea. Just because the user arrives on the target page doesn't mean they got there after being sent by PayPal. They can even spoof the Referer header to make it look like they did.
Instead, save their information BEFORE sending them to PayPal, then use PayPal's IPN system to update it and mark it as paid for.
From the PHP manual, session_start gets the session id from GET, POST, or cookie. It sounds like you're using cookies. To use cookies for sessions, you need to call session_start before sending anything to the browser. If this isn't the problem, a workaround would be to set the session id as a GET parameter and load the session based on that in the return page.
http://php.net/manual/en/function.session-start.php
I am developing an e-commerce website. The user logs in and buys a product; when he checks out, the page redirects to the payment gateway. After the payment is completed it returns to my website. This is OK. But when it returns, the session maintained on my website gets lost. This happens only the first time. If the user logs in again and checks out, the process works fine and the session is maintained.
Why does the session get lost the first time?
I used session_start() in all the pages.
I cannot find the solution. Kindly help.
Why don't you use JavaScript? You can create a cookie to store your incoming members' data.
With jQuery and the cookie plugin you can do this very easily; of course you must have the member log in to create this data. Some useful links:
http://www.jquery.com/
http://plugins.jquery.com/project/Cookie
http://www.electrictoolbox.com/jquery-cookies/
Why does the session get lost the first time?
That's hard to tell because there is not much information in your question.
Normally a session gets lost if the session identifier (or session ID for short) is not passed from one request (page) to the other.
Please see the PHP manual for how the session ID can be passed. You need to take care with your code, for example that the cookie is properly set. If the session cookie is not set, the session id will be gone and session_start will create a new session.
I am looking for insights into how to destroy a specific session in PHP. Through a partner website a user logs into the main website using a token and obtains a full session.
It is also possible for the partner website to call a destroy function if the user logs out from the partner website. We should then also log out our own user.
What is the best approach to this? The Zend_Session destroy method does not accept a parameter, and neither does the PHP function session_destroy.
I am considering two options:
Removing the session information directly from file/memcache but would prefer a "cleaner" approach than this.
Checking at every page request if this is a "token" user, and if so checking whether their token has expired by maintaining a list. This adds overhead to a busy website, but might be my only option.
Or is there a third / better approach I am not seeing?
There's no need to roll-your-own session handling.
session_id() can take a parameter, the session id you want to work with.
So, when you pass the user off to the partner site, pass along their session_id (or some token, or whatever).
Then allow the partner site to hit a script like this:
kill-user-session.php
<?php
/**
 * Destroy any active session identified by $_POST['sid']
 */
if (!isset($_POST['sid']) || !preg_match('/^[A-Za-z0-9,-]{1,256}$/', $_POST['sid'])) {
    http_response_code(400); // not a well-formed session id: reject it before it reaches the handler
    exit;
}
session_id($_POST['sid']);
session_start();   // required: session_destroy() only acts on an active session
session_destroy(); // destroys that session.
So when the user logs out on the partner site, the partner site POSTs the session_id (that you gave them) to your kill-user-session script, and the user's session is destroyed on your server.
Of course, you probably want to limit access to kill-user-session.php via some method or another.
If you wish to be able to 'kick' the sessions of a user (or users), the only way you can do it is if you use MySQL (or some other DB, even SQLite) for your session storage.
Then you can simply remove entries from the DB to kill a session.
This also allows you to do things such as 'take control' of a specific user's session and other stuff :)
See this for a very basic run through: http://www.devshed.com/c/a/MySQL/Custom-Session-Management-Using-PHP-and-MySQL/ (not the best example but good enough full example to start you).
EDIT
Also, for logging out through the partner site, another method I have used in the past (with O2 and other such sites) was that they were given a 'callback' (a REST API call in most cases) which they would also need to call when the user logs out of their site.
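Putting the two answers above together (session_id() plus session_start() to address another session by ID, and database storage so a session row can be found and removed), here is an added example that is not code from this thread. It also covers what the original question asked for, clearing one specific variable from another session rather than destroying it. It assumes PHP 8.1+, SQLite through PDO, and a table named "sessions"; the class and function names are ours.

```php
<?php
// Added example, not code from the thread. A database-backed session handler (SQLite via
// PDO; the table name "sessions" and every helper name here are ours) plus a function that
// clears one variable from another session by ID using only PHP's standard session API.
declare(strict_types=1);

final class PdoSessionHandler implements SessionHandlerInterface, SessionUpdateTimestampHandlerInterface
{
    public function __construct(private PDO $db) {}

    public function open(string $path, string $name): bool { return true; }
    public function close(): bool { return true; }

    public function read(string $id): string|false
    {
        $st = $this->db->prepare('SELECT data FROM sessions WHERE id = ? AND expires > ?');
        $st->execute([$id, time()]);
        $row = $st->fetch(PDO::FETCH_ASSOC);
        return $row ? $row['data'] : '';           // '' tells PHP there is no such session
    }

    public function write(string $id, string $data): bool
    {
        $expires = time() + (int) ini_get('session.gc_maxlifetime');
        return $this->db->prepare('INSERT OR REPLACE INTO sessions (id, data, expires) VALUES (?, ?, ?)')
                        ->execute([$id, $data, $expires]);
    }

    public function destroy(string $id): bool
    {
        return $this->db->prepare('DELETE FROM sessions WHERE id = ?')->execute([$id]);
    }

    public function gc(int $max_lifetime): int|false
    {
        $st = $this->db->prepare('DELETE FROM sessions WHERE expires <= ?');
        $st->execute([time()]);
        return $st->rowCount();
    }

    // With session.use_strict_mode=1 PHP asks this before accepting a caller-supplied ID,
    // so an ID we never issued is replaced by a fresh one instead of becoming a session.
    public function validateId(string $id): bool
    {
        $st = $this->db->prepare('SELECT 1 FROM sessions WHERE id = ? AND expires > ?');
        $st->execute([$id, time()]);
        return (bool) $st->fetchColumn();
    }

    public function updateTimestamp(string $id, string $data): bool
    {
        return $this->write($id, $data);
    }
}

// Remove $key from session $sid from within any other request. It only uses
// session_start()/session_write_close(), so it works with whatever handler is registered.
// Returns false, without writing or creating anything, if $sid is unknown or $key is absent.
function clear_session_var(string $sid, string $key): bool
{
    if (!preg_match('/^[A-Za-z0-9,-]{1,256}$/', $sid)) {   // the only form PHP accepts as an ID
        throw new InvalidArgumentException('malformed session id');
    }
    if (session_status() === PHP_SESSION_ACTIVE) {
        session_write_close();                       // park this request's own session first
    }
    session_id($sid);
    session_start();
    if (session_id() !== $sid || !array_key_exists($key, $_SESSION)) {
        session_abort();                             // strict mode swapped the ID, or nothing to clear
        return false;
    }
    unset($_SESSION[$key]);
    session_write_close();                           // persists through the handler, releases the lock
    return true;
}

// Constructed demo for the command line: one process plays the shopper's request and,
// later, the PayPal IPN request that clears the cart from the shopper's session.
$db = new PDO('sqlite:' . sys_get_temp_dir() . '/sessions-demo.sqlite');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE IF NOT EXISTS sessions (id TEXT PRIMARY KEY, data TEXT NOT NULL, expires INTEGER NOT NULL)');
ini_set('session.use_strict_mode', '1');
session_set_save_handler(new PdoSessionHandler($db), true);

session_start();                                     // the shopper's request
$shopperSid = session_id();
$_SESSION['cart'] = ['sku' => 'ABC-1', 'qty' => 2];
$_SESSION['user'] = 'alice';
session_write_close();

$cleared = clear_session_var($shopperSid, 'cart');         // the IPN request, later
$unknown = clear_session_var(str_repeat('x', 32), 'cart'); // an ID we never issued

session_id($shopperSid);                             // the shopper's next request
session_start();
var_dump($cleared, $unknown, isset($_SESSION['cart']), $_SESSION['user']);
session_write_close();
```

The important check is the one after session_start(): without it, handing session_start() an ID that does not exist quietly creates an empty session under that ID (or, in strict mode, under a freshly generated one), and the write on close would persist it. session_abort() closes without writing, so a malformed or unknown ID leaves no row behind. Destroying a whole session by ID is the same sequence with session_destroy() in place of the unset and write_close.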
The database solution means that the session database needs to be shared between the main website and the partner site, which frequently isn't the case. Maybe something along these trivial lines would suffice?
<img src="mainwebsite/logout.php">
mainwebsite/logout.php:
<?php session_start(); session_destroy(); /* session_destroy() only acts on an active session, so start it first */ ?>
I have a CI app that takes orders online. I link each order to a session ID because anyone can order without logging in.
When the user clicks on check out, the session ID is sent to PayPal, in which case the session ID is sent back to me along with the payment info.
Sometimes PayPal IPN (instant payment notification) gets delayed, up to 24 hours. (Yes, not very "instant".) In which case, the session variables are already gone (i.e. what and how many they ordered) since the session library clears them up.
In this case, I am sunk. So I thought about extending the sess_time_to_update to like 3 days...
Is there a downside to doing this? If so, what?
Is there a workaround that I can implement instead?
Store the session information in a database before sending them off to PayPal then when the IPN hits, have it look into the database to retrieve values. You should never use a session for something that critical and something THAT long.
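The advice repeated through this thread (write the order to a real table before the redirect, then let the IPN find and update that row by an identifier that is not the session ID) as an added example that is not code from the thread or from PayPal. It assumes SQLite via PDO, a table named "orders", the merchant e-mail, notify URL and all function names as our own constructed values; the IPN field names (invoice, payment_status, receiver_email, mc_gross, mc_currency, txn_id) and the postback with cmd=_notify-validate are PayPal's documented IPN protocol.

```php
<?php
// Added example, not code from the thread. The order is written to the database before the
// shopper is redirected, keyed by the pass-through "invoice" field that PayPal echoes back in
// the IPN; the IPN handler then finds and updates that row and never touches a session.
// Assumed: SQLite via PDO, the "orders" table, MERCHANT_EMAIL and every helper name are ours.
declare(strict_types=1);

const PAYPAL_IPN_VERIFY_URL = 'https://ipnpb.paypal.com/cgi-bin/webscr';
const MERCHANT_EMAIL = 'merchant@example.com';           // constructed value

// Persist the cart now and return the hidden fields for the redirect form to PayPal.
function create_pending_order(PDO $db, array $cart, string $total, string $currency): array
{
    $invoice = bin2hex(random_bytes(16));                 // unguessable, and not the session ID
    $db->prepare('INSERT INTO orders (invoice, cart, total, currency, status) VALUES (?, ?, ?, ?, ?)')
       ->execute([$invoice, json_encode($cart), $total, $currency, 'pending']);
    return [
        'cmd' => '_xclick', 'business' => MERCHANT_EMAIL, 'invoice' => $invoice,
        'amount' => $total, 'currency_code' => $currency,
        'notify_url' => 'https://shop.example.com/ipn.php', // constructed URL
    ];
}

// Post the raw IPN body back to PayPal; only the literal reply "VERIFIED" counts.
function paypal_verify(string $rawBody): bool
{
    $ch = curl_init(PAYPAL_IPN_VERIFY_URL);
    curl_setopt_array($ch, [
        CURLOPT_POST => true,
        CURLOPT_POSTFIELDS => 'cmd=_notify-validate&' . $rawBody,
        CURLOPT_RETURNTRANSFER => true,
        CURLOPT_SSL_VERIFYPEER => true,
    ]);
    $reply = curl_exec($ch);
    curl_close($ch);
    return $reply === 'VERIFIED';
}

function cents(string $amount): int
{
    return (int) round((float) $amount * 100);            // compare money as integers, not floats
}

// Handle one IPN. $verify is injectable so the flow can be exercised offline; the caller
// still answers PayPal with HTTP 200 whatever this returns, otherwise PayPal keeps retrying.
function handle_ipn(PDO $db, string $rawBody, array $post, callable $verify = 'paypal_verify'): string
{
    if (!$verify($rawBody)) {
        return 'invalid';                                 // not sent by PayPal, or tampered with
    }
    if (($post['payment_status'] ?? '') !== 'Completed') {
        return 'ignored';                                 // Pending, Refunded, ... are not "paid"
    }
    if (($post['receiver_email'] ?? '') !== MERCHANT_EMAIL) {
        return 'wrong-receiver';                          // genuine IPN, but for someone else's account
    }
    $st = $db->prepare('SELECT id, total, currency, status FROM orders WHERE invoice = ?');
    $st->execute([$post['invoice'] ?? '']);
    $order = $st->fetch(PDO::FETCH_ASSOC);
    if (!$order) {
        return 'unknown-invoice';
    }
    // The shopper controls the browser form that went to PayPal, so the stored price is authoritative.
    if (cents($post['mc_gross'] ?? '0') !== cents($order['total'])
        || ($post['mc_currency'] ?? '') !== $order['currency']) {
        return 'amount-mismatch';
    }
    if ($order['status'] === 'paid') {
        return 'duplicate';                               // PayPal resends notifications; stay idempotent
    }
    $db->prepare('UPDATE orders SET status = ?, txn_id = ? WHERE id = ? AND status = ?')
       ->execute(['paid', $post['txn_id'] ?? '', $order['id'], 'pending']);
    return 'paid';
}

// Constructed offline run: SQLite in a temp file and a stand-in verifier instead of PayPal.
$db = new PDO('sqlite:' . sys_get_temp_dir() . '/orders-demo.sqlite');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE IF NOT EXISTS orders (id INTEGER PRIMARY KEY, invoice TEXT UNIQUE, cart TEXT,
           total TEXT, currency TEXT, status TEXT, txn_id TEXT)');

$form = create_pending_order($db, ['sku' => 'ABC-1', 'qty' => 2], '12.50', 'USD'); // before the redirect
$ipn = ['invoice' => $form['invoice'], 'payment_status' => 'Completed', 'receiver_email' => MERCHANT_EMAIL,
        'mc_gross' => '12.50', 'mc_currency' => 'USD', 'txn_id' => 'TXN123'];       // constructed IPN
$trusted = fn(string $body): bool => true;                                         // stand-in for paypal_verify

var_dump(handle_ipn($db, http_build_query($ipn), $ipn, $trusted));             // first delivery
var_dump(handle_ipn($db, http_build_query($ipn), $ipn, $trusted));             // same IPN delivered again
var_dump(handle_ipn($db, '', ['mc_gross' => '0.01'] + $ipn, $trusted));        // price the shopper changed
var_dump(handle_ipn($db, '', $ipn, fn(string $b): bool => false));             // postback did not verify
```

Because the row exists before the shopper leaves, a 24-hour IPN delay is harmless: nothing the handler needs lives in a session, and a session that expires in the meantime loses nothing. The ordering of the checks matters too: the postback comes first so nothing is read from the database on a forged request, and the price and receiver are compared against stored values, not against what the notification says.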