Returning users logged out intermittently after completing PayPal transaction

Hi,

On our site users sign in initially, after which they have the ability to purchase credit via a PayPal 'Buy now' button. Transactions have been going through fine in the PayPal sandbox; however, after being finally directed to the return URL, users are frequently logged out automatically.

From the large number of posts/articles I have gone through, this appears to be an http:// to https:// session issue.
Some have recommended passing the current session_id() through within the 'custom' variable in order to reinstate the session once the user returns to our site.

However this is patchy at best with the user still being frequently logged out automatically.
Please see my attempt at reinstating the session_id below.

The main login script is based around Jpmaster77's php login script.

Is the only stable alternative to somehow pass the username and password through the original form as hidden variables and then re-login the user on returning to the site? If so, can you please provide pointers on the best way of doing so.

// excerpt from return.php
 
// PayPal posts back the 'custom' value we sent with the Buy Now button
$passedSessionID = $_POST['custom'];
 
// reinstate session value: session_id() only takes effect if it is
// called BEFORE session_start(), so the session must be started here
session_id($passedSessionID);
session_start();
 
// if payment_status = success   then run mysql update query
 
// finally user is redirected; exit so nothing runs after the redirect header
header('Location: success.php');
exit;

rasoodock Asked:
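As an added example (not code from the original question, from Jpmaster77's login script, or from Ray's scripts): rather than rebuilding the session from a raw id in `custom`, or passing the username and password as hidden fields, the site can place a signed, expiring token naming the logged-in user in `custom` and re-establish the login from that on return. `SECRET_KEY`, `TOKEN_TTL`, `login.php` and the `$user_id` session key are assumed names; `success.php` and the "payment_status = success" step are from the original excerpt.

```php
<?php
// Added example, not from the original question: a signed, expiring token in PayPal's
// 'custom' field instead of a raw session id or hidden credentials.
// SECRET_KEY and TOKEN_TTL are assumed names; load the key from config, not source code.
define('SECRET_KEY', 'REPLACE-WITH-A-LONG-RANDOM-VALUE'); // placeholder
define('TOKEN_TTL', 60 * 60); // tokens stay valid for one hour

// Called while rendering the 'Buy now' form; put the (html-escaped) result
// in the hidden input named 'custom' that PayPal will post back to return.php.
function make_return_token(int $user_id, ?int $now = null): string
{
    $now = $now ?? time();
    $payload = $user_id . '|' . ($now + TOKEN_TTL);
    return $payload . '|' . hash_hmac('sha256', $payload, SECRET_KEY);
}

// Called from return.php; gives back the user id, or null if the token is forged or stale.
function verify_return_token(string $token, ?int $now = null): ?int
{
    $now = $now ?? time();
    $parts = explode('|', $token);
    if (count($parts) !== 3) {
        return null;
    }
    [$user_id, $expires, $mac] = $parts;
    if (!ctype_digit($user_id) || !ctype_digit($expires)) {
        return null;
    }
    $expected = hash_hmac('sha256', $user_id . '|' . $expires, SECRET_KEY);
    if (!hash_equals($expected, $mac)) {   // constant-time comparison
        return null;
    }
    if ((int) $expires < $now) {           // expired
        return null;
    }
    return (int) $user_id;
}

// return.php: re-establish the login from the token, never from the raw session id.
session_start();
$user_id = verify_return_token($_POST['custom'] ?? '');
if ($user_id === null) {
    header('Location: login.php'); // assumed login page
    exit;
}
session_regenerate_id(true);   // fresh id: nothing the visitor supplied is reused
$_SESSION['user_id'] = $user_id;
// The credit update still belongs after the payment is confirmed
// (the "payment_status = success" step of the original excerpt).
header('Location: success.php');
exit;
```

The token is a short-lived bearer credential for that one user, so keep the TTL short; it does not replace confirming the payment itself before crediting the account.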

Ray Paseur Commented:
How long do your client sessions persist?
Ray Paseur Commented:
I will post two "teaching sample" scripts that may be helpful.  Please look them over and post back here if you have questions about them.  You can install them and run them to see the behaviors.

First example: Details on how to set a cookie.
<?php // RAY_cookie_example.php
 
// RECEIVE FORM INPUT AND SET A COOKIE WITH THE NAME AND VALUES FROM THE FORM
// MAN PAGE: http://us.php.net/manual/en/function.setcookie.php
// TO SEE COOKIES IN FIREFOX, FOLLOW TOOLS => OPTIONS => PRIVACY => SHOW COOKIES
 
define('COOKIE_LIFE', 60*60*24); // A 24-HOUR DAY IN SECONDS ( = 86,400 )
 
// THE SCRIPT'S OWN URL FOR THE LINKS BELOW ($PHP_SELF NEEDED register_globals, WHICH IS GONE)
$self = htmlspecialchars($_SERVER['PHP_SELF']);
 
if (!empty($_POST)) // IF THE FORM HAS BEEN POSTED
{
 
// TIDY UP THE POST INPUT
   $name = substr(clean_string($_POST["name"] ?? ''),0,16);
   $data = substr(clean_string($_POST["data"] ?? ''),0,16);
 
// BE SURE WE HAVE USEFUL INFORMATION
   if ( ($name == '') || ($data == '') ) die("MISSING INPUT: PLEASE <a href=\"$self\">TRY AGAIN</a>");
 
// CONSTRUCT THE COOKIE
// USE THIS TO MAKE COOKIE EXPIRE AT END OF BROWSER LIFE
   $cookie_expires = 0;
 
// USE THIS TO MAKE A PERSISTENT COOKIE - DEFINE COOKIE_LIFE IN SECONDS
// time() IS ALREADY A UTC TIMESTAMP, WHICH IS WHAT setcookie() EXPECTS, SO NO UTC OFFSET IS ADDED
   $cookie_expires = time() + COOKIE_LIFE;
 
// CHOOSE THE COOKIE NAME AND VALUE
   $cookie_name  = $name;
   $cookie_value = $data;
 
// MAKE THE COOKIE AVAILABLE TO ALL DIRECTORY PATHS IN THE WWW ROOT
   $cookie_path = '/';
 
// MAKE THE COOKIE AVAILABLE TO ALL SUBDOMAINS - DOMAIN NAME STARTS WITH DOT AND OMITS WWW (OR OTHER SUBDOMAINS).
// explode() ALWAYS RETURNS AN ARRAY, SO TEST HOW MANY PARTS THE HOST NAME HAS
   $x = explode('.', strtolower($_SERVER["HTTP_HOST"]));
   if (count($x) < 2) // MAYBE 'localhost'?  AN EMPTY DOMAIN GIVES A HOST-ONLY COOKIE
   {
      $cookie_domain = '';
   } else // SOMETHING LIKE 'www2.atf70.whitehouse.gov'?
   {
      $y = count($x);
      $cookie_domain = '.' . $x[$y-2] . '.' . $x[$y-1];
   }
 
// MAKE THE COOKIE AVAILABLE TO HTTP, NOT JUST HTTPS
   $cookie_secure = FALSE;
 
// HIDE COOKIE FROM JAVASCRIPT
   $cookie_http = TRUE;
 
// SET THE COOKIE
   if (setcookie($cookie_name, $cookie_value, $cookie_expires, $cookie_path, $cookie_domain, $cookie_secure, $cookie_http))
   {
      echo "<br/>SUCCESS!  THE COOKIE HAS BEEN SET AND WILL BE AVAILABLE TO THE NEXT PAGE LOAD \n";
   } else {
      echo "<br/>FAILURE!  THE COOKIE WAS NOT SET AS EXPECTED \n";
   }
 
// AT THIS POINT, THE COOKIE HAS BEEN SET, BUT IT IS _NOT_ AVAILABLE TO THIS SCRIPT.  IT WILL BE AVAILABLE TO THE NEXT SCRIPT!
   echo '<pre>$_COOKIE CONTAINS '; var_dump($_COOKIE); echo "</pre>\n";
   echo '<pre>$_POST CONTAINS ';   var_dump($_POST);   echo "</pre>\n";
   echo "<br/>THE COOKIE HAS BEEN SET WITH THESE VALUES: \n";
   echo "<br/>COOKIE NAME: $cookie_name \n";
   echo "<br/>COOKIE VALUE: $cookie_value \n";
   echo "<br/>COOKIE EXPIRES: $cookie_expires ";
   echo " == " . date('r', $cookie_expires) . "\n";
   echo "<br/>COOKIE PATH: $cookie_path \n";
   echo "<br/>COOKIE DOMAIN: $cookie_domain \n";
   echo "<br/>COOKIE SECURE: "; var_dump($cookie_secure); echo " \n";
   echo "<br/>COOKIE HTTP: ";   var_dump($cookie_http);   echo " \n";
 
   echo "<br/>";
   echo "<br/>TO SEE THE COOKIES, IF ANY, <a href=\"$self\">CLICK HERE</a> \n";
   echo "<br/>";
}
 
// END OF SETTING THE COOKIE
?>
 
 
<form method="post">
COOKIE NAME: <input name="name" /><br/>
COOKIE DATA: <input name="data" /><br/>
<input type="submit" />
</form>
 
 
<?php
// SHOW THE COOKIE ARRAY, IF ANY
echo '<pre>$_COOKIE CONTAINS '; var_dump($_COOKIE); echo "</pre>\n";
 
 
// A FUNCTION TO FORCE A STRING TO CHARACTERS ONLY
// (ereg_replace() WAS REMOVED IN PHP 7, SO THIS USES preg_replace())
function clean_string($string)
{
   return trim(preg_replace('/[^a-zA-Z0-9_]/', '', $string));
}
?>

Ray Paseur Commented:
Second example: How to start sessions that work across subdomains; for example, they will work for both http://www.domain.com and http://domain.com
<?php // RAY_session_cookie_domain.php
// DEMONSTRATE HOW TO START SESSIONS THAT WORK IN DIFFERENT SUBDOMAINS
error_reporting(E_ALL);
 
 
// MAKE THE SESSION COOKIE AVAILABLE TO ALL SUBDOMAINS
// OUR GOAL IS A DOMAIN NAME THAT STARTS WITH DOT AND OMITS WWW OR OTHER SUBDOMAINS.
// BREAK THE HOST NAME APART AT THE DOTS (explode() ALWAYS RETURNS AN ARRAY, SO TEST THE COUNT)
$x = explode('.', strtolower($_SERVER["HTTP_HOST"]));
if (count($x) < 2) // MAYBE 'localhost'?  AN EMPTY DOMAIN GIVES A HOST-ONLY COOKIE
{
   $host = '';
} else // SOMETHING LIKE 'www2.atf70.whitehouse.gov'?
{
// USE THE LAST TWO POSITIONS TO MAKE THE HOST DOMAIN
   $y    = count($x);
   $host = '.' . $x[$y-2] . '.' . $x[$y-1];
}
 
// SET THE SESSION COOKIE PARAMETERS BEFORE STARTING THE SESSION, SO PHP SENDS ONE CORRECT COOKIE:
// LIFETIME 0 = END OF BROWSER LIFE, PATH '/', OUR DOMAIN, NOT HTTPS-ONLY, HIDDEN FROM JAVASCRIPT
session_set_cookie_params(0, '/', $host, FALSE, TRUE);
session_start();
 
 
// LOAD UP SOME INFORMATION TO SHOW SESSION CONTENTS
$_SESSION["cheese"] = "Cheddar";
if (!isset($_SESSION["count"])) $_SESSION["count"] = 0;
$_SESSION["count"] ++;
 
 
// PUT UP TWO LINKS WITH DIFFERENT SUBDOMAINS
// STRIP OFF THE DOT THAT WAS NEEDED FOR THE COOKIE DOMAIN (HOST-ONLY CASE: USE THE HOST AS-IS)
$gost = ($host == '') ? $_SERVER["HTTP_HOST"] : substr($host,1);
$dmn_link = 'http://'     . $gost . '/RAY_dump_session.php';
$www_link = 'http://www.' . $gost . '/RAY_dump_session.php';
 
echo "<br/><a target=\"_blank\" href=\"$www_link\">$www_link</a>\n";
echo "<br/><a target=\"_blank\" href=\"$dmn_link\">$dmn_link</a>\n";
 
 
// SHOW WHAT IS IN COOKIE AND IN $_SESSION
echo "<pre>";
echo "COOKIE ";
var_dump($_COOKIE);
echo "\n\n";
echo "SESSION ";
var_dump($_SESSION);
 
echo "</pre>\n";
 
?>
<form method="post">
<input type="submit" value="CLICK ME" />
</form>

Ray Paseur Commented:
And lastly, this to help with data visualization.

Best regards, ~Ray
<?php // RAY_dump_session.php
error_reporting(E_ALL);
 
// START THE SESSION
session_start();
 
// DISPLAY THE VARS
echo "<pre>";
echo "COOKIE ";
var_dump($_COOKIE);
echo "\n\n";
echo "SESSION ";
var_dump($_SESSION);
 
 
 
echo "</pre>\n";


rasoodock Author Commented:
Hi Ray,

Many thanks for your response. I haven't had a problem maintaining sessions across subdomains, but instead between the https://www.paypal.com site and our own site, which does not have SSL. I haven't yet set a timeout for client sessions.

A number of articles I've read suggest that the session is often destroyed upon entering the secured domain. Essentially I need to know what is the most stable method of ensuring the user will definitely be logged in again, and whether cookies are a reliable method of doing so.

Should the method I mentioned above re. passing the session_id through the form and returning it actually work reliably?

kind regards,

Brian
 
Ray Paseur Commented:
Brian, I've never lost a session by entering another web site, whether HTTPS or not.  You can lose a session between pages of your own web site if one page is HTTP and the other is HTTPS, and the cookie is set to be only valid for HTTPS.  And you can lose it for long periods of HTTP inactivity.

Use phpinfo() and look for the session variables - a timeout is set by default and you can find the value there. Then read the post below and the one after it. Not sure this is the problem, but it is quite possible.
http://us3.php.net/manual/en/function.session-cache-expire.php#68728

You might want to add var_dump($_SESSION); to the footer of your script while you are testing.

I do not know if passing the session ID will work any better than not passing it.  If the session is getting timed out or otherwise lost, the session ID will not point to a good session data file.
Ray Paseur Commented:
Brian: thanks for the points.  It's a great question.  Hope things are on the right track for you now. ~Ray
rasoodock Author Commented:
Many thanks Ray.  Will definitely be going through with your suggestions re. cookies.  

cheers

Brian