Authlogic: how to log in behind the scenes without knowing the password

I use Authlogic to process login / authentication / sessions, etc., and I use PayPal to process payment for subscribing to my website. For users whose trial period has expired, I would like to automatically log them in after they go through the payment process in PayPal, but I can’t decide how to do this without a password. So my thread:

  • Expired user logs in.
  • They are expired, so I click them on the subscription page, tracking who they are through my unique persistence_token field, which I insert into the parameter that is sent to PayPal.
  • When I receive a payment notification from PayPal, I also receive my token, so I know which user paid, and I change their account accordingly.
  • When they have paid in PayPal, the button to send them back to my site has a unique token of their order, so I can say that the one who just paid will go to this "full subscription" page, and not just anyone typing the URL address into their browser.
  • When they return from PayPal to the site, they are still logged out, and they must go through the registration / registration process.

In the situation above, since I get the order token in the parameters on the "subscription_complete" page, I know that the user is the same one who just paid, and therefore I have enough information to trust them as if they were logged in. So, I would like to automatically register them, i.e. create a UserSession record for them. But the problem is that I do not know their password (because the passwords have one-way encryption), and I need a password to create user_session.

So my question is: if I trust the current user but don’t know their password, can I register them anyway? If so, how?

+4
1 answer

I used UserSession.create(@user) before. Doesn't this work for you?

+5
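Whether the passwordless `UserSession.create(@user)` from the answer is safe depends on how the returning user is identified. As an added example (not code from the question, the answer, or Authlogic), the sketch below issues a signed, expiring, single-use token for the PayPal round trip, so `persistence_token` never has to leave the site; `ReturnToken`, its methods and the secret are hypothetical names, and the in-memory redeemed set stands in for a database column.

```ruby
require "openssl"
require "securerandom"

# Hypothetical helper (not part of Authlogic): a signed, expiring, single-use
# token to send through the payment round trip instead of persistence_token.
class ReturnToken
  def initialize(secret, ttl: 900)
    @secret = secret
    @ttl = ttl          # seconds the token stays valid
    @redeemed = {}      # in-memory for the example; persist this in a real app
  end

  # Token layout: "<user_id>.<expires_at>.<nonce>.<hex HMAC-SHA256 of the rest>"
  def issue(user_id, now: Time.now.to_i)
    payload = "#{user_id}.#{now + @ttl}.#{SecureRandom.hex(8)}"
    "#{payload}.#{sign(payload)}"
  end

  # Returns the user id, or nil if the token is forged, expired or already used.
  def redeem(token, now: Time.now.to_i)
    payload, _, mac = token.to_s.rpartition(".")
    return nil unless secure_equal?(mac, sign(payload))
    user_id, expires_at, _nonce = payload.split(".", 3)
    return nil if now > expires_at.to_i
    return nil if @redeemed[payload]
    @redeemed[payload] = true
    user_id.to_i
  end

  private

  def sign(payload)
    OpenSSL::HMAC.hexdigest("SHA256", @secret, payload)
  end

  # Compare MACs without returning early on the first differing byte.
  def secure_equal?(a, b)
    return false unless a.bytesize == b.bytesize
    a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
  end
end
```

In the "subscription_complete" action, a non-nil result from `redeem` would be the point at which to load the user and call `UserSession.create(user)` as in the answer; a nil result falls back to the normal login form.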