How to reinitialize a session in PHP?

I am trying to integrate an existing payment platform into my online store. After a successful transaction, the payment platform sends a request to the URL in my application with the transaction identifier included in the request parameters.

However, I need to do some post-processing, for example, send an order confirmation, etc. To do this, I need access to the user session, since a lot of information about the order is stored there. To do this, I include session_id in the initial XML request and do the following after the transaction is completed:

    $sessionId = 'foo'; // the sessionId is successfully retrieved from the XML response
    session_id($sessionId);
    session_start();

The above code works fine, but $_SESSION is still empty. Am I forgetting something or is it just not possible?

EDIT:

Thanks for all the answers. The problem has not yet been resolved. As already mentioned, it is strange that I can successfully start a new session using session_id, which belongs to the user who placed the order. Any other ideas?

+3
7 answers

Thanks so much for all the answers.

Smazurov's answer got me thinking and made me go through my PHP configuration again.

The default behavior of PHP is not to encrypt session-related data, which should allow reading session data after restarting the old session from another client. However, I use Suhosin to fix and prevent some security issues. The default Suhosin behavior is to encrypt session data based on the User Agent, which makes it difficult to read other sessions.

It was also the cause of my problems; disabling this behavior solved the problem.

+1

Not quite what you are asking for, but do you not need to save the order in the database before sending the customer to the payment service? It is better to rely on the saved data during the subsequent processing of the order when you receive the payment confirmation.

Using sessions is not reliable, since you will not know how long this confirmation will take to arrive (usually it is instantaneous, but in rare cases there will be a delay).

In addition, if you restart your web server during this period of time, you will lose the relevant data.

A third issue: if you have a load-balancing solution with per-node session management (very common), then you have no guarantee that the payment server and your client will reach the same web server (since stickiness is usually based on the source IP).

+4

I dare to suggest that since the domain where the session was set is different from the one where you are trying to read it, PHP plays it safe and does not retrieve session data set by another domain. It does this in an attempt to maintain security in case someone were to guess the session identifier and capture the data.

A workaround for this, assuming that both sides share the same physical disk, is to temporarily write the order data, serialized (and possibly encrypted, depending on whether a card number or the full credit card number is being tracked, which is a whole other story), to a file that is read once by the receiving party and immediately deleted.

In essence, all this does is duplicate the functionality that you are trying to get out of sessions, without the annoying security side effects.

+3
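The two answers above make the same point: the order should live somewhere the callback can reach without the customer's session. The following is an added example, not code from the question or from either answer, of persisting the order before the redirect and looking it up on the callback. It uses an in-memory SQLite database through PDO so it runs stand-alone; the `token` column, the callback parameters and the sample order data are assumptions made for this example, not anything the question's payment platform defines.

```php
<?php
// Added example (not from the original page): store the order in a database
// keyed by its own id instead of in $_SESSION, so the gateway's callback can
// find it regardless of session lifetime, web server restarts or which
// load-balanced node receives it.
declare(strict_types=1);

function openStore(): PDO
{
    // In-memory SQLite so the example runs offline; a real shop uses its own DB.
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec(
        'CREATE TABLE orders (
            id             INTEGER PRIMARY KEY AUTOINCREMENT,
            email          TEXT NOT NULL,
            amount_cents   INTEGER NOT NULL,
            token          TEXT NOT NULL,
            status         TEXT NOT NULL DEFAULT \'pending\',
            transaction_id TEXT
        )'
    );
    return $db;
}

// Called before redirecting the customer to the gateway. Everything the
// post-processing step will need is written here, not left in the session.
// The random token (an assumption of this example) is what the gateway is
// asked to echo back alongside the order id.
function createOrder(PDO $db, string $email, int $amountCents): array
{
    $token = bin2hex(random_bytes(16));
    $stmt  = $db->prepare('INSERT INTO orders (email, amount_cents, token) VALUES (?, ?, ?)');
    $stmt->execute([$email, $amountCents, $token]);
    return ['id' => (int) $db->lastInsertId(), 'token' => $token];
}

// Called from the callback URL. An order id alone is guessable, so the token
// is checked with a constant-time comparison; the transaction id is stored so
// the order can later be reconciled against the gateway's own records.
function handleCallback(PDO $db, int $orderId, string $token, string $transactionId): bool
{
    $stmt = $db->prepare('SELECT token, status FROM orders WHERE id = ?');
    $stmt->execute([$orderId]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false || !hash_equals($row['token'], $token)) {
        return false; // unknown order or a forged callback
    }
    if ($row['status'] === 'paid') {
        return true;  // gateways may retry a callback: stay idempotent
    }
    $upd = $db->prepare('UPDATE orders SET status = ?, transaction_id = ? WHERE id = ? AND status = ?');
    $upd->execute(['paid', $transactionId, $orderId, 'pending']);
    return $upd->rowCount() === 1;
}

// Stand-alone run with constructed data: one order, a forged callback, then
// the genuine callback delivered twice.
$db    = openStore();
$order = createOrder($db, 'buyer@example.com', 4999);
var_dump(handleCallback($db, $order['id'], 'wrong-token', 'TX-1'));
var_dump(handleCallback($db, $order['id'], $order['token'], 'TX-1'));
var_dump(handleCallback($db, $order['id'], $order['token'], 'TX-1'));
```

Whether the callback parameters carry a token, a signature, or nothing at all depends on the payment platform; if it offers no way to authenticate the callback, the transaction id should be confirmed with the platform before the order is marked paid.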

Make sure you close the current session before trying to start a new one. So you should do:

    $id = 'abc123';
    session_write_close();
    session_id($id);
    session_start();
0
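The answer above gives the bare sequence of calls. As an added example, not code from the question or from any answer, here is that sequence wrapped in the checks a callback handler wants around it: the id is validated before it reaches the session handler, an already-open session (for instance from session.auto_start) is released first, and a session that does not exist is reported rather than silently created empty, which is exactly the symptom described in the question. The `session_id` request parameter name is an assumption of this example. It assumes the default file session handler and, as the accepted answer found, that Suhosin's User-Agent-based session encryption is not in effect.

```php
<?php
// Added example (not from the original page): resume an existing PHP session
// from a server-to-server callback, given a session id handed to the payment
// platform earlier.
declare(strict_types=1);

// PHP-generated session ids consist only of [0-9a-zA-Z,-]. Rejecting anything
// else keeps an attacker-supplied value away from the session handler (with
// the file handler the id becomes part of a file name).
function isValidSessionId(string $id): bool
{
    return (bool) preg_match('/\A[0-9a-zA-Z,-]{22,256}\z/', $id);
}

// Returns the stored session data, or null if no session with that id exists.
function resumeSession(string $id): ?array
{
    if (!isValidSessionId($id)) {
        return null;
    }

    // session_id() only takes effect while no session is active, so release
    // one that session.auto_start or an earlier session_start() opened.
    if (session_status() === PHP_SESSION_ACTIVE) {
        session_write_close();
    }

    // Server-to-server: there is no cookie to read or send.
    ini_set('session.use_cookies', '0');
    // Strict mode makes PHP refuse ids it did not generate: an unknown id is
    // replaced with a fresh one instead of creating an empty session under it.
    ini_set('session.use_strict_mode', '1');

    session_id($id);
    if (!session_start()) {
        return null;
    }
    if (session_id() !== $id) {
        session_abort();   // discard the freshly generated session, write nothing
        return null;
    }

    $data = $_SESSION;
    session_write_close(); // release the lock; this request does not modify the session
    return $data;
}

// Driver for the callback URL. Whatever the gateway echoes back must still be
// verified with the gateway (transaction lookup) before the order is treated
// as paid; a valid session id by itself proves nothing about payment.
$session = resumeSession((string) ($_GET['session_id'] ?? ''));
if ($session === null) {
    http_response_code(404);
    exit('unknown session');
}
// ... send the confirmation using the order data in $session ...
```

Note that this request reads the session data but does not rotate the id; the customer's browser still holds the original id, and the session stays bound to it.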

Dirty, but worked for me:

Let the payment gateway use

 http://yourdomain.com/callbackurl.php?PHPSESSID=SESSIONIDHERE 

PHP uses this method of passing the session around itself if you set certain configuration vars (session.use_trans_sid), and it seems to work even if PHP was told not to. At least, it has always worked for me.

Edit:

Perhaps the problem is that you have set session.auto_start to true, so the session starts automatically using whatever identifier it generates before your code runs.

-1

How about doing this on another PHP page, and you include/redirect to the second page in an iframe?

-1

I am not sure how long there is between your transaction and your verification, but it certainly seems that your session cookie has expired. Sessions usually end after 45 minutes or so by default. This frees up more uniqids for PHP to use and prevents potential session hijacking.

I'm not sure if you have a custom session handler that stores sessions in the database, but guessing from your posts and comments on this page, I would assume that they are stored in files on the server side.

Now the solution to your problem is to bite the bullet and save the necessary data in the database and access it through the session identifier, even if it means creating another table that will sit next to your order table.

If, however, you perform the action immediately, then another explanation is that the user either logged out or performed an action that destroyed their session (deleting the cookie on the server side).

You will see these session files in the server's /tmp folder; try to find yours, it should be called "sess_" + $session_id.

-1
