
So I'm trying to modify a system that currently works like this:

  1. prepayment.php gathers the customer's information and posts it
  2. pay_info.php creates a session and displays more information about the payment
  3. payment.php displays more information about the payment
  4. creditcardpay.php displays MORE information about the payment
  5. com_web_process.php sends the information to a bank, posting it to https://migs.mastercard.com.au/vpcpay
  6. Then you jump into the bank API, which is not hosted on our server
  7. When you are done doing the transfer, the bank returns the user to credit_card_process.php on our server, along with transfer information.
  8. credit_card_process.php receives the receipt number and transfer information and prints a receipt with it and information previously stored in the session.

First question: I'm not sure how this works. Is the session staying alive even when the customer is sent to another server? Or does it stay on our server, and when the user gets back the variables are still there? (If so, how does it recognize the user?)

And second:

The process is too long; the customer receives redundant information in 3 pages which I want to remove, summarizing everything in prepayment.php and sending the information to com_web_process.php to be processed immediately (removing steps 2-4).

I can get the information to the bank API and the deposit works just nicely. However, when it gets back to our server in the file credit_card_process.php it prints the information generated by the bank (receipt etc.) but the information that was stored in session variables (customer's email, name, country of residency) doesn't display.

If it helps I can post either all the files, or the parts I consider most relevant (which would be the session variables and such).

Funny thing is, I tested by printing the variables in com_web_process.php and they show properly, but they get lost when going to the bank and coming back.

Files in order of appearance:

pre_payment.php

<form name="frm_main" action="pay_info.php?lang=" method="post" onSubmit="return validate_register();">

      //customer information

Pay_info.php

$last_url=$_SERVER['HTTP_REFERER']; // I'm not sure what this does

$last_name=$_POST["last_name"]; // get the customer data in variables (I don't see why they did this instead of doing post directly to session variables)

$_SESSION['first_name']=$first_name; // get the variables in to session variables

<form name="frm_main" action="payment.php?lang=<?=$LANG_TYPE?>" method="post">

<input type="hidden" name="first_name" value="<?=$_SESSION['first_name']?>" />

//use the session variables to post to the next form

payment.php

$_SESSION["CREDIT_CARD_TRANS"]="YES";

This is validated later on to make sure you are actually making a transaction; in my new attempt I created this variable in pre_payment.

$last_name=$_POST["last_name"];

Get the post into variables (necessary? Don't we have the session ones already?)

<form name="frmMain" action="credit_card_pay.php?lang=<?=$LANG_TYPE?>" method="post" onSubmit="return validatePayment();">

 <input type="hidden" name="last_name" value="<?=$last_name?>" />

Variables sent to the next file

credit_card_pay.php

<input type="hidden" name="vpc_LirtsName" value="<?=$last_name?>" />

This variable last_name is not declared anywhere in the code; I don't know how, why, or if it's even using it.

<form name="frm_main" action="com_web_process.php" method="post"  onsubmit=" return credit_card_validation();">

<input type="hidden" name="reciept_last_name" value="<?=$_POST["reciept_first_name"]?>" />

Posting customer information to the next file.

com_web_process.php

$_SESSION["CC_FIRST_NAME"]=$_POST["reciept_first_name"];

Posting customer info to session variables.

<form name="frmMain" action="./PHP_VPC_3Party_DO.php" method="post">

<input type="hidden" name="vpc_ReturnURL" size="63" value="http://www.visaustralia.com/ekey/credit_card_process.php" maxlength="250"/>

<input type="hidden" name="vpc_Amount" value="<?=$_POST["vpc_Amount"]?>" size="20" maxlength="10"/>

Sending info to the bank file on our server that connects and sends the information to the bank.

credit_card_process.php

$NAME=$_SESSION["CC_NAME"];

<td width="421" class="formLabel2" style="padding:5px;"><strong><?=$NAME?></strong>

Gets the name from the session and prints it in the receipt.

  • 1
    By default PHP sessions last 15 minutes, or as long as the browser is open, so as long as your pages call `session_start()` at the top of the pages and they complete the transactions on the other servers and come back to yours within the 15 minutes, the same session should be active. And if they are a logged-in user their session could be longer/shorter depending on how your system deals with logged-in users' sessions, i.e. Remember Me features. – Patrick Evans Feb 12 '14 at 02:38
  • @PatrickEvans: FYI, the answers in [this post](http://stackoverflow.com/q/9904105/259457) claim that the default session timeout is either 20 or 24 minutes. – Travesty3 Feb 12 '14 at 02:42
  • @Travesty3, yea, I havent messed with the default settings for session timing in awhile, just knew it was around there. – Patrick Evans Feb 12 '14 at 02:43
  • Session time is not an issue; I'm doing the testing in less than 2-3 minutes so I don't think that's the issue, but the values are still getting lost for some reason (AFTER I remove steps 2-4 and try to go directly to 5) – user3192802 Feb 12 '14 at 02:57
  • When I started tracking the cookies with Firebug it just randomly worked (maybe I had my cookies disabled or something? Though I didn't make any changes except tracking cookies with Firebug). Though I'm not sure why it's creating 3 sessions: http://i.imgur.com/TXVVGNx.png that's when the process starts and this one when it ends: http://i.imgur.com/9u0xeEf.png The session disappears in the middle of the process when we are in the bank API, but I understand that's normal – user3192802 Feb 12 '14 at 03:30

1 Answer


1) Yes, the session stays alive by setting a cookie which has the session id. PHP looks up the session and starts the session when you do session_start, usually near the start of your page. I'd recommend naming the session, see session_name(). You probably want to start the session at your step 1.

When the bank sends a redirect to the user's browser and they come back to your server the browser sends the session cookie, allowing php to resume the session and recognize the user.

2) If you've lost the session when they come back, make sure the cookie's URL that's set matches the URL they're redirected to: same domain, www, etc. Not likely, but make sure the cookie is set with a long enough expiration (or none). Check the cookie either by logging in PHP or using Firefox/Firebug etc. If the cookie value is different when they return, you know you've not restarted the same session but created a new empty session.

troseman
  • I didn't know you could check cookies and sessions with Firebug! Let me test it and I'll post any comments about it... – user3192802 Feb 12 '14 at 02:57
  • When I started tracking the cookies with Firebug it just randomly worked (maybe I had my cookies disabled or something? Though I didn't make any changes except tracking cookies with Firebug). Though I'm not sure why it's creating 3 sessions: http://i.imgur.com/TXVVGNx.png that's when the process starts and this one when it ends: http://i.imgur.com/9u0xeEf.png The session disappears in the middle of the process when we are in the bank API, but I understand that's normal – user3192802 Feb 12 '14 at 03:29
  • Ah, see you have two PHPSESSID cookies, one with www and one without? That's the problem. Is the bank passing PHPSESSID in the URL? How are you starting the sessions? You might want to explicitly pass the domain to the cookie (http://www.php.net/manual/en/function.session-set-cookie-params.php) to make sure it's the same every time. – troseman Feb 12 '14 at 03:37
  • Be sure and delete PHPSESSID cookies *every* time you test this since you want to make sure they're created correctly. (in cookies tab in FF, right click to delete) – troseman Feb 12 '14 at 03:43
  • The only thing I'm doing to create the session is: ` session_start(); error_reporting(E_ALL & ~E_NOTICE); $_SESSION["CREDIT_CARD_TRANS"]="YES"; ?>` I just loaded it again and it only shows one PHPSESSID (which I'm guessing is the session?); that other one might have been remnants of other testing – user3192802 Feb 12 '14 at 04:00
  • Sorry no! I only have 1 session when the process starts, but when I go to the receipt I have both sessions....in the second step I have: session_start(); include("includes/inc_config.php"); $_SESSION["CC_NAME"]=$_POST["vpc_CardHolderName"]; $_SESSION["CC_EMAIL"]=$_POST["cc_email"]; Should this be like that? – user3192802 Feb 12 '14 at 04:19
  • I think I got it from here, I'll google and investigate how to create sessions with individual names and such. or I'll force the involved pages to display www. at the beginning. Thanks a lot! Awesome comments and suggestions! I'd also vote your reply as useful but I dont have enough points X) – user3192802 Feb 12 '14 at 04:25
  • Only 1 more question though (if you can; if not, it's okay too). Going through the process with www. in all the webpages got rid of that second PHPSESSID, but I also have one called "6542671c4b238c0909b6ebd825182f0f" from the main site. Could that trigger the same issue? Or only the ones called PHPSESSID? – user3192802 Feb 12 '14 at 04:29
  • Only the ones named PHPSESSID or your own session name matter to you. I don't know what the other one is. Google Analytics makes a cookie. But the only session you see in your PHP code is the one you start. You can set session name first, then start the session and that's the one you'll see. Try deleting the other one and see which page creates it. Perhaps javascript? – troseman Feb 12 '14 at 05:17
  • Just one other thing, on this: $_SESSION["CC_NAME"]=$_POST["vpc_CardHolderName"]; Be *VERY* careful with this. You should always sanitize any POST variables before using them. – troseman Feb 12 '14 at 05:21
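Pulling the answer and the comment thread together (name the session, pin the cookie domain so www and bare-domain requests cannot each issue their own PHPSESSID, log the session id on each page so a lost session is visible, and sanitize POST data before it goes into the session), here is an added example of how the shortened flow could bootstrap its session. It is not code from the question, the answer, or the MIGS integration: `CANONICAL_HOST`, the session name `EKEYPAYSESS`, the field names and `vpc_ReceiptNo` are placeholders to replace with your own. Two caveats the thread does not spell out: the `vpc_ReturnURL` in the question is plain `http://`, and a cookie marked `secure` is never sent to an http URL, so the return URL must be https; and `SameSite=Lax` assumes the bank returns the customer with a top-level GET redirect, which is how the answer describes it.

```php
<?php
// session_bootstrap.php -- added example, not from the question or the answer.
// Included at the top of prepayment.php, com_web_process.php and
// credit_card_process.php before any output. Requires PHP >= 7.3 for the
// array form of session_set_cookie_params().
declare(strict_types=1);

const CANONICAL_HOST = 'www.example.com'; // assumption: the host vpc_ReturnURL points at
const SESSION_NAME   = 'EKEYPAYSESS';     // assumption: anything other than the default PHPSESSID

function start_payment_session(): void
{
    // Bare domain vs www yields two PHPSESSID cookies (the symptom in the
    // comments). Redirect to the canonical host before any cookie is issued,
    // so exactly one host ever sets it. The target host is a constant, so
    // this is not an open redirect.
    $host = strtolower($_SERVER['HTTP_HOST'] ?? '');
    if ($host !== CANONICAL_HOST) {
        header('Location: https://' . CANONICAL_HOST . ($_SERVER['REQUEST_URI'] ?? '/'), true, 302);
        exit;
    }

    session_name(SESSION_NAME);
    session_set_cookie_params([
        'lifetime' => 0,              // browser-session cookie; session.gc_maxlifetime still applies
        'path'     => '/',
        'domain'   => CANONICAL_HOST, // explicit domain, as the answer suggests
        'secure'   => true,           // never sent over http://, so vpc_ReturnURL must be https
        'httponly' => true,           // not readable from page script
        'samesite' => 'Lax',          // sent on the bank's top-level GET redirect back;
                                      // a gateway that POSTs back needs 'None' instead
    ]);
    session_start();
}

function trace_session(string $step): void
{
    // One log line per page hit. A different sid on credit_card_process than on
    // com_web_process means the return request created a new, empty session.
    error_log(sprintf('[pay-trace] step=%s host=%s sid=%s',
        $step, $_SERVER['HTTP_HOST'] ?? '-', session_id()));
}

function clean_field(string $key, int $max = 100): string
{
    // Minimal sanitising before a POST value is stored: trim, drop control
    // characters, cap the length. HTML escaping happens at output, via h().
    $v = trim((string)($_POST[$key] ?? ''));
    $v = preg_replace('/[\x00-\x1F\x7F]/', '', $v) ?? '';
    return substr($v, 0, $max);
}

function h(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// ---- com_web_process.php (prepayment.php now posts straight here; steps 2-4 removed) ----
// require __DIR__ . '/session_bootstrap.php';
start_payment_session();
trace_session('com_web_process');

$_SESSION['CREDIT_CARD_TRANS'] = 'YES';
$_SESSION['CC_NAME']    = clean_field('vpc_CardHolderName');
$_SESSION['CC_EMAIL']   = filter_var(clean_field('cc_email'), FILTER_VALIDATE_EMAIL) ?: '';
$_SESSION['CC_COUNTRY'] = clean_field('country', 60);   // assumption: field name
session_write_close();  // flush to the session store before handing off to the gateway
// ... then emit the form that posts to PHP_VPC_3Party_DO.php as before.

// ---- credit_card_process.php (the bank redirects the customer back here) ----
// require __DIR__ . '/session_bootstrap.php';
start_payment_session();
trace_session('credit_card_process');

if (($_SESSION['CREDIT_CARD_TRANS'] ?? '') !== 'YES') {
    http_response_code(400);
    exit('No payment in progress for this session.');
}
// Everything the gateway sends back is untrusted input: verify its response
// signature per the gateway's documentation before trusting it, and escape
// whatever is echoed. The parameter name below is an assumption.
$receipt = h((string)($_GET['vpc_ReceiptNo'] ?? ''));
$name    = h($_SESSION['CC_NAME'] ?? '');
$email   = h($_SESSION['CC_EMAIL'] ?? '');
unset($_SESSION['CREDIT_CARD_TRANS']);  // the receipt page cannot be reloaded as a new "transaction"

echo "<strong>{$name}</strong> {$email} receipt {$receipt}";
```

Every page in the flow includes the bootstrap and calls `start_payment_session()` before sending any output, since the redirect and the cookie are both headers. When testing, clear the old PHPSESSID cookies as the answer advises, then compare the `[pay-trace]` lines: if the sid on credit_card_process differs from the one on com_web_process, the return request did not carry the cookie (wrong host, http instead of https, or a cookie attribute the browser rejected), which is exactly the "new empty session" case described in the answer.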