[Deansatch]

I am using paypal ipn to activate a script. The script relies on values set in sessions.

So:

• User starts a session by adding items to cart on my website.
• the items are stored in sessions and session arrays.
  
• the user then goes to the checkout and is redirected to paypal.
• Without ipn, the user would be redirected to my complete page and run the activation script from there which would work fine and does.

• However, with ipn, the user submits the payment on paypal and then:
• paypal posts info to my verify script
• my verify script posts back to paypal
• paypal runs my script assuming it verified it, but the session variables will be empty since the session cookies were stored on the users computer.

paypal then directs user back to complete page where no script is supposed to run.

End result: user pays for service and nothing is received.

In a nutshell, how can I get paypal to get the session contents without using a database?

[End User]

Generally if they're coming back to your page within any reasonable amount of time the session should still be viable regardless of where they've gone in the interim. Are you positive you're starting a session, or restarting it when they return?

[Vicious]

When posting to Paypal, can you send any variable you wish? Like:

html Code:

<input type="hidden" name="mommy" value="My mommy is Vivian" />

And then Paypal returns that value?

If it is the case, you could send your session ID to Paypal, and when the session ID is returned, you can load that session.

[Deansatch]

The problem is, the session stores the cart items in cookies on users pc.

Paypal runs the ipn verifications script which has to access the session cookies which populate a database with the cart items but paypal will not have access to the cookies since this all happens between my sites server and paypal, omitting the user.

By the time it gets back to the user, they will see the complete page with all the cart items listed as if everything worked.

Or are the items in the session stored on my server and just a session id in the users cookie?

If so, sending the session ID to paypal might work if I can recall the session in the verify script.

How do I get the session id and then set it as the session again later on?

Sorry for the quality of the picture:

1. User adds items to cart stored in session arrays and clicks on "buy"
2. User directed to paypal where they click on "pay now"
3. User waits whilst paypal secretly contacts my server for verification and gets it and asks my server to run my verify script.
4. my script runs using the values from the stored session variables and populates the database and sends emails etc... and hands the reigns back over to paypal
5. paypal redirects the user to my server for summary of order

Because steps 3 and 4 are between paypal and my server, whatever is stored in the users session on their pc is not accessed. Hence, empty session variables when trying to populate my database.

I hope this and my drawing make things a bit clearer

ok. Sorry for all the questions. I have it sorted and working.

set custom field to post to paypal as session_id()

then added :

PHP Code:

session_id($_POST['custom']);

session_start(); 

at start of verify ipn file.

Let me know if there are any security issues with my methods though please.

thanks

[Vicious]

Well I don't think so. That was my proposal, and I'm glad it worked for you.

I would however choose anothe approach:

1. user buys item -> it goes in a temporary table, with a unique ID
2. payment is done via Paypal, set the unique ID from step 1 in the custom field
3. payment is being verified
4. if payment is verified, get the item from the temporary table via that unique ID you get back in $_POST["custom"]
5. store the item in the final table, and remove the item from the temporary table

That way you don't have to mess around with session stuff.

[Deansatch]

I wish I had done it that way but it will take a lot of work to change it now.

Thanks for all your help

[Deansatch]

This is sort of a new problem but directly related to this post so I will stick it on here instead of creating a new thread.

PROBLEM: I can't seem to totally get rid of the session data.

My script takes an order, flies off to paypal and uses the session id to run my script and then comes back to my site where it is told to session_destroy()

The user can then go and place another order and instead of entering their details, they can log in and add their order to their account. That part works fine, however, when they receive their order confirmation email with the imploded shopping cart session, it has the old order on it aswell.

Is there some way to totally erase all session variables, session and session id?

[Jay6390]

Hi deansatch. If you go to the session_destroy() function on php.net it also tells you that you need to delete the cookie as well to completely remove the session. Heres the code from the page

PHP Code:

  <?php
// Initialize the session.
// If you are using session_name("something"), don't forget it now!
session_start();

// Unset all of the session variables.
$_SESSION = array();

// If it's desired to kill the session, also delete the session cookie.
// Note: This will destroy the session, and not just the session data!
if (isset($_COOKIE[session_name()])) {
    setcookie(session_name(), '', time()-42000, '/');
}

// Finally, destroy the session.
session_destroy();
?>

Hope thats of some help

Jay

[Deansatch]

Thanks

I tried that but it didn't work.

Will the cookie be stored on my pc, the web server or paypals server?

[Deansatch]

I have just checked, and it is sending a totally different session id to paypal for each order. If it is a different session, how come my session still implodes to show old variables?