VeeWee

Reputation: 580

Session lost after redirection from payments provider

Some of our customers are experiencing a strange situation in which they lose their session data. This always happens after a redirect from our payments provider Ogone. The flow is as follows:

While debugging this issue, I found out that the session data is lost when the user is redirected from Ogone to the application. This happens only once in every x requests. So when I test the code in any possible browser, it appears to work just fine. I did not manage to find a link between failed payments and browser / payment method / ....

This is my session configuration:

'session.name' => 'PHPSESSID',
'session.save_path' => '/var/www/app/data/session',
'session.gc_probability' => 1,
'session.gc_divisor' => 100,
'session.gc_maxlifetime' => 5400, // 90 min.
'session.cookie_lifetime' => 0,
'session.bug_compat_warn' => 'off'

The session ID is also being passed by query parameters in the URL. This ID is available in the page ogone redirects to.

Is there someone who can help me out with this painful issue?

Upvotes: 1

Views: 5818

Answers (1)

Joshua Kissoon

Reputation: 3319

A session ID passed in a query parameter is vulnerable to session fixation.

What you can do is store the session data in your database, say in some table T at row i; then store the value i in a cookie. When a user is back on the site, retrieve i from the cookie, then load the session data from the database.

// Store the data in the database, in whatever form you choose
// (a PDO connection $pdo and a table holding the serialized data are assumed here)
$stmt = $pdo->prepare('INSERT INTO session_data (payload) VALUES (:payload)');
$stmt->execute([':payload' => json_encode($data)]);
$id = $pdo->lastInsertId(); // Get the ID of the row in which this information is stored

// Store the id in a cookie
setcookie("session_data_row_id", $id, time() + 3600 * 24);  /* expire in 1 day */

Now you retrieve the data from the database back into the session when needed:

// Get the row id from the cookie
$id = $_COOKIE['session_data_row_id'] ?? null;

// Use this ID and retrieve the data from the database
// (a PDO connection $pdo and the table the data was stored in are assumed here)
$stmt = $pdo->prepare('SELECT payload FROM session_data WHERE id = :id');
$stmt->execute([':id' => $id]);
$payload = $stmt->fetchColumn();
$data = $payload === false ? null : json_decode($payload, true);

Why web storage instead of cookies to store all data?

  1. It's not wise to store sensitive data in cookies since an XSS attack can get all cookies
  2. Cookies give you a limit of 4096 bytes per domain

More Resources:

  1. http://davidwalsh.name/php-cookies
  2. https://www.php.net/setcookie
  3. Local Storage vs Cookies
  4. Keep $_SESSION alive with autorenewing counter

Upvotes: 1
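An added example, not code from the question or the answer above, showing the answer's store-in-database approach with the cookie carrying a random token instead of the sequential row id (an auto-increment id is guessable, so one client could fetch another client's data) and with the cookie flags set. It assumes a PDO connection $pdo and a hypothetical table session_data; the TTL mirrors the session.gc_maxlifetime from the question.

```php
<?php
// Added example: session data kept in a database, looked up by a random token
// stored in a cookie. Assumes a PDO connection $pdo and a hypothetical table
//   session_data (token CHAR(64) PRIMARY KEY, payload TEXT, created_at DATETIME)

const SESSION_COOKIE = 'session_data_token';
const SESSION_TTL    = 5400; // 90 min, matching session.gc_maxlifetime above

function saveSessionData(PDO $pdo, array $data): string
{
    // 32 random bytes -> 64 hex chars: unguessable, unlike an auto-increment id
    $token = bin2hex(random_bytes(32));
    $stmt  = $pdo->prepare(
        'INSERT INTO session_data (token, payload, created_at) VALUES (:t, :p, :c)'
    );
    $stmt->execute([
        ':t' => $token,
        ':p' => json_encode($data),
        ':c' => date('Y-m-d H:i:s'),
    ]);

    // HttpOnly keeps the token away from script (XSS); Secure limits it to HTTPS;
    // Lax still sends it on a top-level GET redirect back from the provider,
    // but a cross-site POST back would need samesite=None (which requires Secure).
    setcookie(SESSION_COOKIE, $token, [          // options array: PHP >= 7.3
        'expires'  => time() + SESSION_TTL,
        'path'     => '/',
        'secure'   => true,
        'httponly' => true,
        'samesite' => 'Lax',
    ]);
    return $token;
}

function loadSessionData(PDO $pdo): ?array
{
    $token = $_COOKIE[SESSION_COOKIE] ?? '';
    // Reject anything that is not a 64-char hex token before querying
    if (!preg_match('/^[0-9a-f]{64}$/', $token)) {
        return null;
    }
    $stmt = $pdo->prepare(
        'SELECT payload FROM session_data WHERE token = :t AND created_at > :cutoff'
    );
    $stmt->execute([':t' => $token, ':cutoff' => date('Y-m-d H:i:s', time() - SESSION_TTL)]);
    $payload = $stmt->fetchColumn();
    return $payload === false ? null : json_decode($payload, true);
}
```

Expired rows still need a periodic DELETE on created_at, the same job session.gc_* does for file-based sessions.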
