Reputation: 391
I'm creating a web game with a login page. This takes the user through to Paypal if they want to convert to a 'pro' version of the game.
The problem I'm having is that the session seems to be breaking on return from Paypal to my payment_successful.php page. The session variables are all empty.
I began by giving all appropriate pages a session_start() line. The session ID (taken from the console in Chrome) is the same for when the session starts, and returning back to payment_successful.php. So this "appears" to be constant.
After a lot of tinkering with different ideas, I tried manually adding in a session id.
Both the Login Page and Payment_successful page:
session_id('my_id');
session_start();
This works like a charm and returns all of my session variables perfectly. However, I'm guessing that it's an incredibly bad idea to have a fixed session id (sorry, I forgot to mention I'm new to all of this).
So I changed the Login Page to create my own session id, hoping that it would simply just take the new value in place of the fixed value:
Login Page
add_seshid();
session_start();
// session_set_cookie_params (lifetime,'/','.mydomain.com',false);
function add_seshid() {
$sesh_salt1 = "*s!$e";
$sesh_salt2 = "$6#£";
$sesh_date = date("mYhds");
$sesh_pass = "lambchops".$sesh_date;
$sesh_token = hash('ripemd128',"$sesh_salt1$sesh_pass$sesh_salt2");
session_id($sesh_token);
}
Payment_successful Page:
session_id($sesh_token);
session_start();
Although it does output a session id (eg. 986a25f1d1fdabc62837def39b485c6), and spans it right across the session, it too doesn't return any session variables. The session_set_cookie_params line I tinkered with, using my own domain name, to see if there was a problem with the domain name changing, but this has not made any difference. Also, all passwords, salts, etc., have been changed for the purposes of this post in case anyone was itching to comment!!
Hoping someone could point me in the right direction.
Many thanks,
Dan.
Upvotes: 0
Views: 2944
Reputation: 1659
Had the same problem, really annoying because the redirection from Stripe payment was not making me lose the user session and the PayPal one was! I had to remove this option from the PayPal form so as not to lose the user session:
<input type="hidden" name="rm" value="2">
Really crazy that this option was making me lose the user session!
I still have the auto redirection after the payment.
Upvotes: 4
Reputation: 473
Let's say there is http://sitea/landing.php which is your site page. This should start with
session_start();
And when you access this page - if you activate the developer toolbar in your browser - you should see your PHPSESSID.
Now let's say somewhere there is a link to paypal:
echo '<a href="http://paypal.com">Go to paypal</a><br>';
And after you complete purchase and get redirected from paypal to your success page - do you see same PHPSESSID in the browser?
Your success page should also start with
session_start();
After which your session vars should be available via $_SESSION['varname']
Edit 1:
Did you try to test on 2 simple VMs?
Spin off 2 VMs.
One will represent your website (let's call it SiteA) and another will represent your paypal (Let's call it SiteB).
On SiteA create following test code
cat FormData.html
<!DOCTYPE html>
<html>
<body>

<form action="session_start.php" method="post">
  First name:<br>
  <input type="text" name="firstname" value="Mickey">
  <br>
  Last name:<br>
  <input type="text" name="lastname" value="Mouse">
  <br><br>
  <input type="submit" value="Submit">
</form>

<p>If you click the "Submit" button, the form-data will be sent to a page called "session_start.php".</p>

</body>
</html>
cat session_start.php
<?php
session_start();
echo "Hello World!<br>";
// Escape the submitted values before echoing them into the page.
echo "Received First Name as " . htmlspecialchars($_POST['firstname'] ?? '', ENT_QUOTES, 'UTF-8') . "<br>";
echo "Received Last Name as " . htmlspecialchars($_POST['lastname'] ?? '', ENT_QUOTES, 'UTF-8') . "<br>";
// Keep the submitted values in the session so the other pages can read them.
$_SESSION['firstname'] = $_POST['firstname'] ?? '';
$_SESSION['lastname'] = $_POST['lastname'] ?? '';
echo '<a href="display_session_data.php">Display session data</a><br>';
echo '<a href="http://192.168.0.43/paypal.php">Go to paypal</a><br>';
?>
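cat display_session_data.php
<?php
session_start();
// Escape the stored values before echoing them; empty output means the session was not found.
echo "First Name is " . htmlspecialchars($_SESSION['firstname'] ?? '', ENT_QUOTES, 'UTF-8') . " <br>";
echo "Last Name is " . htmlspecialchars($_SESSION['lastname'] ?? '', ENT_QUOTES, 'UTF-8') . " <br>";
?>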
On Site B create a single page
cat paypal.php
<?php
echo '<a href="http://192.168.0.43/display_session_data.php">Go back to game site</a>';
?>
See if this works for you. It should.
Then if this works - replace SiteB link with your paypal link.
Test.
Basically try to go in iterations doing small verifiable steps and make sure that they work as you expect. This way the moment something breaks you know exactly what you changed and where to look for a problem.
Upvotes: 2
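An added example, not code from the question or any of the answers: a shared session bootstrap that replaces the fixed and hand-built session IDs tried in the question with PHP's own random ID, plus a check for the PHPSESSID comparison the last answer asks for. It assumes PHP 7.3 or later and an HTTPS site; the file name, the function names and `.example.com` are placeholders.

```php
<?php
// session_bootstrap.php (hypothetical name): include it at the top of both the
// login page and payment_successful.php so both use identical settings.

function start_app_session(): void
{
    // Refuse session IDs the server did not issue, which is what a fixed
    // or guessable ID (session_id('my_id'), a hash of the date) invites.
    ini_set('session.use_strict_mode', '1');
    ini_set('session.use_only_cookies', '1');

    session_set_cookie_params([
        'lifetime' => 0,               // cookie ends with the browser session
        'path'     => '/',
        'domain'   => '.example.com',  // assumption: placeholder; covers both
                                       // example.com and www.example.com
        'secure'   => true,            // assumption: the site is served over HTTPS
        'httponly' => true,            // not readable from JavaScript
        'samesite' => 'Lax',           // sent on top-level GET navigations from
                                       // other sites, not on cross-site POSTs
    ]);
    session_start();                   // PHP generates the random ID itself
}

function mark_logged_in(int $userId): void
{
    // Issue a fresh ID at login; true deletes the old session's data.
    session_regenerate_id(true);
    $_SESSION['user_id'] = $userId;
}

function describe_return_request(): string
{
    // Did the browser send the session cookie, and does that session
    // still hold the login?
    return sprintf(
        'method=%s host=%s cookie_sent=%s logged_in=%s',
        $_SERVER['REQUEST_METHOD'] ?? 'CLI',
        $_SERVER['HTTP_HOST'] ?? '-',
        isset($_COOKIE[session_name()]) ? 'yes' : 'no',
        isset($_SESSION['user_id']) ? 'yes' : 'no'
    );
}

// On payment_successful.php:
//   start_app_session();
//   error_log(describe_return_request());
```

If the return request logs cookie_sent=no, compare its method and host with a request logged from the login page; a host name the cookie's domain does not cover and a cross-site POST are both cases where the browser withholds this cookie.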