$session gets lost?

[Eltom]

Hi all,

that's rather strange. It worked for some days but today it's broken and I don't know why.

I'm implementing an user registration process where you have to pay some amount to earn a membership for a month.

First you enter all your data (Street, Names, Username, Password...), this will be stored, and then you'll be directed to Paypal to pay the amount. Then a redirect happens to my page and a flag "payed" will be stored, too.

To detect the right user, I created a $session->userdata = $input->post->getArray(); after the first post. This could be anything different, the point is: $session->userdata gets lost after the redirect from Paypal. It worked quite a while, but today it's broken.

Is there a way to make $session permanent for, let's say, one day or so?

Regards,

Thomas

[adrian]

Hi Eltom,

I am not really sure why this worked for you before - maybe I am misunderstanding exactly what is happening.

Sessions last until the browser is closed or the user leaves the site (ie a redirect back from Paypal). You'll need to use cookies or you could save the data in PW pages. I haven't ever used PayPal, but I assume they return some transaction number along with some identifier that you also sent them initially, which can be used to identify the purchase. 

Take a look at these links:

http://cheatsheet.processwire.com/input/properties-and-methods/input-cookie/

http://davidwalsh.name/php-cookies

http://www.thesitewizard.com/php/set-cookies.shtml

You can also set and get cookies with javascript/jquery. This is a great little jquery plugin for making this simple as possible:

https://github.com/carhartl/jquery-cookie

Hope that helps.

[DaveP]

Aaahh, the joys of Paypal's IPN... 

[Wanze]

To detect the right user, I created a $session->userdata = $input->post->getArray();

This is very dangerous from a security point of view. Never store information coming from the user directly in the session without sanitizing and validating first.

Plus, only store necessary informations, for example the e-mail or user-ID. Example: A bad guy can now alter the post data and include 10'000'000'000 new variables which you try to store in a file on the server. Maybe your server crashes

Do you use ProcessWire users for the registrated users? I don't understand why you need to store stuff from a post request into the session. I mean, after the registration your system somehow needs to be able to log in users. And if a user is logged in without the "payed" flag, you show the link to PayPal. But in this

case you already have a valid session for the user...?

Sessions last until the browser is closed or the user leaves the site

The first is true, because "normally" cookies get deleted by clearing the browser. But when leaving a page or closing the tab, the session remains. How long a session is valid, is defined in your php.ini.

[adrian]

Sorry for the session misinformation - I really wasn't thinking clearly apparently

The php.ini setting you are looking for is: session.gc_maxlifetime setting.

Definitely worth doing a: https://www.google.com.au/search?q=php+session+vs+cookie because there are lots of interesting difference and similarities between sessions and cookies that apparently can be confusing, although it really is quite simple

[Eltom]

@Wanze: Thanks for your remarks. That's totally true and I'll change things a little bit. I created the user without a login: Just a plain $u = new User(); ...

@adrian: Thanks for alle your remarks. I'll dig into your links and maybe I'll change some things. It's totally confusing, because it worked last week. 

[Eltom]

@adrian: It works, when I log in the user right after I created him.