Users getting logged out after redirecting back from payment gateway


Vineet Sawant
Hello,

I have this ticket booking website where people buy tickets for dramas.

I'm using the default user management system of PW to manage users and user sessions.

I have a problem similar to this one: http://processwire.com/talk/topic/4986-session-gets-lost/

I've noticed that many users are getting logged out when they are redirected back to the site after payment. Since I'm using temporary pages stored for each user when they make a purchase, the system cannot identify the transaction and thus seats remain on hold even when the user has already paid for them.

What I wish to know is: is there any way we can prevent users from getting logged out? Probably by extending the session timeout?

Also, how proper would it be to maintain cookies of purchases? For example, I could write a cookie with the user's ID including the show & seat details. If the user is logged out when redirected back, I could use his/her ID to automatically log the user in and successfully complete the transaction.

Does this idea sound okay to you? Is there anything else I should be considering?

Thanks in advance, really appreciate your support.

Link to comment
Share on other sites

Hello everyone,

I was looking for a solution to my problem and ended up setting a cookie with the user ID and the transaction ID, which is unique. If the user comes back and is logged out, I can at least transfer seats to the user's account based on his ID and payment status.

But it'd be awesome if I could log the user back in using the user ID. I read some articles about similar requirements, but even after turning $config->sessionChallenge to false,

//goes in pre-payment page
if ($user->isLoggedin()) {
	setcookie('uid',$user->id);
}

//goes in payment response page
$u = $users->get("id='{$input->cookie->uid}'");

$users->setCurrentUser($u); 
$session->_user_id = $user->id;
 

is not working for me. Can anyone help me understand what I am doing wrong?

Thanks, have a great day!

Edited by Vineet Sawant
Link to comment
Share on other sites

 

is not working for me. Can anyone help me understand what I am doing wrong?

Thanks, have a great day!

What "is not working"? That means?

It works fine for me if you mean the setCurrentUser(User).

The only thing I can say is make sure you actually have a user there with $u. If not, id='42' looks wrong to me and should be id=42

Link to comment
Share on other sites

Hello Soma, thanks for your reply.

What "is not working"? That means?

I meant the code written above is not working for me even after turning $config->sessionChallenge to false.

I did try without it this way, id=5446, but it's still not working for me. Also, 5446 is a valid user that does exist.

Btw, just to make sure I'm expecting the right thing from this code: what I want is that user 5446, or whatever ID the cookie holds, should get logged in automatically.

That's what this code does, right?

Link to comment
Share on other sites

Oh, well then I guess this is not the solution to my problem.

I want to log users in.

But again, this also does not answer the original question: why are users getting logged out in the first place, and how can I prevent that?

I read somewhere in the forum that it's because of dynamic IPs that sessions are getting lost, but even I have a dynamic IP and have never lost sessions.

Link to comment
Share on other sites

You can't log in the user, as you don't know the password.

setCurrentUser does not log in but sets the current user, so if you do that for every request it's like he's logged in.

To your original question I have no idea. Not something usual.

Link to comment
Share on other sites

Have you set $config->sessionFingerprint = false; in your config.php?

Yes, it's the first thing I did and was hoping that it'd solve the issue.

Are there any other config variables that should be turned off or on in order to keep users logged in longer? 

Should I increase the timeout time for session?

Link to comment
Share on other sites

*UPDATE*

So, I just had to implement a solution, so I ended up using cookies.

  • There are two cookies created for every user: when the user reaches the payment page, his/her user ID & transaction number are stored.
  • Every time a user is redirected back to the site, if he/she is logged out, I use the transaction ID returned by the payment gateway to identify the user by comparing it with the stored transaction ID and getting the user ID stored with it.
  • Once I have the user ID, I complete the post-successful-payment procedure to make sure the user gets what he paid for.

I've updated it here so it might help someone in future, and also so experts here can tell me if this solution is safe enough.

Thanks & have a great day.

Link to comment
Share on other sites
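
On the "is it safe enough" question in the update above, an added example that is not part of the original post: a cookie holding a bare user ID and transaction ID can be edited in the browser, so one option is to sign it with a server-side HMAC and accept it only when the signature, expiry and gateway-reported transaction ID all check out. `SECRET_KEY`, the payload layout and the sample transaction IDs are assumptions made for this sketch.

```php
<?php
// Added example, not the poster's code. SECRET_KEY is a placeholder for a long
// random value kept only on the server; the field names are assumptions.
const SECRET_KEY = 'replace-with-a-long-random-server-side-secret';

// Build the cookie value: base64(JSON payload) . "." . hex HMAC-SHA256
function makeTxnCookie(int $userId, string $txnId, int $ttl = 1800): string {
    $payload = json_encode(['uid' => $userId, 'txn' => $txnId, 'exp' => time() + $ttl]);
    return base64_encode($payload) . '.' . hash_hmac('sha256', $payload, SECRET_KEY);
}

// Returns the user ID only if the MAC verifies, the cookie has not expired and
// its transaction ID equals the one reported by the gateway; otherwise null.
function verifyTxnCookie(string $cookie, string $gatewayTxnId): ?int {
    $parts = explode('.', $cookie, 2);
    if (count($parts) !== 2) return null;
    $payload = base64_decode($parts[0], true);
    if ($payload === false) return null;
    $expected = hash_hmac('sha256', $payload, SECRET_KEY);
    if (!hash_equals($expected, $parts[1])) return null;   // constant-time compare
    $data = json_decode($payload, true);
    if (!is_array($data) || !isset($data['uid'], $data['txn'], $data['exp'])) return null;
    if ($data['exp'] < time()) return null;
    if (!hash_equals((string) $data['txn'], $gatewayTxnId)) return null;
    return (int) $data['uid'];
}

// Constructed sample values (5446 is the user ID mentioned in the thread).
$cookie = makeTxnCookie(5446, 'TXN-0001');
var_dump(verifyTxnCookie($cookie, 'TXN-0001'));   // genuine cookie, matching transaction

// Same signature, but the payload was changed after signing.
$altered = base64_encode(json_encode(['uid' => 41, 'txn' => 'TXN-0001', 'exp' => time() + 60]))
         . '.' . explode('.', $cookie, 2)[1];
var_dump(verifyTxnCookie($altered, 'TXN-0001'));

// Genuine cookie presented with a different gateway transaction ID.
var_dump(verifyTxnCookie($cookie, 'TXN-0002'));
```

The verified user ID is only used to attach the paid seats to an account; the payment status itself still has to come from the gateway, not from the cookie, and the cookie should be set with the Secure and HttpOnly attributes.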

  • 2 weeks later...

Another *UPDATE*

Hey everyone,

So just wanted to give an update to whoever is following this post & probably reading right now.

So I did implement the cookie-based solution and now, after about two weeks, it's doing a great job I must say. 7 out of 10 transactions are being handled by this solution and people are getting their tickets even after getting logged out in the payment gateway's redirect process.

While there's nothing to complain about in all this, some questions still remain unanswered:

  1. Why are they getting logged out in the first place?
  2. Sessions are stored on the server and a fingerprinting technique is used along with the user's IP to identify the session for each user, right? Then a change in which parameter can lead to session loss?
  3. Probably dynamic IPs are causing the problem, so can we just turn off the fingerprinting? In that case, will sessions still work?

I was also wondering whether no one else has faced a similar situation before? (If I've found this bug then let me name it :P) I mean, there must be many ecommerce websites built with ProcessWire, right?

Would love to hear what you guys think about this. Thanks for your time, have a great day.

Link to comment
Share on other sites

I have no idea why users are getting logged out in your case, but a few things I would look at:

1. How long was the user logged in at your site? Make sure they have completed at least one full page request as a logged in user before you redirect them elsewhere. You can accomplish this by redirecting to a local page first before redirecting to another site. 

2. What URL does your payment gateway return them to? If the user started out on an http URL and returned on an https URL (or the reverse), that might be something to look at. What sort of switching between http and https does your site perform?

3. Is the user returning to the exact same hostname? i.e. www.domain.com and not domain.com ?

Link to comment
Share on other sites
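
Points 2 and 3 in the reply above, as an added example that is not part of the original thread: a simplified model of two browser cookie rules (the Secure flag and host matching) that reports why a session cookie would not accompany the request to a given gateway return URL. The function name, the cookie array layout and the example.com hostnames are constructed for illustration.

```php
<?php
// Added example, not ProcessWire code. Models only the Secure flag and
// host/domain matching; hostnames and cookie values are constructed.

function reasonsCookieNotSent(array $cookie, string $url): array {
    $parts   = parse_url($url);
    $scheme  = strtolower($parts['scheme'] ?? '');
    $host    = strtolower($parts['host'] ?? '');
    $reasons = [];

    // A cookie flagged Secure is only sent over https.
    if (!empty($cookie['secure']) && $scheme !== 'https') {
        $reasons[] = "Secure cookie is not sent over {$scheme}";
    }

    $domain = strtolower(ltrim($cookie['domain'] ?? '', '.'));
    $setBy  = strtolower($cookie['set_by_host']);
    if ($domain === '') {
        // No Domain attribute: host-only cookie, exact hostname match required.
        if ($host !== $setBy) {
            $reasons[] = "host-only cookie from {$setBy} is not sent to {$host}";
        }
    } else {
        // Domain attribute: the host must equal the domain or be a subdomain of it.
        $suffix = '.' . $domain;
        if ($host !== $domain && substr($host, -strlen($suffix)) !== $suffix) {
            $reasons[] = "{$host} is outside cookie domain {$domain}";
        }
    }
    return $reasons; // empty array: the cookie accompanies the request
}

// Session cookie as set while the user was logged in on https://www.example.com
$sessionCookie = ['set_by_host' => 'www.example.com', 'domain' => '', 'secure' => true];

$returnUrls = [
    'https://www.example.com/payment-response/', // same scheme and host
    'http://www.example.com/payment-response/',  // gateway configured with http
    'https://example.com/payment-response/',     // gateway configured without www
];
foreach ($returnUrls as $url) {
    $why = reasonsCookieNotSent($sessionCookie, $url);
    echo $url, ' => ', $why ? implode('; ', $why) : 'session cookie sent', PHP_EOL;
}
```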

@Ryan, you are the man Ryan, I can't thank you enough. I checked the redirection settings and it was indeed redirecting back to http, not https as it should have. I've fixed that now, let's see if it works. I don't see any reason for it to fail now. Once again, thanks a ton, I feel so foolish now!!!

Link to comment
Share on other sites

Users still getting logged out? Just as a test, what happens if you open another window along the way, whether hitting the payment gateway URL with a target=_blank, or what not. Just curious if that keeps the session active.

Link to comment
Share on other sites

Hey Ryan,

Will try that & update you. Just wanted to know if having debug mode on will provide any important information which might provide some clue?

Also, do you think such a problem can happen due to multiple users being online at once and the server not being able to maintain sessions? We already have over 7k users registered.

Link to comment
Share on other sites
