Vineet Sawant

Users getting logged out after redirecting back from payment gateway


Hello,

I have a ticket booking website where people buy tickets for dramas.

I'm using the default user management system of PW to manage users and user sessions.

I have a problem similar to this one: http://processwire.com/talk/topic/4986-session-gets-lost/

I've noticed that many users are getting logged out when they are redirected back to the site after payment. Since I'm using temporary pages stored for each user when they make a purchase, the system cannot identify the transaction, and thus seats remain on hold even when the user has already paid for them.

What I wish to know is, is there any way we can prevent users from getting logged out? Probably by extending the session timeout?

Also, how proper would it be to maintain cookies of purchases? For example, I could write a cookie of the user's ID including the show & seat details. If the user is logged out when redirected back, I could use his/her ID to automatically log the user in and successfully complete the transaction.

Does this idea sound okay to you? Is there anything else I should be considering?

Thanks in advance, really appreciate your support.

  • Like 1


Hello everyone,

I was looking for a solution to my problem and ended up setting a cookie of the user ID and the transaction ID, which is unique. If the user comes back and is logged out, I can at least transfer seats to the user's account based on his ID and payment status.

 

But it'd be awesome if I could log the user back in using the user ID. I read some articles about a similar requirement, but even after turning $config->sessionChallenge to false,

 

// goes in pre-payment page
if ($user->isLoggedin()) {
    setcookie('uid', $user->id);
}

// goes in payment response page
$u = $users->get("id='{$input->cookie->uid}'");

$users->setCurrentUser($u);
$session->_user_id = $user->id;
 

is not working for me. Can anyone help me understand what I am doing wrong?

Thanks, have a great day!

Edited by Vineet Sawant

 

is not working for me. Can anyone help me understand what I am doing wrong?

Thanks, have a great day!

What "is not working"? That means?

It works fine for me if you mean the setCurrentUser(User).

The only thing I can say is make sure you actually have a user there with $u. If not, id='42' looks wrong to me and should be id=42.


Hello Soma, thanks for your reply.

What "is not working"? That means?

I meant the above written code is not working for me even after turning $config->sessionChallenge to false.

I did try without it this way, id=5446, but still it's not working for me. Also, 5446 is a valid user that does exist.

Btw, just to make sure I'm expecting the right thing from this code, what I want is, user 5446 or whatever ID the cookie holds, should get logged in automatically.

That's what this code does, right?


What do you expect? :P

Well, it only sets the current user for this request and does not log in.


Oh, well then I guess this is not the solution to my problem.

I want to log users in.

But again, this also does not answer the original question: why are users getting logged out in the first place, and how can I prevent that?

I read somewhere in the forum that sessions are getting lost because of dynamic IPs, but even I have a dynamic IP and have never lost sessions.


You can't log in the user, as you don't know the password.

setCurrentUser does not log in but sets the current user, so if you do that for every request it's like he's logged in.

To your original question, I have no idea. Not something usual.

  • Like 1


Have you set: 

$config->sessionFingerprint = false; 

in your config.php ?


Have you set: 

$config->sessionFingerprint = false; 

in your config.php ?

Yes, it's the first thing I did and was hoping that it'd solve the issue.

Are there any other config variables that should be turned off or on in order to keep users logged in longer? 

Should I increase the timeout time for session?


*UPDATE*

So, I just had to implement a solution so I ended up using cookies.

  • Two cookies are created for every user: when the user reaches the payment page, his/her user ID & transaction number are stored.
  • Every time the user is redirected back to the site, if he/she is logged out, I use the transaction ID returned by the payment gateway to identify the user by comparing it with the stored transaction ID, and get the user ID stored with it.
  • Once I have the user ID, I complete the post-successful-payment procedure to make sure the user gets what he paid for.

Updated it here so it might help someone in the future, and also so experts here can tell me if this solution is safe enough.

Thanks & Have a great day.

  • Like 1
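
On the "safe enough" question: a cookie is client-controlled, so a bare user ID stored in it can be edited, and the server should accept it only if it can verify that it issued the value. The following is an added example (not part of the original posts and not ProcessWire's own API) that binds the user ID to the transaction ID with an HMAC and checks it on return; the key, token layout, 30-minute lifetime and sample transaction IDs are assumptions.

```php
<?php
// Added example: signed purchase-recovery token for the cookie described above.
// Assumptions: SECRET_KEY lives only in server-side config; layout and TTL are illustrative.
const SECRET_KEY = 'REPLACE-with-random-key-from-server-config'; // placeholder

function b64url(string $s): string {
    return rtrim(strtr(base64_encode($s), '+/', '-_'), '=');
}

// Called on the pre-payment page, while the user is still logged in.
function issuePurchaseToken(int $userId, string $txnId, int $now, int $ttl = 1800): string {
    $body = b64url(json_encode(['uid' => $userId, 'txn' => $txnId, 'exp' => $now + $ttl]));
    return $body . '.' . hash_hmac('sha256', $body, SECRET_KEY);
}

// Called on the payment response page. Returns the user ID, or null if the
// token is forged, altered, expired, or issued for a different transaction.
function verifyPurchaseToken(string $token, string $gatewayTxnId, int $now): ?int {
    $parts = explode('.', $token);
    if (count($parts) !== 2) {
        return null;
    }
    [$body, $mac] = $parts;
    // Constant-time comparison; the MAC is checked before the body is parsed.
    if (!hash_equals(hash_hmac('sha256', $body, SECRET_KEY), $mac)) {
        return null;
    }
    $data = json_decode((string) base64_decode(strtr($body, '-_', '+/')), true);
    if (!is_array($data) || !isset($data['uid'], $data['txn'], $data['exp'])) {
        return null;
    }
    if ($now > $data['exp'] || !hash_equals((string) $data['txn'], $gatewayTxnId)) {
        return null;
    }
    return (int) $data['uid'];
}

// Constructed sample values: user 5446 from the thread, a made-up transaction ID.
$now   = 1700000000;
$token = issuePurchaseToken(5446, 'TXN-000123', $now);

// A cookie whose user ID was edited client-side keeps the old MAC and fails the check.
$forgedBody = b64url(json_encode(['uid' => 41, 'txn' => 'TXN-000123', 'exp' => $now + 1800]));
$forged     = $forgedBody . substr($token, strpos($token, '.'));

var_dump(verifyPurchaseToken($token, 'TXN-000123', $now + 60));   // untouched token
var_dump(verifyPurchaseToken($forged, 'TXN-000123', $now + 60));  // edited user ID
var_dump(verifyPurchaseToken($token, 'TXN-000999', $now + 60));   // other transaction
var_dump(verifyPurchaseToken($token, 'TXN-000123', $now + 7200)); // after expiry
```

The recovered ID is meant only for attaching the paid seats to that account once the gateway confirms the payment status; it is not a login.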


Another *UPDATE*

Hey everyone,

So just wanted to give an update to whoever is following this post & probably reading right now.

So I did implement the cookie-based solution and now, after about two weeks, it's doing a great job, I must say. 7 out of 10 transactions are being handled by this solution and people are getting their tickets even after getting logged out in the payment gateway's redirect process.

While there's nothing to complain about in all this, some questions still remain unanswered:

  1. Why are they getting logged out in the first place?
  2. Sessions are stored on the server, and a fingerprinting technique is used along with the user's IP to identify the session for each user, right? Then a change in which parameter can lead to session loss?
  3. Probably dynamic IPs are causing the problem, so can we just turn off the fingerprinting? In that case, will sessions still work?

I was also wondering if no one else has faced a similar situation before? (If I've found this bug then let me name it :P) I mean, there must be many ecommerce websites built with ProcessWire, right?

Would love to hear what you guys think about this. Thanks for your time, have a great day.


I have no idea why users are getting logged out in your case, but a few things I would look at:

1. How long was the user logged in at your site? Make sure they have completed at least one full page request as a logged in user before you redirect them elsewhere. You can accomplish this by redirecting to a local page first before redirecting to another site. 

2. What URL does your payment gateway return them to? If the user started out on an http URL and returned on an https URL (or the reverse), that might be something to look at. What sort of switching between http and https does your site perform?

3. Is the user returning to the exact same hostname? i.e. www.domain.com and not domain.com ?

  • Like 1
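
Points 2 and 3 above both come down to whether the browser sends the session cookie back on the return URL. The following added example (not from the original post; it applies simplified RFC 6265 matching and ignores the cookie path) checks that for a session cookie assumed to be host-only and flagged Secure; the cookie attributes and the /payment-response/ path are constructed.

```php
<?php
// Added example: would the browser attach the session cookie to this return URL?
// Simplified RFC 6265 rules (Secure flag and host/domain match; path ignored).

function cookieBlockers(array $cookie, string $url): array {
    $scheme = strtolower((string) parse_url($url, PHP_URL_SCHEME));
    $host   = strtolower((string) parse_url($url, PHP_URL_HOST));
    $why    = [];

    if ($cookie['secure'] && $scheme !== 'https') {
        $why[] = 'Secure cookie is never sent over plain http';
    }
    if ($cookie['domain'] === null) {
        // No Domain attribute: host-only cookie, exact host match required.
        if ($host !== strtolower($cookie['setByHost'])) {
            $why[] = "host-only cookie from {$cookie['setByHost']} is not sent to $host";
        }
    } else {
        // Domain attribute: the host must equal the domain or be a subdomain of it.
        $domain = ltrim(strtolower($cookie['domain']), '.');
        $suffix = '.' . $domain;
        if ($host !== $domain && substr($host, -strlen($suffix)) !== $suffix) {
            $why[] = "cookie domain $domain does not cover $host";
        }
    }
    return $why; // empty array: cookie is sent, session survives the redirect
}

// Constructed session cookie: set during login on https://www.domain.com
$sessionCookie = ['setByHost' => 'www.domain.com', 'domain' => null, 'secure' => true];

$returnUrls = [
    'https://www.domain.com/payment-response/',
    'http://www.domain.com/payment-response/',   // scheme differs (point 2)
    'https://domain.com/payment-response/',      // hostname differs (point 3)
];
foreach ($returnUrls as $url) {
    $why = cookieBlockers($sessionCookie, $url);
    echo $url, ' => ', $why ? implode('; ', $why) : 'cookie sent', PHP_EOL;
}
```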


@Ryan, you are the man, Ryan, I can't thank you enough. I checked the redirection settings and it was indeed redirecting back to http, not https as it should have. I've fixed that now; let's see if it works. I don't see any reason for it to fail now. Once again, thanks a ton, I feel so foolish now!!!


Users still getting logged out? Just as a test, what happens if you open another window along the way, whether hitting the payment gateway URL with a target=_blank, or what not. Just curious if that keeps the session active.


Hey Ryan,

Will try that & update you. Just wanted to know if having debug mode on will provide any important information which might provide some clue?

Also, do you think such a problem can happen due to multiple users being online at once and the server not being able to maintain sessions? We already have over 7k users registered.
