rianquinn Posted April 14, 2009

I have a site that uses sessions. Users can register with my site, and then login, and logout. They can choose a product, and add it to their cart.

Scenario: Suppose user A logs in, and adds an item to his/her cart. Then user A logs out. When User B logs in, and views his/her cart, he/she can see user A's cart contents.

This happens with multiple shopping carts including PayPal and E-Junkie. These all use cookies; they are said to be tied to the session. How do you clear them out? I have tried a lot. Currently my logout code is below. NOTE: This is straight from the PHP manual.

Has anyone gotten PHP working with regards to user logins and shopping carts?

```php
<?php
// Initialize the session.
// If you are using session_name("something"), don't forget it now!
session_start();

// Unset all of the session variables.
$_SESSION = array();

// If it's desired to kill the session, also delete the session cookie.
// Note: This will destroy the session, and not just the session data!
if (isset($_COOKIE[session_name()])) {
    setcookie(session_name(), '', time()-42000, '/');
}

// Finally, destroy the session.
session_destroy();
?>
```

MasterACE14 Posted April 14, 2009

That script is right. No problems there.

rianquinn Posted April 14, 2009

If this code is correct, why are the shopping carts not clearing out? I have posted this question to the PayPal forums and the guy said it is because there is no difference between users:

http://www.pdncommunity.com/pdn/board/message?board.id=ppcart&thread.id=11266&view=by_date_ascending&page=1

I'm not sure if he's brushing me off, but he hasn't replied in two days now. I don't like PayPal anyways, so I decided to try e-junkie and I like it much better, but I get the same exact problem.

Ashoar Posted April 14, 2009

You need to set the username of the people logging in as well as setting the cookie and it may work.

```php
$username = $_SESSION['username'];
```

Where username would be the name of the username session you set when a user logs in. Then every time a user does something or sets something, save it to the mysql table where the username row in the table = the username variable.

PFMaBiSmAd Posted April 14, 2009

> he/she can see user A's cart contents.

Sessions are unique to each visitor. If an existing cart can be seen by a different visitor, it means you have a logic error or a design problem in your code, and this has nothing to do with the basic functioning of sessions and it has nothing to do with your logout code.

How are your carts stored and how do you relate that information to each visitor?

rianquinn Posted April 14, 2009

Is "username" a PHP thing, or was it just an example? Currently, the username is their email. The following is my login function. Keep in mind that everything is AJAX based.

```php
<?php

/* Session is started first because PHP requires it first */
session_start();

/* If the user is already logged in, report it. */
/* isset() replaces session_is_registered(), which newer PHP versions removed. */
if (isset($_SESSION['email'])) {
    // Already logged in.
    echo "ALREADY_LOGGED_IN|" . $_SESSION['card_code'] . "|";
} else {
    /* Get the document root. */
    $ROOT = $_SERVER['DOCUMENT_ROOT'];

    /* Include the database class. */
    require_once $ROOT . '/assets/php/db.php';

    /* Define the database. */
    $db = new Database;

    /* Connect to the Database. */
    $result = $db->connect();

    /* Make sure the connection was a success. Once a connection is made,
       attempt to login the user. If the login fails, return the error,
       otherwise return success. */
    if ($result == "SUCCESS") {
        $email = $_POST["email"];
        $password = $_POST["password"];

        # If the email is '0', this is a login attempt from an init function.
        # This login attempt should be ignored.
        if ($email == "0") {
            // Done.
            echo "IGNORE";
        } else {
            # Login the user.
            echo login($db, $email, $password);
        }
    } else {
        # Return error.
        echo $result;
    }
}

/* *********************************************************************** */
/* The following function attempts to login the user. */
function login()
{
    # Get the function arguments.
    $db = func_get_arg(0);
    $email = strtolower(func_get_arg(1));
    $password = func_get_arg(2);

    # Get the user.
    $users = $db->user_select($email, '', '', '*');

    # Make sure there were no errors.
    if (is_string($users)) {
        # Report error.
        return $users;
    }

    # Convert the user query to an array.
    $user = mysql_fetch_array($users, MYSQL_ASSOC);

    # Clean up memory
    mysql_free_result($users);

    # Define a salt for the md5 hash.
    $salt = <something>;

    # Verify the password. Strict comparison, so two different hashes that
    # both look numeric ("0e...") are never treated as equal.
    if (md5($salt . $password) !== $user['password']) {
        # Report error.
        return "ERROR_INVALID_PASSWORD";
    } else {
        # Login successful. Setup the session variables.
        $_SESSION['email'] = $email;
        $_SESSION['user_id'] = $user['id'];
        $_SESSION['card_code'] = $user['card_code'];

        # Done
        return "SUCCESS|" . $user['card_code'] . "|";
    }
}
?>
```

mandred Posted April 14, 2009

Because you are using COOKIES. Using the session_destroy function does not unset the COOKIES.

MasterACE14 Posted April 14, 2009

> Because you are using COOKIES. Using the session_destroy function does not unset the COOKIES.

Yeah, he's already got that...

```php
<?php
// If it's desired to kill the session, also delete the session cookie.
// Note: This will destroy the session, and not just the session data!
if (isset($_COOKIE[session_name()])) {
    setcookie(session_name(), '', time()-42000, '/');
}
```

rianquinn Posted April 14, 2009

> > he/she can see user A's cart contents.
>
> Sessions are unique to each visitor. If an existing cart can be seen by a different visitor, it means you have a logic error or a design problem in your code, and this has nothing to do with the basic functioning of sessions and it has nothing to do with your logout code.
>
> How are your carts stored and how do you relate that information to each visitor?

I did not make the cart, I'm using PayPal's shopping cart and E-Junkie. All I have to do is add the "Add to Cart" and "View" buttons.

Also, keep in mind you cannot see other users' cart contents if you're in a different browser or on a different computer. It's only if you're in the same browser, and on the same machine.

rianquinn Posted April 14, 2009

> Because you are using COOKIES. Using the session_destroy function does not unset the COOKIES.

Can you suggest a good way to unset the cookies?

laffin Posted April 14, 2009

```php
session_destroy();
session_regenerate_id();
```

rianquinn Posted April 14, 2009

> ```php
> session_destroy();
> session_regenerate_id();
> ```

Just tried that and it didn't work. Thanks, though. Any other suggestions?

laffin Posted April 14, 2009

This is taken from php.net

```php
<?php
// Initialize the session.
// If you are using session_name("something"), don't forget it now!
session_start();

// Unset all of the session variables.
$_SESSION = array();

// If it's desired to kill the session, also delete the session cookie.
// Note: This will destroy the session, and not just the session data!
if (isset($_COOKIE[session_name()])) {
    setcookie(session_name(), '', time()-42000, '/');
}

// Finally, destroy the session.
session_destroy();
?>
```

rianquinn Posted April 14, 2009

> This is taken from php.net
>
> ```php
> <?php
> // Initialize the session.
> // If you are using session_name("something"), don't forget it now!
> session_start();
>
> // Unset all of the session variables.
> $_SESSION = array();
>
> // If it's desired to kill the session, also delete the session cookie.
> // Note: This will destroy the session, and not just the session data!
> if (isset($_COOKIE[session_name()])) {
>     setcookie(session_name(), '', time()-42000, '/');
> }
>
> // Finally, destroy the session.
> session_destroy();
> ?>
> ```

lol..... that's the exact code that I'm using (minus the session_regenerate_id you just suggested) and it doesn't seem to be working.

Is it even possible to have a shopping cart like e-junkie tied to a user account?

Psycho Posted April 14, 2009

If I'm not mistaken that code will only destroy the "session" cookie. You need to destroy all the cookies with that user.

But, here's the thing - the whole point of a cookie is that your data can be saved on the client side. Why store any data in cookies if you want to destroy it between sessions - use session data.

But, let's assume you want the cookie data to be remembered IF the user logs in with the same credentials as the previous visit. After authentication save a cookie value for the username/userID/or some unique value. Then when the user logs in, check if there is a cookie for that value and if it matches the value of the user that just logged in. If they are the same - do nothing - the user will retain their "cookie" cart from the previous visit. If they are not the same, then destroy all the previous cookie values.

```php
foreach ($_COOKIE as $name => $value) {
    setcookie($name, '', time()-1);
}
```
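
The compare-then-clear procedure from the post above, written out as an added example (not code from any poster, PayPal or E-Junkie). It assumes PHP 7.3+, an already started session, first-party cookies set with path `/`, and a hypothetical `cart_owner` marker cookie and server-side key; it can only expire cookies the site's own origin can see.

```php
<?php
// Added example, not code from the thread. Assumes PHP 7.3+ (array form of
// setcookie), an already started session, and first-party cookies set with
// path "/". The "cart_owner" cookie name and the key are hypothetical.
const OWNER_COOKIE = 'cart_owner';

// Keyed hash of the user id: the marker neither reveals the id nor can be forged.
function ownerTag(string $userId, string $key): string
{
    return hash_hmac('sha256', $userId, $key);
}

// True when the marker is missing or was written for a different account.
function belongsToOtherUser(array $cookies, string $userId, string $key): bool
{
    $seen = $cookies[OWNER_COOKIE] ?? null;
    return !is_string($seen) || !hash_equals(ownerTag($userId, $key), $seen);
}

// Expire the cookies the browser sent to this origin, except names in $keep.
// Cookies a hosted cart sets on its own domain are never in $_COOKIE, so
// nothing here (or in any logout script on this site) can expire them.
function expireFirstPartyCookies(array $cookies, array $keep = []): array
{
    $expired = [];
    foreach (array_keys($cookies) as $name) {
        $name = (string) $name;
        if (in_array($name, $keep, true)) {
            continue;
        }
        // Deletion only takes effect when the path (and domain) match the
        // ones used when the cookie was set.
        setcookie($name, '', ['expires' => time() - 3600, 'path' => '/']);
        $expired[] = $name;
    }
    return $expired;
}

// Call right after the password check succeeds.
function onLoginSuccess(string $userId, string $key): void
{
    session_regenerate_id(true);           // new id per login (anti-fixation)
    if (belongsToOtherUser($_COOKIE, $userId, $key)) {
        expireFirstPartyCookies($_COOKIE, [session_name(), OWNER_COOKIE]);
        $_SESSION = [];                    // drop the previous visitor's session data
    }
    $_SESSION['user_id'] = $userId;
    setcookie(OWNER_COOKIE, ownerTag($userId, $key), [
        'expires' => time() + 30 * 86400, 'path' => '/',
        'secure' => true, 'httponly' => true, 'samesite' => 'Lax',
    ]);
}
```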

laffin Posted April 14, 2009

The code should destroy the cookie and the session data. But no matter what code is being used, he says it remains. So either he is using some 3rd party session management or something is really broken with his PHP.

I would test the script on a local server (XAMPP/WAMP) or another host (a free host should work) to test the script and the session management.

If it works on another server, something is broken with your main provider's PHP. At this point you have 2 options: request an upgrade to PHP on the server, or go with a different provider.

If the same result happens, then it's a script issue. This could be because the session manager is different (script implemented) rather than using the standard PHP session manager. If this is the case, then it's a lot more work, as you have to spot the differences between default and 3rd party, as it may not be compatible.

rianquinn Posted April 14, 2009

> If I'm not mistaken that code will only destroy the "session" cookie. You need to destroy all the cookies with that user.
>
> But, here's the thing - the whole point of a cookie is that your data can be saved on the client side. Why store any data in cookies if you want to destroy it between sessions - use session data.
>
> But, let's assume you want the cookie data to be remembered IF the user logs in with the same credentials as the previous visit. After authentication save a cookie value for the username/userID/or some unique value. Then when the user logs in, check if there is a cookie for that value and if it matches the value of the user that just logged in. If they are the same - do nothing - the user will retain their "cookie" cart from the previous visit. If they are not the same, then destroy all the previous cookie values.
>
> ```php
> foreach ($_COOKIE as $name => $value) {
>     setcookie($name, '', time()-1);
> }
> ```

I just tried this code and it also does not work. User B can still see user A's cart.

What's really frustrating is that I cannot find any documentation on how to use something like e-junkie or PayPal other than to "insert this code into your site". That's it.

The only reason for using e-junkie and PayPal is that I do not want to store credit information on my site. I'd rather have someone else do that. How are others doing this? Is there a better shopping cart to use?

rianquinn Posted April 14, 2009

> The code should destroy the cookie and the session data. But no matter what code is being used, he says it remains. So either he is using some 3rd party session management or something is really broken with his PHP.

I'm not using anything third party. The only third party software I am running is jQuery. Other than that everything is my own.

Also, I have been testing everything via MAMP. I have also tried this on my host "godaddy" and it is not working there either.

When you refer to session management, what do you mean? What I understand this to mean is utilizing PHP's session_<something> functions.

Could the fact that I'm using AJAX be screwing something up?

Thanks for all of your help

laffin Posted April 14, 2009

If it's the script, and it's using PHP session management (yep, session_ functions), then you will have to debug your script, if PHP is generating the same session id for all clients.

You may want to add some debug code into your script, tracking session id and user id. If this still fails, you may want to look at 3rd party session management routines.

I have never really had problems with sessions myself, as long as session_start was at the top of the script.

You can also try building smaller scripts with sessions for testing.

rianquinn Posted April 14, 2009

> then you will have to debug your script, if PHP is generating the same session id for all clients.

I did this test yesterday. The cart contents remain the same regardless of the session_id (which is changing). I can also change the session_name manually, and this breaks the entire site, but somehow the cart still has the contents.

What I want to say is the cart is simply not tied to the session. But then where is the data being saved, and how do I clear it out?

laffin Posted April 14, 2009

Oh, then it's not sessions.

If the cart info is the same, then check if the user id is the same as well. If they are both the same, then the script is not getting the right user_id, in which case you would look at the login script to see how it is retrieving the user record and how it uses it (session or just grabs a cookie for user authentication).

If the user_id is different and the cart info is the same, then it's a cart issue. You will have to locate where the cart information is loaded & saved, and be sure it's tied to a user_id.

rianquinn Posted April 14, 2009

> Oh, then it's not sessions.
>
> If the cart info is the same, then check if the user id is the same as well. If they are both the same, then the script is not getting the right user_id, in which case you would look at the login script to see how it is retrieving the user record and how it uses it (session or just grabs a cookie for user authentication).
>
> If the user_id is different and the cart info is the same, then it's a cart issue. You will have to locate where the cart information is loaded & saved, and be sure it's tied to a user_id.

I feel we are getting somewhere here. This is basically the same thing the PayPal guy said before he stopped answering my questions.

My problem is that to integrate the cart into the site all you do is insert the code e-junkie spits out for you. So when you say, I don't exactly know what you mean. Is the cart expecting me to set some sort of conventional session variable?

When you refer to user_id, what are you referring to? I do not store a "user_id", I store the user's "email".

laffin Posted April 14, 2009

In your database, there is some reference between user and their cart. If for some reason either one fails, you will either get a generic user or a generic cart.

What I mean by user_id, I use it in terms of the database, as databases usually start with table, id int autoincrement primary key. Just a reference to how the user is referenced throughout your script.

rianquinn Posted April 14, 2009

My database has no cart information. I do have a user table, and I do keep track of a user_id, but in no way is this tied back to the cart. The only code that I have with regards to the cart is what they give me, which is a little HTML and that's it.

If I'm using something like e-junkie, or PayPal, how would you even tell their cart what the current user_id is?

rianquinn Posted April 14, 2009

Thanks everyone for your help. Please read the following:

http://www.e-junkie.com/bb/topic/3310/pg/0/?s1=51ab64&s2=3f542af1

Basically, it's impossible. I will have to use another cart. Hopefully third time's a charm.

Rian