jeffery1493 Posted February 28, 2007

Hi All,

I have been working with $_SESSION variables with an online business, and have had quite a headache. The problem is I have a PHP program sitting on the other end of a PayPal pay routine, that should only execute -if and only if- the person has paid. This works easily enough, I have it set up by setting the 'returnurl' variable for PayPal, and with all the right validation code the process works smoothly:

----
$notifyurl = 'www.mysite.com/notifyprocess.php';
$returnurl = 'www.mysite.com/i_already_paid.php';
----

The problem is preventing someone malicious from typing in on the address line, "www.mysite.com/i_already_paid.php" and having it execute without paying. A simple conditional like the one below in the 'i_already_paid.php' program should check for validation, but passing it along with the URL would not be a good idea I would think. So, I opted with a hidden session variable:

----
// compare (===), not assign (=): a single '=' would set the key and always pass
if ( isset($_SESSION['passkey']) && $_SESSION['passkey'] === 123456 ) {
    // do nothing
} else {
    message_die (GENERAL_MESSAGE, "You are not authorized to view this page");
}
----

I can then set the $passkey variable along the way when I get a successful pay from PayPal, and since the user can't see it, they can't just run the program on the address line.

The problem is, the $_SESSION variable 'passkey' is sometimes kicking out and disappearing. I've tried ideas like session_write_close() and others, but I can't see how to be sure $_SESSION will keep from getting lost. It is possibly because going through the https://www.paypal.com and redirecting back causes mayhem with the session.

Is there a better way to do this? At my wits' end.......thanks for any advice. :-\

JEFFERY1493
djmarkm Posted February 28, 2007

I'm having a similar issue with a SecPay post. I'm storing some session variables prior to the call to SecPay, but upon the return the session variables are all empty. It looks like handing over to a form that exists on a separate server (in my case SecPay) is ending the session and wiping the vars. Can anyone confirm this for me?

The only workaround I can think of is storing the session vars in a database table referenced by a trans_id that I pass to SecPay and SecPay passes back to me.

Regards
Mark
willpower Posted February 28, 2007

Yes...you are on the right track here.

1. I generate a transaction id in the db first.
2. I generate the submission form and button.
3. I encrypt the trans_id.
4. I include this in my return url, i.e. /i_have_paid.php?trans_id=87Fgfg76dfhghGHHJG8sd
5. On return I query the DB and see if the decrypted pass matches, and if so process, and if not fail.

Hope that makes sense

Will
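The flow Will describes, written out as an added example (not code from anyone in this thread). It uses an HMAC over the transaction id rather than encryption, since the goal is only to prove the id was issued by the site; the `transactions` table, the `$SECRET` value and the in-memory SQLite database are assumptions, and the paid/pending status is meant to be set by the `notifyprocess.php` handler after it validates PayPal's notification, so the return page never trusts the URL alone.

```php
<?php
// Added example for the thread, not the poster's code. Assumes a SQLite table
// `transactions` and a server-side secret kept outside the web root.
$SECRET = 'replace-with-a-long-random-secret';   // assumption: loaded from config

$db = new PDO('sqlite::memory:');
$db->exec("CREATE TABLE transactions (id TEXT PRIMARY KEY, status TEXT NOT NULL)");

// Steps 1-3: create a pending transaction and a signed token for the return URL.
function create_transaction(PDO $db, string $secret): string {
    $id = bin2hex(random_bytes(16));                  // unguessable transaction id
    $db->prepare("INSERT INTO transactions (id, status) VALUES (?, 'pending')")
       ->execute([$id]);
    $sig = hash_hmac('sha256', $id, $secret);         // ties the id to this site
    return $id . '.' . $sig;                          // value for ?trans_id=...
}

// Step 5: on return, check the signature, then check the DB says 'paid'.
// The status column is only ever changed by the notify handler, so a visitor
// who types the return URL by hand still needs a row that was actually paid.
function verify_paid(PDO $db, string $secret, string $token): bool {
    $parts = explode('.', $token, 2);
    if (count($parts) !== 2 || strlen($parts[0]) !== 32 || !ctype_xdigit($parts[0])) {
        return false;                                 // malformed token
    }
    [$id, $sig] = $parts;
    $expected = hash_hmac('sha256', $id, $secret);
    if (!hash_equals($expected, $sig)) {              // constant-time comparison
        return false;                                 // forged or altered token
    }
    $stmt = $db->prepare("SELECT status FROM transactions WHERE id = ?");
    $stmt->execute([$id]);
    return $stmt->fetchColumn() === 'paid';
}

// Simulated flow: issue the token, build the return URL, then let a stand-in
// for notifyprocess.php mark the row paid and re-check.
$token = create_transaction($db, $SECRET);
$returnurl = 'https://www.mysite.com/i_already_paid.php?trans_id=' . urlencode($token);
var_dump(verify_paid($db, $SECRET, $token));          // before payment is recorded
$db->prepare("UPDATE transactions SET status = 'paid' WHERE id = ?")
   ->execute([explode('.', $token, 2)[0]]);           // what the notify handler does
var_dump(verify_paid($db, $SECRET, $token));          // after payment is recorded
var_dump(verify_paid($db, $SECRET, 'abc.def'));       // token nobody issued
```

Because the token carries the transaction id in the URL, the session no longer has to survive the round trip through PayPal, which is the failure the thread is about.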
jeffery1493 (Author) Posted February 28, 2007

Truly the old Millionaire show saying, "it's always easy when you know the answer", applies here. For the life of me I can't figure out why that didn't occur to me; I have even done that for other programs in years past..........will give it a shot, thanks!

JEFFERY1493