Strange $_SESSION things happening

[c_shelswell]

I've got a bit of a problem that i'm struggling to get to the bottom of and any advice would be really great. Basically i've made a site that allows people to buy music and video bundles the user pays for a bundle via pay pal. The problem i have is there is a site session variable "['free_cart']" if a user enters a discount code that makes their cart total 0 then ['free_cart'] is set to 1 and they bypass pay pal. However i have a user that seems to have gone thru a regular transaction not a free one (all the database and paypal show a normal sale) though when paypal has direct the user back to the site after the payment it appears (auto emails are sent out if a payment hasn't gone thru as normal) that the ['free_cart'] variable has been set to 1.

 

I don't understand how this could possibly happen. Is there a way a user could cheat a session variable?? How could they leave the site to go to paypal but when they get back from paypal a variable has been changed?

 

I hope i've explained this reasonably well

 

any help would be great i'm really confused

Thanks

[Aureole]

There's probably a flaw in your system or something... I doubt he could have changed the session variable but he may have done something to cause it to get set to 1 even if you didn't intend for it to happen. Perhaps some kind of loophole? I don't know.

 

Post some code and it will be easier for people to help you.