Question

I'm having a hard time tackling a problem with a Zend Framework 1 application. It's a custom webshop application where, from the checkout page, the client is redirected to a payment gateway provider. So it looks like this:

  1. When the client chooses a payment method on our checkout page behind the scenes a transaction handshake is being done between my application and the payment provider.

  2. The payment provider then sends me back a payment url to which the client is redirected.

  3. The client pays and the payment provider redirects the client back to our webshop to a success url.

In most cases this works perfectly fine, but on some occasions the client gets a new session id after being redirected to our success page. This is a problem because the session data is used at that point to complete the order.

Locally I've only been able to reproduce this problem once out of probably 50 tries. So it's one of those "sometimes it works and sometimes it doesn't" scenarios, or in other words a pain in the * to debug and fix.

I tried playing around with the session settings in my application.ini and also the _initSession in my Bootstrap, but in fact after those changes I managed to reproduce the problem (that one time).

The original application.ini and Bootstrap.php (relevant pieces only) look like this:

application.ini:

  resources.session.save_path = APPLICATION_PATH "/../data/sessions"
  resources.session.gc_maxlifetime = 2592000
  resources.session.remember_me_seconds = 2592000

Bootstrap.php:

  protected function _initSession()
  {
     // set up the session as per the config.
     $options = $this->getOptions();

     $sessionOptions = $options['resources']['session'];

     Zend_Session::setOptions($sessionOptions);
     Zend_Session::start();
  }

Note that in all other circumstances/use-cases the sessions are working fine throughout the site. It's only after the redirecting that it goes wrong for some clients. I had the application logging extra information and I could actually see the session id change in those cases.

Could it have something to do with the long session lifetime (1 month)? Or do I have to call Zend_Session::rememberMe(...); after Zend_Session::start() in the Bootstrap? Or any other ideas, tips and advice?

Edit: The other session options I experimented with are as follows:

resources.session.name = myuniquesessionname
resources.session.use_cookies = on
resources.session.use_only_cookies = on
resources.session.save_path = APPLICATION_PATH "/../data/sessions" 
resources.session.gc_maxlifetime = 2592000
resources.session.remember_me_seconds = 2592000
resources.session.strict = on

Solution

I fought with this very issue, and found that I was dealing with two different domains. Some of my users were starting out on mydomain.com and then after finishing with the payment provider they were getting redirected back to www.mydomain.com. This would result in a completely new session.

Is it possible that this is your issue?

If so, I would stick something like this early on in the bootstrap process, possibly right at the top of your index.php file:

<?php
// Canonicalise the host so every visitor (including one sent back by the
// payment provider) ends up on www.mydomain.com and therefore on one cookie
// scope. The target host is hard-coded, so the value of SERVER_NAME only
// decides whether to redirect, never where to.
if ($_SERVER['SERVER_NAME'] !== 'www.mydomain.com') {
    header('Location: http://www.mydomain.com' . $_SERVER['REQUEST_URI']);
    exit;
}

This ensures right up front that users are using the domain that you want them to use. The redirect will preserve the full URL, with any GET variables.

OTHER TIPS

What worked for me was the following: The problem was indeed the domain of the session cookie. In my application.ini I added:

  resources.session.cookie_domain = .mydomainname.com

where obviously mydomainname.com is the domain name of the webshop.

Now after this and clearing my cookies in the Firefox I use for development, everything worked. I log in to the site without using the www. prefix, and if I then go to the site using the URL including the www. prefix I'm still using the same session.

I cleared all the sessions at the server-side. However, in my other non-developer browsers where I didn't clear the cookies I still had the problem that the session id was being re-used, because of the existing cookies that were tied to the specific domain names. So for example in my Safari I still got two sessions whenever I browsed to the two different URLs, and every time the same session ids would be used. To fix this I simply added the name of the session in application.ini:

resources.session.name = NEWSESSID

So the browser gets forced to create a new cookie with the new name instead of the default PHPSESSID.

Looks like everything is working again now. Thanks a lot for the help, much appreciated!
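Both answers above come down to how a browser scopes a session cookie: a cookie set without a Domain attribute is host-only and is never sent to www.mydomain.com when it was set by mydomain.com (the solution), while a cookie with Domain=.mydomain.com covers both hosts, and a stale host-only PHPSESSID left in the browser can then collide with the new domain-wide one until the cookie is renamed (the other tips). The following Python model of the RFC 6265 rules is an added example, not code from the original post or from Zend Framework; the hosts, cookie names and values are constructed placeholders, and it implements only domain matching and the host-only rule, not path matching, expiry or the browser's cookie-store replacement logic.

```python
"""Model of how a browser scopes a session cookie across mydomain.com and
www.mydomain.com (constructed example; hosts and values are placeholders)."""

from dataclasses import dataclass


@dataclass(frozen=True)
class Cookie:
    name: str
    value: str
    domain: str      # setting host, or the Domain attribute without its leading dot
    host_only: bool  # True when Set-Cookie carried no Domain attribute


def domain_matches(request_host: str, cookie_domain: str) -> bool:
    """RFC 6265 section 5.1.3 domain matching (IP-literal cases omitted)."""
    request_host = request_host.lower()
    cookie_domain = cookie_domain.lower()
    return request_host == cookie_domain or request_host.endswith("." + cookie_domain)


def parse_set_cookie(header: str, setting_host: str) -> Cookie:
    """Store a Set-Cookie header the way a browser does (RFC 6265 section 5.3)."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    domain_attr = ""
    for attr in parts[1:]:
        key, _, val = attr.partition("=")
        if key.strip().lower() == "domain":
            domain_attr = val.strip().lstrip(".").lower()  # leading dot is ignored
    if not domain_attr:
        # No Domain attribute: host-only cookie, returned to setting_host alone
        return Cookie(name.strip(), value.strip(), setting_host.lower(), host_only=True)
    if not domain_matches(setting_host, domain_attr):
        raise ValueError("Domain attribute does not cover the setting host; cookie rejected")
    return Cookie(name.strip(), value.strip(), domain_attr, host_only=False)


def cookies_for_request(jar, request_host):
    """Cookies a browser attaches to a request for request_host (section 5.4)."""
    request_host = request_host.lower()
    return [c for c in jar
            if (c.domain == request_host if c.host_only
                else domain_matches(request_host, c.domain))]


def session_ids_seen(jar, request_host, session_name):
    """Values of the session cookie the server on request_host receives, sorted."""
    return sorted(c.value for c in cookies_for_request(jar, request_host)
                  if c.name == session_name)


def checkout_roundtrip(set_cookie_header, start_host, return_host, session_name="PHPSESSID"):
    """Session established on start_host; the payment provider then sends the
    browser back to return_host. Returns the session ids the success page sees;
    an empty list means PHP will start a brand-new session there."""
    jar = [parse_set_cookie(set_cookie_header, start_host)]
    return session_ids_seen(jar, return_host, session_name)


def stale_cookie_scenario(session_name):
    """A browser still holding a host-only PHPSESSID for www.mydomain.com from
    before the cookie_domain change, plus the new domain-wide cookie set on
    mydomain.com under session_name. Constructed values."""
    jar = [
        Cookie("PHPSESSID", "staleWWW", "www.mydomain.com", host_only=True),
        parse_set_cookie(f"{session_name}=shared; path=/; domain=.mydomain.com",
                         "mydomain.com"),
    ]
    return session_ids_seen(jar, "www.mydomain.com", session_name)


if __name__ == "__main__":
    # Default ZF1 settings: host-only cookie, lost when the gateway returns to www.
    print(checkout_roundtrip("PHPSESSID=abc123; path=/", "mydomain.com", "www.mydomain.com"))
    # With resources.session.cookie_domain = .mydomain.com the cookie covers both hosts.
    print(checkout_roundtrip("PHPSESSID=abc123; path=/; domain=.mydomain.com",
                             "mydomain.com", "www.mydomain.com"))
    print(stale_cookie_scenario("PHPSESSID"))  # two values for one cookie name
    print(stale_cookie_scenario("NEWSESSID"))  # only the new domain-wide cookie matches
```

The first `checkout_roundtrip` call returns an empty list, which is exactly the symptom in the question: the success page on www.mydomain.com receives no session cookie, so PHP starts a fresh session id. The stale-cookie scenario shows why renaming the session cookie helped: as long as the name stays PHPSESSID, the old host-only cookie and the new domain-wide cookie are both sent to www.mydomain.com and the server has to pick one; a new name leaves only the domain-wide cookie matching.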

Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow