
Some of our customers are experiencing a strange situation in which they lose their session data. This always happens after a redirect from our payment provider Ogone. The flow is as follows:

  • The user is completing their order.
  • The user decides to pay through ogone.
  • Afterwards the user is redirected to the application's payment success / error handler.

While debugging this issue, I found out that the session data is lost when the user is redirected from Ogone to the application. This happens only once in every x requests, so when I test the code in any possible browser, it appears to work just fine. I did not manage to find a link between failed payments and browser / payment method / ...

This is my session configuration:

'session.name' => 'PHPSESSID',
'session.save_path' => '/var/www/app/data/session',
'session.gc_probability' => 1,
'session.gc_divisor' => 100,
'session.gc_maxlifetime' => 5400, // 90 min.
'session.cookie_lifetime' => 0,
'session.bug_compat_warn' => 'off'

The session ID is also being passed by query parameters in the URL. This ID is available in the page ogone redirects to.

Is there someone who can help me out with this painful issue?

VeeWee
  • I suggest that when you redirect to your site after a successful payment, you assign it to the session one more time using the ID or user ID... or email ID – JegsVala Mar 09 '14 at 08:56
  • Hello JegsVala, I have access to the user ID in the redirect page. The problem is that the order data is missing – VeeWee Mar 09 '14 at 09:02
  • Which type of order data? – JegsVala Mar 09 '14 at 09:04
  • It's the order metadata: ordered products, delivery date, comments, ... This data is stored in the session until the payment is received. – VeeWee Mar 09 '14 at 09:06
  • Are you sure this type of data is stored in the session? – JegsVala Mar 09 '14 at 09:09
  • Yes I am sure. This data is loaded in the step before the payment. When the user clicks on pay with ogone, he is redirected to the ogone payment site. When the payment is complete, ogone redirects to the application. At that point, the session data is not available anymore. – VeeWee Mar 09 '14 at 09:11

1 Answer


A session ID passed in a query parameter is vulnerable to session fixation.

What you can do is store the session data in your database, say in some table T at row i; Then store the value i in a cookie. When a user is back on the site, retrieve i from the cookie, then load the session data from the database.

// Store the data in the database, in whatever form you choose ($pdo is a PDO connection)
$stmt = $pdo->prepare('INSERT INTO session_data (payload) VALUES (:payload)');
$stmt->execute([':payload' => serialize($_SESSION)]);
$id = $pdo->lastInsertId(); // Get the ID of the row in which this information is stored

// Store the id in a cookie
setcookie("session_data_row_id", $id, time() + 3600 * 24);  /* expire in 1 day */

Now you retrieve the data from the database back into session when needed

// Get the row id from the cookie
$id = $_COOKIE['session_data_row_id'] ?? null;

// Use this ID and retrieve the data from the database
$stmt = $pdo->prepare('SELECT payload FROM session_data WHERE id = :id');
$stmt->execute([':id' => $id]);
$payload = $stmt->fetchColumn();
$_SESSION = $payload === false ? [] : unserialize($payload);

Why web storage instead of cookies to store all data?

  1. It's not wise to store sensitive data in cookies since an XSS attack can get all cookies
  2. Cookies give you a limit of 4096 bytes per domain

More Resources:

  1. http://davidwalsh.name/php-cookies
  2. http://in3.php.net/setcookie
  3. Local Storage vs Cookies
  4. Keep $_SESSION alive with autorenewing counter
Joshua Kissoon
  • Hello Joshua, thanks for the answer! I am aware of session fixation and there is some code to prevent this. The session ID also needs to be in the URL because we also have a widget that includes our application in an external website. I could store the session in the DB, but I do not think that this is the solution for the issue we have. Why do you want to use custom cookies instead of session_set_save_handler()? The session already creates its cookie and at the moment it is not possible to alter the full codebase to use a custom cookie. – VeeWee Mar 09 '14 at 09:01
  • So don't use a custom cookie then, store the session data in the database with the key being the current session ID in the URL, when the user is redirected to your site, get back the session data from the database using the session ID. – Joshua Kissoon Mar 09 '14 at 09:04
  • Okay, I will try! Can you tell me what the advantage is of storing the data in the db instead of on the filesystem? The problem is that the data is lost. I am not sure if this solution will fix the issues we experience. – VeeWee Mar 09 '14 at 09:05
  • You can use the filesystem, there may be performance difference. But the main thing is not to store the data in cookies. I'm pretty sure this will solve your issue, since now you have a copy of the data on site, so even if it is lost from session, you can recover it from your persistent storage – Joshua Kissoon Mar 09 '14 at 09:27
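The comments above converge on keeping a server-side copy of the session data in the database, keyed by the session ID, and the asker wonders why that should not simply go through session_set_save_handler(). The following is an added example (not code from the question, the answer, or the application discussed) that does exactly that: a PDO-backed session handler registered with session_set_save_handler(), with the ID accepted only from the cookie so the fixation exposure of a query-string ID that the answer points out does not apply. It assumes PHP 8, the PDO SQLite driver, a table named app_sessions, the DSN path shown, and a site served over HTTPS (because of the secure cookie flag); the 5400-second lifetime mirrors the question's gc_maxlifetime.

```php
<?php
declare(strict_types=1);

// Added example: a database-backed session store registered through
// session_set_save_handler(). Table name, DSN and PHP 8 are assumptions.
final class PdoSessionHandler implements SessionHandlerInterface, SessionUpdateTimestampHandlerInterface
{
    public function __construct(private PDO $db, private int $maxLifetime)
    {
        // Schema is created here only to keep the example self-contained.
        $this->db->exec(
            'CREATE TABLE IF NOT EXISTS app_sessions (
                 id         TEXT    PRIMARY KEY,
                 data       TEXT    NOT NULL,
                 updated_at INTEGER NOT NULL
             )'
        );
    }

    public function open(string $path, string $name): bool { return true; }
    public function close(): bool { return true; }

    // Called once at session_start(); an empty string means "no such session".
    public function read(string $id): string|false
    {
        $stmt = $this->db->prepare(
            'SELECT data FROM app_sessions WHERE id = :id AND updated_at > :cutoff'
        );
        $stmt->execute([':id' => $id, ':cutoff' => time() - $this->maxLifetime]);
        $data = $stmt->fetchColumn();
        return $data === false ? '' : (string) $data;
    }

    // Called at request end with the serialized $_SESSION payload.
    public function write(string $id, string $data): bool
    {
        $stmt = $this->db->prepare(
            'INSERT OR REPLACE INTO app_sessions (id, data, updated_at) VALUES (:id, :data, :now)'
        );
        return $stmt->execute([':id' => $id, ':data' => $data, ':now' => time()]);
    }

    public function destroy(string $id): bool
    {
        $stmt = $this->db->prepare('DELETE FROM app_sessions WHERE id = :id');
        return $stmt->execute([':id' => $id]);
    }

    // Run with probability gc_probability/gc_divisor; returns the number of rows removed.
    public function gc(int $max_lifetime): int|false
    {
        $stmt = $this->db->prepare('DELETE FROM app_sessions WHERE updated_at <= :cutoff');
        $stmt->execute([':cutoff' => time() - $max_lifetime]);
        return $stmt->rowCount();
    }

    // Used by session.use_strict_mode: an ID this store never issued is rejected
    // and PHP generates a fresh one instead of adopting the supplied value.
    public function validateId(string $id): bool
    {
        $stmt = $this->db->prepare('SELECT 1 FROM app_sessions WHERE id = :id');
        $stmt->execute([':id' => $id]);
        return $stmt->fetchColumn() !== false;
    }

    // Used by session.lazy_write when the data did not change: refresh the timestamp only.
    public function updateTimestamp(string $id, string $data): bool
    {
        $stmt = $this->db->prepare('UPDATE app_sessions SET updated_at = :now WHERE id = :id');
        return $stmt->execute([':now' => time(), ':id' => $id]);
    }
}

// Wiring. The DSN path is an assumption; point it at your own data directory.
$db = new PDO('sqlite:/var/www/app/data/sessions.sqlite');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);

// Take the session ID from the cookie only, never from the query string.
ini_set('session.use_only_cookies', '1');
ini_set('session.use_trans_sid', '0');
ini_set('session.use_strict_mode', '1');
ini_set('session.gc_maxlifetime', '5400');   // 90 minutes, as in the question's config
session_set_cookie_params(['lifetime' => 0, 'path' => '/', 'secure' => true, 'httponly' => true]);

session_set_save_handler(new PdoSessionHandler($db, 5400), true);
session_start();

// Rotate the ID once when the checkout begins, so an ID chosen before that
// point is not the one the paid order ends up attached to.
if (empty($_SESSION['checkout_started'])) {
    session_regenerate_id(true);
    $_SESSION['checkout_started'] = time();
}
```

Because every read() and write() now goes through one place, the intermittent loss described in the question can be traced by logging the session ID and row count in those two methods around the Ogone redirect; the handler is also where a copy of the order data survives if the cookie is not presented, since nothing is deleted until gc() runs past the configured lifetime.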