scotspaul
Posted February 22, 2007

Hullo there!

When a customer has successfully bought something from my store, selects (or not) to be notified of any updates to their purchased products and clicks [Continue] in checkout_success.php, they are logged out of their account...

Would any bright spark have any ideas as to why? Me? One of my many contribs? Or is it by design? If it's by design, would there be a way round this?

Many thanks oh wise ones...

Kind regards,
Paul

Velveeta
Posted February 22, 2007

This is definitely not by design... My guess would be that either the session id is being lost at that point for some reason, so it's forgotten who the customer was, or else the customer_id session variable is being unregistered perhaps...

The only way to test it would be to read through your checkout_success.php file and look for something like that, or drop in some debug output to echo the session data to the page, and if your site propagates the session id through the url (i.e. you have &osCsid=97s8d7f9729c928739f397n29387b964325 in the url string), make sure that when you land on the success page, when you hover over the continue button, that it contains that session id value also, or else it may be losing the session data there...

Question: if they click a link other than the continue button, does it still show them logged out?

Richard.

Richard Lindsey

scotspaul
Posted February 22, 2007

Hi Richard,

Thank you for your response.

When I click on any other link in the checkout_success page, I remain logged in correctly.

When I select a product to be notified I am logged out and the landing URL is:

    NOTIFY: /index.php?notify[]=53&action=notify&osCsid=110133399c078a2b63f98f7dc4f80c25

The product is not added to the 'notify' list, however, if I modify the URL by hand from the above to:

    NOTIFY: /index.php?notify=53&action=notify&osCsid=110133399c078a2b63f98f7dc4f80c25

I remain logged in and the product is added to the notify list.

Something in checkout_success.php here is not behaving I think:

    if (isset($HTTP_GET_VARS['action']) && ($HTTP_GET_VARS['action'] == 'update')) {
      $notify_string = 'action=notify&';
      $notify = $HTTP_POST_VARS['notify'];
      if (!is_array($notify)) $notify = array($notify);
      for ($i=0, $n=sizeof($notify); $i<$n; $i++) {
        $notify_string .= 'notify[]=' . $notify[$i] . '&';
      }
      if (strlen($notify_string) > 0) $notify_string = substr($notify_string, 0, -1);
      tep_redirect(tep_href_link(FILENAME_DEFAULT, $notify_string));
    }

If I don't select a product to be notified I am logged out and the landing URL is:

    NO NOTIFY: /login.php?osCsid=b4443d9b913135a70dcab82837b34198

I've tried replacing my checkout_success.php with a standard one to no avail - the contribution most likely to be affecting this is the PayPal Pro (UK) contrib from PayPal themselves (Based on Brian Burton's / Dynamoeffects).

http://demo.tipee.com/demo/index.php for a test - currently (22 Feb 07) set on test with 'COD' only.

Any bright ideas welcome.

Velveeta
Posted February 22, 2007

Hmmm, that code looks like it should work fine... Can you check your includes/application_top.php file, and find the switch statement for $action, and verify that the case 'notify': looks like this?

    case 'notify' :
      if (tep_session_is_registered('customer_id')) {
        if (isset($HTTP_GET_VARS['products_id'])) {
          $notify = $HTTP_GET_VARS['products_id'];
        } elseif (isset($HTTP_GET_VARS['notify'])) {
          $notify = $HTTP_GET_VARS['notify'];
        } elseif (isset($HTTP_POST_VARS['notify'])) {
          $notify = $HTTP_POST_VARS['notify'];
        } else {
          tep_redirect(tep_href_link(basename($PHP_SELF), tep_get_all_get_params(array('action', 'notify'))));
        }
        if (!is_array($notify)) $notify = array($notify);
        for ($i=0, $n=sizeof($notify); $i<$n; $i++) {
          $check_query = tep_db_query("select count(*) as count from " . TABLE_PRODUCTS_NOTIFICATIONS . " where products_id = '" . $notify[$i] . "' and customers_id = '" . $customer_id . "'");
          $check = tep_db_fetch_array($check_query);
          if ($check['count'] < 1) {
            tep_db_query("insert into " . TABLE_PRODUCTS_NOTIFICATIONS . " (products_id, customers_id, date_added) values ('" . $notify[$i] . "', '" . $customer_id . "', now())");
          }
        }
        tep_redirect(tep_href_link(basename($PHP_SELF), tep_get_all_get_params(array('action', 'notify'))));
      } else {
        $navigation->set_snapshot();
        tep_redirect(tep_href_link(FILENAME_LOGIN, '', 'SSL'));
      }
      break;

Richard.

scotspaul
Posted February 22, 2007

Hi,

That statement is the same - line for line.

To prevent hallucinations, I just tried out the demo site on the osCommerce homepage - it performs as you would expect with the customer remaining logged in - however I noticed that it did not carry the session ID in the URL - would you know of a config setting that could allow me to do the same?

Again - thanks for your time,

Paul

scotspaul
Posted February 22, 2007

I just tried adding:

    error_reporting(E_ALL);

to the top of checkout_success.php and it returned this:

    Warning: session_start() [function.session-start]: Cannot send session cookie - headers already sent by (output started at /folder1/folder2/public_html/site/checkout_success.php:2) in /folder1/folder2/public_html/site/includes/functions/sessions.php on line 97

    Warning: session_start() [function.session-start]: Cannot send session cache limiter - headers already sent (output started at /folder1/folder2/public_html/site/checkout_success.php:2) in /folder1/folder2/public_html/site/includes/functions/sessions.php on line 97

Not entirely sure how to proceed on this.......

Thanks in advance for further enlightenment...

Velveeta
Posted February 22, 2007

Unfortunately I don't remember the config setting that does this... It didn't do it on my store either, but I can't remember what I did to get it to stop appending to the end of the url... I know the function tep_href_link takes a parameter for adding the sid to the end of the url, and I believe it defaults to true, but I can't remember if simply setting this to false is enough...

Someone else may be able to answer this more clearly, or you may be able to find a tutorial out there that'll answer it for you... You may also try the contributions section in case someone wrote a quick and dirty contrib entry for handling this...

Richard.

Velveeta
Posted February 22, 2007

Is there any whitespace at the top of your checkout_success file, perhaps from when you stuck in the error_reporting line? It doesn't necessarily need to be the *first* line of the file, just as long as it's the first line that's executed, meaning place it above the require('includes/application_top.php'); line... But if you did something like this maybe:

    <?php error_reporting(E_ALL); ?>

    <?php
    /*
    <typical oscommerce file header>

Then that line of whitespace in between those 2 sections counts as output, at which point it can't send any additional headers to start the session or whatever...

Richard.
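
The check Richard describes can be automated. The following is an added example, not part of the original thread and not osCommerce code: it tokenizes a PHP file and reports any text that sits outside the PHP tags before the first require/include, which is the output that stops the session cookie from being sent. It assumes PHP 7.1 or later with the tokenizer extension; the function name and the sample file contents are constructed for illustration.

```php
<?php
// Added example, not osCommerce code. Reports everything a script would send
// to the browser before its first require/include, i.e. before
// includes/application_top.php gets the chance to start the session.

function stray_output_before_bootstrap(string $source): array
{
    $bootstrap = [T_REQUIRE, T_REQUIRE_ONCE, T_INCLUDE, T_INCLUDE_ONCE];
    $hits = [];
    foreach (token_get_all($source) as $token) {
        if (!is_array($token)) {
            continue;                  // single-character token such as ';'
        }
        [$id, $text, $line] = $token;
        if (in_array($id, $bootstrap, true)) {
            break;                     // bootstrap reached; template HTML after it is expected
        }
        if ($id === T_INLINE_HTML) {
            // Text outside the PHP tags (blank line, space, UTF-8 BOM) is
            // output: it commits the headers, so no session cookie can follow.
            $hits[] = ['line' => $line, 'hex' => bin2hex($text)];
        }
    }
    return $hits;
}

// Constructed sample reproducing the layout from the post: a closed PHP
// block, one blank line, then the normal start of the file.
$sample = "<?php error_reporting(E_ALL); ?>\n\n<?php\nrequire('includes/application_top.php');\n";

// With a file name argument the script checks that file instead of the sample.
$source = isset($argv[1]) ? file_get_contents($argv[1]) : $sample;

foreach (stray_output_before_bootstrap($source) as $hit) {
    printf("line %d: output before session start, bytes 0x%s\n", $hit['line'], $hit['hex']);
}
```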

scotspaul
Posted February 22, 2007

Ahaaa....

Yes - and now I've removed the whitespace and it all (including the session) seems to work.

Mind you - I think that I had some mistakes in my configure.php file - the HTTPS_COOKIE_DOMAIN and HTTPS_COOKIE_PATH were not set correctly. Some trial and error seems to have sorted things out.

    define('HTTP_SERVER', 'http://subdomain.site.com'); // eg, http://localhost - should not be empty for productive servers
    define('HTTPS_SERVER', 'https://sslhost.myhost.co.uk/site'); // eg, https://localhost - should not be empty for productive servers
    define('ENABLE_SSL', true); // secure webserver for checkout procedure?
    define('HTTP_COOKIE_DOMAIN', 'subdomain.site.com');
    define('HTTPS_COOKIE_DOMAIN', 'sslhost.myhost.co.uk/site');
    define('HTTP_COOKIE_PATH', '/subdomain/');
    define('HTTPS_COOKIE_PATH', '/subdomain/');
    define('DIR_WS_HTTP_CATALOG', '/subdomain/');
    define('DIR_WS_HTTPS_CATALOG', '/subdomain/');

Also: Admin > Configuration > Sessions

Set as follows:

    Session Directory ......... [blank]
    Force Cookie Use .......... False
    Check SSL Session ID ...... False
    Check User Agent .......... False
    Check IP Address .......... False
    Prevent Spider Sessions ... False
    Recreate Session .......... False

And.. it seems to be working OK.

Richard - thank you very much indeed for your assistance in pointing me in the right direction. Your help was much appreciated.

Kind regards,
Paul

Velveeta
Posted February 22, 2007

Not a problem, glad it's working ok now :) Although, I would make a few suggestions about your session configuration up above...

You'll want to turn prevent spider sessions to true, so that your pages don't get indexed with session values in the url string, or else when someone searches for a product you have, and your page comes up, it'll have that session id in the url, and they may inadvertently pick up someone else's session...

Also, I personally turn on the check user agent and check ip address options as well, because a lot of people surf from private networks, and use NAT to mask their internal IPs, so if 2 people from the same location (i.e. a restaurant with wi-fi, a business, etc) happen to be surfing your shop at the same time, one could theoretically take over the other's session if they knew the session id and swapped it out in their own url, so the check user agent helps to prevent that too, in case they're using different browsers, or possibly different versions of the same browser, you get the idea... And it will recreate the session id in those circumstances, if those details don't match up with what it has on record for that session id...

Richard.
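
The measures recommended in the post above (keep the session id out of URLs, tie the session to the user agent and IP address, issue a new id when they do not match) look like this in plain PHP. This is an added example, not part of the original thread and not osCommerce code; the function names and the 'fingerprint' session key are hypothetical, and it assumes PHP 7.0 or later with the default file-based session handler.

```php
<?php
// Added example, not osCommerce code. Function names are hypothetical.

function harden_session_ini(): void
{
    ini_set('session.use_only_cookies', '1'); // never accept an ID from the URL
    ini_set('session.use_trans_sid', '0');    // never rewrite links to carry the ID
    ini_set('session.use_strict_mode', '1');  // reject IDs the server did not issue
    ini_set('session.cookie_httponly', '1');  // keep the cookie away from page scripts
}

function client_fingerprint(array $server): string
{
    // Clients behind one NAT share REMOTE_ADDR, so the user agent is the
    // only part of this value that can differ between them.
    $ua = $server['HTTP_USER_AGENT'] ?? '';
    $ip = $server['REMOTE_ADDR'] ?? '';
    return hash('sha256', $ua . "\n" . $ip);
}

// Returns true when the session belongs to this client, false when the
// stored fingerprint did not match and the session was reset.
function start_bound_session(array $server): bool
{
    harden_session_ini();
    session_start();
    $now = client_fingerprint($server);

    if (!isset($_SESSION['fingerprint'])) {   // first request of a new session
        $_SESSION['fingerprint'] = $now;
        return true;
    }
    if (hash_equals($_SESSION['fingerprint'], $now)) {
        return true;
    }
    // Mismatch: drop the data and retire the identifier, so a leaked or
    // indexed ID stops working; the owner has to log in again.
    $_SESSION = [];
    session_regenerate_id(true);
    $_SESSION['fingerprint'] = $now;
    return false;
}

// Call right after the password check succeeds, so an ID that was known
// before login is not the one that carries the logged-in state.
function rotate_id_on_login(int $customerId): void
{
    session_regenerate_id(true);
    $_SESSION['customer_id'] = $customerId;
}

$owned = start_bound_session($_SERVER);
```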