
Customer session timeout if they spend too long on PSP payment form


Woolly


Posted

Hi,

 

I have a store using SecureTrading as the payment service provider, but I believe this problem will apply to any PSP. When a customer stays on the SecureTrading payment form for longer than 24 minutes (PHP variable gc_maxlifetime, 1440 secs - loaded in includes/functions/sessions.php), the callback from SecureTrading to checkout_process.php fails, in that it does not store anything in the database (because the customer's session has timed out) and the customer is sent to the login page (redirected from checkout_success because the session has timed out).

 

The result of that is that the order is not placed within the osCommerce system, but SecureTrading still process the payment. The customer thinks the order has been placed, because they have paid and been taken back to my site.

 

I have searched for a couple of hours on this and can't find a solution. The best idea I can come up with is that if the customer is on the checkout_confirmation page, I set their session expiry time (stored in the database in the 'sessions' table, as I have STORE_SESSIONS set to 'mysql') to be time() plus 24 hours (instead of time() plus 1440 seconds, which is set on every page request). I don't want to change the 1440 second timeout globally because of the extra security risk and the extra server resources.

 

Hope that made at least some sense! Does anyone have any better suggestions? Has anyone else come up against this problem? Am I missing something obvious?!

 

Thanks in advance.

Posted
Well, I've never successfully been able to change the session timeout myself, although I can't say I put in years trying to figure it out... There does have to be a way, but I don't know of how it's done... You could try using cookies at this stage and see if you can make that work... I'm curious why your customers are waiting longer than 24 minutes at the payment gateway though... As a last resort, you could always just post some text on your checkout confirmation screen that warns about the 24 minute timeout and the potential consequences... Most customers won't ever take longer than a few minutes, and for the ones that do, at least they're warned...

 

Richard.

Richard Lindsey

2 weeks later...
Posted

Thanks for the reply, Velveeta. You're right in saying that this problem does not occur for most customers - it has only come up twice since October 2006 on this site.

 

For now I have implemented a bit of a hack fix:

 

In /includes/functions/sessions.php, I have replaced:

if (!$SESS_LIFE = get_cfg_var('session.gc_maxlifetime')) {
    $SESS_LIFE = 1440;
}

with:

if (defined('CURRENT_PAGE_IS_CHECKOUT_CONFIRMATION') && CURRENT_PAGE_IS_CHECKOUT_CONFIRMATION == 'true') {
    $SESS_LIFE = 86400;
} else {
    $SESS_LIFE = 1440;
}

(you could keep the get_cfg_var call if you still want to use the ini-set PHP timeout)

 

And at the top of checkout_confirmation.php (before the include of application_top.php):

define('CURRENT_PAGE_IS_CHECKOUT_CONFIRMATION', 'true');

 

It means that the session will stay alive for 24 hours once the customer has visited the checkout confirmation page, and as soon as they return (or go to any other page) it will revert to the 24 minute timeout.
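To make the behaviour of that fix concrete, here is an added example (not osCommerce code and not the poster's) that models the mysql-backed session store behind STORE_SESSIONS = 'mysql': the expiry written into the sessions table is always time() plus the lifetime chosen for the current request, so the 24-hour window only holds if the last page that wrote the session was checkout_confirmation.php. The table layout (sesskey, expiry, value) and the use of PDO with an in-memory SQLite stand-in are assumptions for the walkthrough.

```php
<?php
// Added example, not osCommerce code. Models how a per-page session lifetime
// ends up as the expiry column of the sessions table and what the PSP callback
// then sees. Table/column names are assumptions, not taken from the page.

const SESS_LIFE_DEFAULT  = 1440;   // PHP's session.gc_maxlifetime default (24 min)
const SESS_LIFE_CHECKOUT = 86400;  // 24 h, only while on checkout_confirmation.php

// Same decision the CURRENT_PAGE_IS_CHECKOUT_CONFIRMATION define makes, keyed on
// the script name so the long lifetime cannot leak to other pages.
function sess_life_for_page(string $script): int {
    return basename($script) === 'checkout_confirmation.php'
        ? SESS_LIFE_CHECKOUT
        : SESS_LIFE_DEFAULT;
}

// Write path of a mysql-style handler: one row per session id, expiry recomputed
// from the lifetime of *this* request on every write.
function sess_write(PDO $db, string $id, string $data, int $life, int $now): void {
    $stmt = $db->prepare('REPLACE INTO sessions (sesskey, expiry, value) VALUES (?, ?, ?)');
    $stmt->execute([$id, $now + $life, $data]);
}

// Read path: an expired row is treated as no session, which is what makes
// checkout_process.php store nothing and checkout_success redirect to login.
function sess_read(PDO $db, string $id, int $now): ?string {
    $stmt = $db->prepare('SELECT value FROM sessions WHERE sesskey = ? AND expiry > ?');
    $stmt->execute([$id, $now]);
    $row = $stmt->fetchColumn();
    return $row === false ? null : $row;
}

// Constructed scenario from the thread, using SQLite in memory as the stand-in.
$db = new PDO('sqlite::memory:');
$db->exec('CREATE TABLE sessions (sesskey TEXT PRIMARY KEY, expiry INTEGER, value TEXT)');
$t0  = 1000000;                      // constructed "now" when the customer leaves for the PSP
$sid = 'constructed-session-id';
$callbackAt = $t0 + 30 * 60;        // PSP posts back 30 minutes later (> 1440 s)

// Case 1: last write came from checkout_confirmation.php -> 24 h expiry, callback finds the session.
sess_write($db, $sid, 'cart=constructed', sess_life_for_page('/catalog/checkout_confirmation.php'), $t0);
var_dump(sess_read($db, $sid, $callbackAt) !== null);   // bool(true)

// Case 2: customer went back to the cart before returning to the PSP form, so the
// last write used the normal lifetime and the callback arrives after expiry.
sess_write($db, $sid, 'cart=constructed', sess_life_for_page('/catalog/shopping_cart.php'), $t0);
var_dump(sess_read($db, $sid, $callbackAt) !== null);   // bool(false)
```

Case 2 is the edge the fix leaves open: any ordinary page view after checkout_confirmation.php rewrites the expiry back to 1440 seconds, so a customer who navigates away and then completes payment is still exposed to the original failure.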
