Can I rely on session availability after being redirected to & from another server?

The question in the title is valid.

I have an online form where, after a few steps, the user is sent to a payment gateway on another server and then back again after completing their data there (no card or personal information is sent, just encrypted tokens, that's the point).

So, can I rely on the session data still being available when it is sent back (via POST?), and also, should I be doing this?

My testing would suggest yes, but this is the first time I've tried to do something like this. An alternative is to save the progress of the form before redirecting and then restore it on return. Would that be better, and if so, why?

TIA :)

4 answers


It depends on the session timeout and whether Apache is crashing / restarting. If you need a secure path, then save the session information back to the database.

Yes, you can generally rely on this to work.

Your session will still expire in the normal way, so as long as you expect your client to spend less time on the third-party site than it takes for a session timeout, you should be fine.

I am doing exactly what you suggest with some of the sites that I maintain and there are no major issues. I guess it might be more complicated if a large proportion of your customers are expected to disable cookies, but if you're dealing with the public, this really isn't a problem.
However, most payment gateways allow you to send them additional information that they will send back to you when they return a customer to your site. Even if they don't have a built-in way to do it, you can add GET parameters to the URL they use to return the client to you. It's worth adding an ID or order number here so you can do something even if the session is dead.

NOTE: Some payment services do not actually return the customer to your site at the end of the transaction, but instead simply contact your server to inform you that a certain payment has been completed. In this situation, your session will not be preserved, since the client is not the one making the request to your web server.

Depends. Chances are that your PHP sessions are being handled using a cookie storing the session ID; however, if your client has cookies disabled then (depending on the configuration / SID usage) it can be added to the query string. In the case of cookies, this shouldn't be a problem - the session should continue. If cookies are disabled, you rely on the payment gateway provider to pass the session ID along when it returns the customer.

Edit: just to add, if the client doesn't log out (ending the session), storing form data in session variables shouldn't be a problem.

As far as security is concerned, you can make sure that the session is IP-limited in some way (checked on every page load to make sure it matches) to ensure that the session is not hijacked by the payment gateway or some other unscrupulous person in the middle (only really a problem if cookies are disabled and the query string includes PHPSESSID).

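One way to put the two points above together, the order reference in the gateway's return URL from the second answer and the hijacking concern from the third, as an added example that is not code from any of the answers. It assumes a PDO handle $db, an application table orders(id, form_state, status) and a secret loaded from configuration; all three are assumptions for illustration.

```php
<?php
// Added example. Assumes a PDO connection $db, a table orders(id, form_state, status)
// created by the application, and that the gateway appends our query string unchanged
// to its return redirect (all assumptions).
const RETURN_SECRET = 'PLACEHOLDER-load-a-long-random-secret-from-config';

// Before redirecting: persist the form progress server-side and build a return URL
// carrying the order id plus an HMAC, so the return can be matched to the order even
// if the session has expired, and an altered or forged id is rejected.
function buildReturnUrl(PDO $db, string $baseUrl, array $formState): string {
    session_regenerate_id(true);               // fresh session id before leaving the site
    $orderId = bin2hex(random_bytes(16));      // unguessable, not sequential
    $stmt = $db->prepare('INSERT INTO orders (id, form_state, status) VALUES (?, ?, ?)');
    $stmt->execute([$orderId, json_encode($formState), 'pending']);
    $_SESSION['order_id'] = $orderId;          // fast path while the session is still alive
    $sig = hash_hmac('sha256', $orderId, RETURN_SECRET);
    return $baseUrl . '?' . http_build_query(['order' => $orderId, 'sig' => $sig]);
}

// On return from the gateway: verify the signature first, then restore the saved state
// from the database instead of trusting whatever is (or is not) left in the session.
function restoreOrderOnReturn(PDO $db, array $query): ?array {
    $orderId = $query['order'] ?? '';
    $sig     = $query['sig'] ?? '';
    if (!preg_match('/^[0-9a-f]{32}$/', $orderId)) {
        return null;                            // malformed id, do not touch the database
    }
    $expected = hash_hmac('sha256', $orderId, RETURN_SECRET);
    if (!hash_equals($expected, $sig)) {       // constant-time comparison
        return null;                            // tampered or forged return
    }
    // If the session survived, it must agree with the signed id; a mismatch means the
    // browser is carrying some other visitor's session and it should not be reused.
    if (isset($_SESSION['order_id']) && $_SESSION['order_id'] !== $orderId) {
        session_unset();
    }
    $stmt = $db->prepare('SELECT form_state FROM orders WHERE id = ? AND status = ?');
    $stmt->execute([$orderId, 'pending']);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false) {
        return null;                            // unknown or already completed order
    }
    $_SESSION['order_id'] = $orderId;          // re-establish the session binding
    return json_decode($row['form_state'], true);
}
```

The return URL only identifies the order; whether the payment actually succeeded still has to come from the gateway's own server-to-server notification mentioned in the NOTE above, not from the customer's browser arriving back.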
If you want to make sure the session is available, you can edit the session cookie timeout as follows:

<?php
// Keep the session cookie for one week (604800 seconds) instead of the browser-session default.
session_set_cookie_params(604800);
session_start();

This will cause the cookie to expire a week after it was created. By default, it expires when the browser is closed.

You can read more about this here.

http://uk3.php.net/manual/en/function.session-set-cookie-params.php
