I'm having a hard tackling a problem with a Zend Framework 1 application. It's a custom webshop application where from the checkout page the client is being redirected to a payment gateway provider. So it looks like this:
When the client chooses a payment method on our checkout page behind the scenes a transaction handshake is being done between my application and the payment provider.
The payment provider then sends me back a payment url to which the client is redirected.
The client pays and the payment provider redirects the client back to our webshop to a success url.
In most cases this works perfectly fine, but in some occasions the client gets a new session id after being redirected to our success page. This is a problem because the session data is being used at that point to complete the order.
Locally I've only been able to reproduce this problem once out of probably 50 tries. So it's one of those "sometimes it works and sometimes it doesn't scenarios" or in other words a pain in the * to debug and fix.
I tried playing around with the session settings in my application.ini and also the _initSession in my Bootstrap, but in fact after those changes I managed to reproduce the problem (that one time).
The original application.ini and Bootstrap.php (relevant pieces only) look like this:
application.ini:
resources.session.save_path = APPLICATION_PATH "/../data/sessions"
resources.session.gc_maxlifetime = 2592000
resources.session.remember_me_seconds = 2592000
Bootstrap.php:
protected function _initSession()
{
// set up the session as per the config.
$options = $this->getOptions();
$sessionOptions = $options['resources']['session'];
Zend_Session::setOptions($sessionOptions);
Zend_Session::start();
}
Note that in all other circumstances/use-cases the sessions are working fine throughout the site. It's only after the redirecting that it goes wrong for some clients. I had the application logging extra information and I could actually see the session id change in those cases.
Could it have something to do with the long session lifetime (1 month)? Or do I have to call Zend_Session::rememberMe(...); after Zend_Session::start() in the Bootstrap? Or any other ideas, tips and advice?
Edit: The other session options I experimented with are as follows:
resources.session.name = myuniquesessionname
resources.session.use_cookies = on
resources.session.use_only_cookies = on
resources.session.save_path = APPLICATION_PATH "/../data/sessions"
resources.session.gc_maxlifetime = 2592000
resources.session.remember_me_seconds = 2592000
resources.session.strict = on
I fought with this very issue, and found that I was dealing with two different domains. Some of my users were starting out on mydomain.com and then after finishing with the payment provider they were getting redirected back to www.mydomain.com. This would result in a completely new session.
Possible that this is your issue?
If so, I would stick something like this early on in the bootstrap process, possibly right at the top of your index.php file:
if($_SERVER['SERVER_NAME'] != 'www.mydomain.com') {
Header("Location: http://www.mydomain.com" . $_SERVER['REQUEST_URI']);
exit;
}
This assures right up front that users are using the domain that you want them to use. The redirect will preserve the full url, with any GET variables.