views: 922

answers: 2

I have an app using PHP and the PayPal API. The basic way it works to get a payment is that you do a web service call to PayPal to get a token and then do a browser redirect to PayPal with that token for the user to pay. After the payment details have been confirmed, PayPal redirects back to the URL you originally set in the service call.

This all works, millions of people use it every day, et cetera.

Strange thing is, when PayPal redirects back, the PHP session is gone. It's a well-documented issue.

First question: why is this happening? Both pages are on the same domain, both use HTTPS. The session works for all requests up until the PayPal redirect back.

The linked forum thread suggests a workaround, to persist the session ID in the PayPal request and then to retrieve it later and restore the session. Great, except it doesn't seem to work.

I can add some log statements:

log(session_id());

before and after the various redirects. When coming back from PayPal, I log some more.

log("session id is " . session_id());          // id PHP assigned on this request
$session_id = get_session_id_from_paypal();    // id we persisted in the PayPal call
log("setting it back to " . $session_id);
session_id($session_id);                       // must run before session_start()
session_start();
log("session id is now " . session_id());

The result is not at all what I'd expect:

session_id is fc8f459a186a3f4695ff9ac71b563825
setting it back to 82460dcf8c8ddd538466e7cb89712e72
session_id is now 360ba3fd99d233e0735397278d2b2e55

Second question: why is the session id not at all what I set it to? What am I doing wrong? Or, at least, why do none of the session variables come back?

+1  A: 

Hi!

Can you do a phpinfo() and tell if session.auto_start is true?

vIceBerg
I'm starting it manually at the beginning of each request.
Jim Puls
I know, but if your server is configured with auto_start=True, the session is automatically started on each page. So, your call to session_id($session_id) will not work because this call must be before the session_start call. If auto_start=true, then it's already started.
vIceBerg
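The ordering problem this answer describes, as an added example (not code from the question or the answer): if a session is already active, whether from session.auto_start=1 or an earlier session_start(), session_id() is silently ignored, so the restore has to close the active session first. get_session_id_from_paypal() is the questioner's hypothetical helper; the id-shape check is an assumption based on the characters PHP itself uses in generated ids.

```php
<?php
// Added example, not the question author's code. Assumes get_session_id_from_paypal()
// returns the id that was carried through the PayPal round trip (hypothetical).

function is_valid_session_id(string $id): bool
{
    // Only accept ids shaped like the ones PHP generates (alphanumerics, ',' and '-');
    // anything else arriving in the return request is rejected, never handed to
    // session_id(). Pattern is an assumption covering PHP's sid_bits_per_character modes.
    return (bool) preg_match('/^[A-Za-z0-9,-]{22,256}$/', $id);
}

function restore_session(string $wanted_id): string
{
    if (!is_valid_session_id($wanted_id)) {
        throw new InvalidArgumentException('refusing to restore a malformed session id');
    }
    // With session.auto_start=1 (or a framework that already called session_start()),
    // the session is active before this code runs and session_id($x) does nothing.
    // Closing it first makes the id settable again.
    if (session_status() === PHP_SESSION_ACTIVE) {
        session_write_close();
    }
    session_id($wanted_id);
    session_start();
    return session_id();
}

// Usage on the PayPal return page:
$wanted = get_session_id_from_paypal();           // hypothetical helper from the question
$actual = restore_session($wanted);
error_log("session id is now " . $actual);
if ($actual !== $wanted) {
    error_log("restore failed: check session.auto_start and session.referer_check in phpinfo()");
}
```

Because the id now comes from the request rather than from the cookie, treat it like any other untrusted input: besides the shape check above, only restore ids that this server issued (for instance by storing the id server-side keyed by the PayPal token and comparing on return), otherwise anyone who can get a user to follow a crafted return URL can choose that user's session id.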
+2  A: 

Just an idea ...

Do you have session.referer_check set to your host perhaps? The default is the empty string, but it might have been changed ... and when the page 'comes back' from PayPal, php will trash the session info.

You can check the session.referer_check with phpinfo().

pmg
DING DING DING! That's why my PHP sessions are dying.
Jim Puls
LOL, glad you got it straightened out.
pmg
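What session.referer_check actually does, as an added example (not the answerer's code): PHP only applies the test when the setting is non-empty and the request carries a Referer header, and the test is a plain substring match, so a return from paypal.com fails it and the session is discarded. The Referer values and the host string 'shop.example' are constructed for the demonstration.

```php
<?php
// Added example, not from the answer. Reproduces the substring test PHP applies when
// session.referer_check is set, then shows the per-request remedy.

function referer_passes_check(?string $referer, string $check): bool
{
    // An empty session.referer_check (PHP's default) disables the test entirely.
    if ($check === '') {
        return true;
    }
    // Requests without a Referer header are not checked either, which is why
    // typing the URL by hand "works" while the PayPal redirect does not.
    if ($referer === null || $referer === '') {
        return true;
    }
    // PHP marks the incoming session id invalid when the configured string is not a
    // substring of the Referer; the request then starts an empty session with a new id.
    return strpos($referer, $check) !== false;
}

echo "session.referer_check is currently '" . ini_get('session.referer_check') . "'\n";

// Constructed sample requests against a hypothetical setting of 'shop.example'.
$cases = [
    'in-app navigation'        => 'https://shop.example/checkout',
    'return from PayPal'       => 'https://www.paypal.com/cgi-bin/webscr',
    'direct visit, no Referer' => null,
];
foreach ($cases as $label => $referer) {
    $outcome = referer_passes_check($referer, 'shop.example') ? 'kept' : 'discarded';
    printf("%-26s -> session %s\n", $label, $outcome);
}

// Remedy when php.ini cannot be edited: the setting is PHP_INI_ALL, so clearing it
// for this request before session_start() is enough for the PayPal return page.
ini_set('session.referer_check', '');
session_start();
```

Running this prints "kept" for the in-app and no-Referer cases and "discarded" for the PayPal return, matching the symptom in the question. If you keep the check for the rest of the site, clear it only on the PayPal return handler rather than globally.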