unable to read session on SagePay server notification page - session

We integrate with SagePay Server using ASP.Net and we seem to have a problem getting session on our NotificationUrl.
We get no information when we try to read session on the Notification page, but strangely the page we set as RedirectUrl can read all the values from session. Can you please advise if we are doing anything wrong or if we have to pass any parameter to access session information on the notification page?
Thanks,
PS: I have also posted the question on SagePay support forum

If I'm not mistaken, the request to NotificationUrl will be made from the SagePay server and not the customer's PC, therefore the request will not have the customer's cookie/session id that is valid on your server. From your server's point of view they (the customer and the request to the NotificationUrl page) would be 2 different persons. Check your web server logs -- they will have different IPs and most (if not all) requests to NotificationUrl would be from the same IP (or IPs in the same subnet).
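Added example, not SagePay's code and not from the original answer: a notification handler that identifies the order from the posted transaction reference instead of a browser session, plus the log check the answer suggests, run over constructed log lines. The field names `VendorTxCode` and `Status` are assumed here to be the gateway's form fields, and the paths in the log are made up.

```python
from urllib.parse import parse_qs
import re

# Constructed orders table, keyed by the reference we sent to the gateway (field name assumed).
ORDERS = {"ORD-1001": {"shopper_session": "sess-abc", "amount": "25.00", "status": "pending"}}


def handle_notification(post_body: str, session_cookie=None) -> dict:
    """Server-to-server callback: session_cookie is expected to be None, so never rely on it."""
    form = {k: v[0] for k, v in parse_qs(post_body).items()}
    ref = form.get("VendorTxCode")   # assumed field carrying our own order reference
    order = ORDERS.get(ref)
    if order is None:
        return {"Status": "INVALID"}
    # Decide on gateway-reported fields only; the shopper's session is unavailable here.
    order["status"] = "paid" if form.get("Status") == "OK" else "failed"
    return {"Status": "OK", "order": ref}


# Combined-log-style line: client IP first, request line in quotes.
LOG_LINE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(?:GET|POST) (\S+)')


def ips_by_path(log_lines) -> dict:
    """Group the client IPs seen per requested path; the notify path should show only gateway IPs."""
    seen = {}
    for line in log_lines:
        m = LOG_LINE.match(line)
        if m:
            seen.setdefault(m.group(2), set()).add(m.group(1))
    return seen


# Constructed log: the shopper (203.0.113.10) never hits the notification URL.
LOG = [
    '203.0.113.10 - - [01/Jan/2015:10:00:00 +0000] "POST /checkout HTTP/1.1" 302 -',
    '198.51.100.7 - - [01/Jan/2015:10:01:00 +0000] "POST /sagepay/notify HTTP/1.1" 200 -',
    '203.0.113.10 - - [01/Jan/2015:10:01:05 +0000] "GET /sagepay/complete HTTP/1.1" 200 -',
]
```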

The RedirectURL is usually a page hosted on your own site which is designed to be an order complete page that we redirect the shopper's web browser to upon transaction completion.
For more information on this, please check Sage Pay Server Protocol and Integration Guidelines.

Related

Paypal redirect logging me out of my site?

I have no idea if anyone has experienced this, but I have a slight problem when redirecting from PayPal back to my site....
I have a site built with AngularJS + PHP in the backend. I log in to my site and everything is fine. When I try to do a recurring payment, it redirects to PayPal, I accept the payment and such, and when I come back to my site (review payment) I have the payer id and token in the URL, which is exactly what I need.. but I'm not logged in to my site anymore.
The problem with this is, if I reconnect to my site again and do the same procedure, now it's all good...
What can be the cause of my site logging out the user when it redirects back from somewhere, in this case from PayPal?
Take a close look at two requests from the browser to your website:
- the last one before redirection to PayPal
- the redirection from PayPal
Open the Network tab in FireBug or Developer Tools, depending on your browser, and examine the values sent in cookies.
Check if your browser accepts cookies (assuming it's cookie-based sessions you are using).
Make sure there is a cookie created by your PHP when you make the first one
Make sure it is still there, sent from the browser when you come back from PayPal
Make sure the values in the cookies (session ids) match
Also, that the server does not send a "set-cookie" header in the response to the second request
A "no" to any of the above opens a few more options to investigate, so start with these.
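Added example, not from the original answer: the checklist above turned into a check over two constructed browser captures (the request before the PayPal redirect, the request on return, and the server's response to the latter). It assumes the PHP session cookie is named `PHPSESSID` and that the captures are raw header blocks as copied from a browser's Network tab.

```python
from http.cookies import SimpleCookie
from typing import Optional

SESSION_COOKIE = "PHPSESSID"   # assumed name of the PHP session cookie


def parse_headers(raw: str) -> dict:
    """Raw header block -> dict (names lower-cased; Set-Cookie kept as a list)."""
    headers = {}
    for line in raw.strip().splitlines()[1:]:   # skip the request/status line
        name, _, value = line.partition(":")
        name, value = name.strip().lower(), value.strip()
        if name == "set-cookie":
            headers.setdefault(name, []).append(value)
        else:
            headers[name] = value
    return headers


def session_id(headers: dict) -> Optional[str]:
    jar = SimpleCookie()
    jar.load(headers.get("cookie", ""))
    morsel = jar.get(SESSION_COOKIE)
    return morsel.value if morsel else None


def check_session_continuity(before_req: str, after_req: str, after_resp: str) -> list:
    """Return the checklist items that fail; an empty list means the session survived the redirect."""
    problems = []
    sid_before = session_id(parse_headers(before_req))
    sid_after = session_id(parse_headers(after_req))
    if sid_before is None:
        problems.append("no session cookie sent before redirecting to PayPal")
    if sid_after is None:
        problems.append("no session cookie sent on return from PayPal")
    elif sid_before != sid_after:
        problems.append("session id changed between the two requests")
    # A fresh session Set-Cookie on the return response means the server started a new session.
    for sc in parse_headers(after_resp).get("set-cookie", []):
        if sc.startswith(SESSION_COOKIE + "="):
            problems.append("server issued a new session cookie on return: " + sc.split(";")[0])
    return problems


# Constructed captures: the session survives in the first pair and is lost in the second.
GOOD_BEFORE = "GET /checkout HTTP/1.1\nHost: shop.example\nCookie: PHPSESSID=abc123; theme=dark\n"
GOOD_AFTER = "GET /review?token=EC-1&PayerID=P1 HTTP/1.1\nHost: shop.example\nCookie: PHPSESSID=abc123\n"
GOOD_RESP = "HTTP/1.1 200 OK\nContent-Type: text/html\n"
BAD_AFTER = "GET /review?token=EC-1&PayerID=P1 HTTP/1.1\nHost: shop.example\n"
BAD_RESP = "HTTP/1.1 200 OK\nSet-Cookie: PHPSESSID=zzz999; path=/\n"
```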

When authenticating a user with OAuth 2.0 how does the redirect URL know what user they belong to?

I'm new to web development and trying to get my feet wet by building a web app that uses Google APIs. I was reading Google's documentation on using OAuth 2.0, but the redirect URL bit has me a bit confused. According to the example here a successful authentication will send a response to
{redirect_url}?state=/profile&code={auth_code}
The response URL doesn't specify a user and neither does the response load as far as I know. How does the redirect URL endpoint know which user is tied to the authorization code it just received?
There was a very similar question here, but the answers focus on passing query parameters to the redirect URL. I'm not trying to do that. I want to understand how the redirect endpoint associates an OAuth response to a particular user. Note that I'm pretty new to all of this, so my confusion might stem from not understanding how HTTPS calls work or something similar.
A notable detail is that when your redirect URL receives a response with a code, it is the Google authorization server that redirects the user's browser to your server. So it's the user's browser that sends a request to your server with the code.
In other words, your question is actually: "When your server receives many requests from many users, how do you know which user a request comes from?"
I think you need to learn something about sessions or cookies, which allow HTTP to become stateful.
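Added example, not Google's code and not from the original answer: an in-memory sketch of how a redirect endpoint ties the incoming `code` to a user: by the session cookie the browser sends with the redirected request. It goes one step beyond the question's `state=/profile` by making `state` a random value bound to that session and checking it on return, so a code that was not requested by this session is rejected. The authorization URL, session store and `parse_query` helper are all assumptions of this example.

```python
import secrets
from urllib.parse import urlparse, parse_qsl

sessions = {}   # session id (the cookie value) -> that user's session data


def new_session() -> str:
    """Issue a fresh session id; in a real app this value is set as a cookie."""
    sid = secrets.token_urlsafe(32)
    sessions[sid] = {}
    return sid


def begin_login(session_cookie: str, redirect_uri: str, next_page: str) -> str:
    """Build the authorization URL and remember a random state in this user's session."""
    state = secrets.token_urlsafe(16)
    sessions[session_cookie]["oauth_state"] = state
    sessions[session_cookie]["oauth_next"] = next_page    # where to send the user afterwards
    return f"https://accounts.example/auth?redirect_uri={redirect_uri}&state={state}"


def parse_query(url: str) -> dict:
    return dict(parse_qsl(urlparse(url).query))


def handle_redirect(session_cookie: str, query: dict) -> dict:
    """Runs when the browser lands on {redirect_url}?state=...&code=... after the provider redirects it."""
    session = sessions.get(session_cookie)
    if session is None:
        raise PermissionError("no session cookie: cannot tell which user this code belongs to")
    expected = session.pop("oauth_state", None)           # single use: state is consumed here
    if expected is None or not secrets.compare_digest(expected, query.get("state", "")):
        raise PermissionError("state mismatch: this code was not requested by this session")
    session["auth_code"] = query["code"]                   # later exchanged for tokens server-side
    return {"next": session.pop("oauth_next"), "code": query["code"]}
```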

Are third parties cookies sent with image requests from first party web pages

We have an implementation understanding with a merchant to create our domain's cookies when the user is on his site. Now in FF, assuming that third party cookie acceptance is set, we are able to create the cookies and the flow works fine. But the issue is that after the cookie is created and third party cookies are disabled later, on the request to load an image from the merchant's site page to our site we do not receive the cookie details.
Is it expected behavior or do we need some special mechanism to get the cookie?
Please help.
You may already know this but cookies are domain based. You can only access cookies on requests for the same domain.
If your image is displayed on sample.com and the url of the image is sample.com/img.jpg then when the request is made for the image the cookies will be sent along with the request.
On the other hand if the image is displayed on sample.com and the image url is yoursite.com/img.jpg then you won't receive the cookies for sample.com.
Also, dev.sample.com and sample.com are different domain names.
Hopefully this helps clarify why you can't receive cookies. This behavior is mainly security related to prevent websites from sniffing cookies from other sites.
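Added example, not from the original answer: a small model of which cookies a browser attaches to an image request, using the RFC 6265 domain-match rule plus a "block third-party cookies" switch like the one the question describes. It also covers the host-only case (a cookie set without a `Domain` attribute, which is why `dev.sample.com` and `sample.com` behave as different sites). The cookie jar is constructed, and the two-label `registrable_domain` rule is a simplification assumed for this example (real browsers use the public suffix list).

```python
from dataclasses import dataclass


@dataclass
class Cookie:
    name: str
    value: str
    domain: str          # host the cookie was set for
    host_only: bool      # True when the cookie was set without a Domain attribute


def domain_matches(request_host: str, cookie_domain: str) -> bool:
    """RFC 6265 5.1.3: exact match, or the request host is a subdomain of cookie_domain."""
    request_host, cookie_domain = request_host.lower(), cookie_domain.lower()
    return request_host == cookie_domain or request_host.endswith("." + cookie_domain)


def registrable_domain(host: str) -> str:
    # Simplification assumed here: the last two labels identify the site.
    return ".".join(host.lower().split(".")[-2:])


def cookies_for_image(jar, page_host: str, image_host: str, block_third_party: bool = False) -> list:
    """Names of the cookies sent with a request to image_host from a page served by page_host."""
    third_party = registrable_domain(page_host) != registrable_domain(image_host)
    if third_party and block_third_party:
        return []   # the cookies still exist; the browser just refuses to send them cross-site
    sent = []
    for c in jar:
        if c.host_only and image_host.lower() != c.domain.lower():
            continue    # host-only cookies never go to subdomains or parents
        if domain_matches(image_host, c.domain):
            sent.append(c.name)
    return sent


# Constructed jar: one host-only cookie for the merchant, one Domain= cookie for our site.
JAR = [
    Cookie("sess", "1", "sample.com", host_only=True),
    Cookie("tracker", "x", "yoursite.com", host_only=False),
]
```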

HTTPS to HTTPS redirect session issue

I have a site (built on LAMP (CakePHP) with an SSL certificate installed) which has a secure payment page. After filling in the necessary information the user proceeds to a payment gateway page. After all the processing at the gateway end, the gateway redirects to one of my URLs, which I have to mention in the payment request.
Now when I keep this URL as http the redirect happens properly and all the sessions are maintained. But I want to make this page https, and when the payment gateway redirects to the https version of the URL, my session information dies and I get redirected to my home page.
eg: my payment page
https://www.mysite.com/payment
from here the user goes to the payment gateway site, does the necessary things and the payment gateway redirects to
http://www.mysite.com/paymentResponse (this URL I have to mention in the request)
Now I have to make this HTTPS, but when I do that my session info dies.
Please help me
Thanks,
Dinesh
I don't know why it supposedly works for plain HTTP requests, but the problem may be related to Configure::write('Security.level') being set to medium or high, which activates PHP's session.referer_check, which may be the reason sessions are dying for you when being redirected from external sites.

HTML form submits and the hostname changes to IP address

I am facing a peculiar problem. The problem is, my webapp is being installed behind a proxy. The request gets submitted to the proxy which forwards the request to the original host that is running the websphere web application.
The problem I am facing is, when I access the webapp, its URL looks like the below
http://www.myproxy.com
Let's say I get a form on this URL; when I submit the form, it gets submitted to another URL - http://10.1.2.87
Since the URL is changing, the application server thinks it is a different session and throws the login page again. The login page comes through a filter which checks whether the user is already authenticated in the session or not.
I do not have much knowledge of proxy settings .. where do you think the problem is?
Thus, you're using a reverse proxy. You need to configure it to manage the sessions as well. To the point, it should send the HTTP Cookie and Set-Cookie headers back and forth as well. Consult the documentation of the proxy in question for details or ask at serverfault.com for detailed assistance (don't forget to mention which proxy you're using).