
PHP Server Side Scripting Forum

    
pass id with sessions when backbutton hit
helenp

Msg#: 4577089 posted 4:15 pm on May 23, 2013 (gmt 0)

Hi,
I have ever worked with sessions, but am trying to implement them for the online bookings with Paypal.

On page A the user fills in a booking form, clicks on the submit button and goes to page B, on which the booking etc. is done and they are automatically redirected to Paypal to pay.
The problem is when they hit the back button to change some information: as the booking has already been done, they can't book it again and pay for it, so I want the booking to be deleted if the back button is hit.

First I tried to add the delete query on page B; however, when the back button is hit, I get the same content as before instead of the else, so then I try to delete the booking when they come back to page A.
But there I have another problem.
The booking needs to be deleted on page B or page A, and after the booking has been deleted the session needs to be destroyed and a new session started, as the booking will get a new id.
So on page A I have this, but I get the error "headers already sent":

<?php

session_cache_limiter('private');
$cache_limiter = session_cache_limiter();

session_cache_expire(45);
$cache_expire = session_cache_expire();

session_start();

$ids=$_SESSION['ids'];

$sql = mysql_query("DELETE FROM bookings WHERE id=$ids");
echo "test";
session_regenerate_id();


I would prefer to delete on page B and then go to page A; however, that looks impossible as the page does not refresh.
Thanks

 

swa66

Msg#: 4577089 posted 8:54 pm on May 23, 2013 (gmt 0)

You could add an identifier in a hidden field in the form so that you know it's an identifier that's already been used - and hence this is a resubmit.

helenp

Msg#: 4577089 posted 9:46 pm on May 23, 2013 (gmt 0)

> You could add an identifier in a hidden field in the form so that you know it's an identifier that's already been used - and hence this is a resubmit.

Thanks,
Wish I could understand that in practice...
I am storing the id for the booking (the one that should be deleted) in the session like this:
$query = mysql_query("SELECT LAST_INSERT_ID() AS myid", $dbh);
$lastid = mysql_fetch_array($query);

$id = $lastid["myid"];
$_SESSION['ids'] = $lastid["myid"];

swa66

Msg#: 4577089 posted 10:25 pm on May 23, 2013 (gmt 0)

Well how you do it isn't that important: but you need to somehow create state.
That state needs to be good enough to determine the things you need.

E.g. somebody hitting back and resubmitting a cached form vs. somebody completing a transaction and (intentionally) starting a second booking.

The way to purely detect a resubmit from a form is to give each form you hand out a unique id in it (hidden field is the easiest) and track which you handed out to whom and check if they get submitted twice.

Actually the hidden field with a unique code in it is also a protection against CSRF attacks.
Ref: [owasp.org...]
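
As an added example (not code from the thread), this sketches the single-use form token described in the post above: a random value issued per form, tracked in the session, flagged when submitted twice and rejected when it was never issued. The function names, the `form_tokens` session key and the 30-minute lifetime are assumptions; `random_bytes()` needs PHP 7 or later.

```php
<?php
declare(strict_types=1);

// Added example, not from the thread. Function names, the 'form_tokens'
// session key and TOKEN_TTL are hypothetical.
const TOKEN_TTL = 1800; // seconds a handed-out form stays valid (assumed)

// Page A: create a token, record it in the session, return it for the hidden field.
function issueFormToken(array &$session): string
{
    $token = bin2hex(random_bytes(32)); // CSPRNG output, not a date/time value
    $session['form_tokens'][$token] = ['issued' => time(), 'used' => false];
    return $token;
}

// Page B: 'ok' on first use, 'resubmit' if already used,
// 'unknown' if never issued to this session or expired.
function consumeFormToken(array &$session, string $submitted): string
{
    foreach ($session['form_tokens'] ?? [] as $token => $meta) {
        if (!hash_equals((string) $token, $submitted)) {
            continue;
        }
        if (time() - $meta['issued'] > TOKEN_TTL) {
            unset($session['form_tokens'][$token]);
            return 'unknown';
        }
        if ($meta['used']) {
            return 'resubmit'; // back button + submit of a form already processed
        }
        $session['form_tokens'][$token]['used'] = true;
        return 'ok';           // first submit: safe to insert the booking
    }
    return 'unknown';          // forged or cross-site request: reject
}

// Constructed demo; $session stands in for $_SESSION.
$session = [];
$token = issueFormToken($session);
echo consumeFormToken($session, $token), "\n";               // first submit
echo consumeFormToken($session, $token), "\n";               // same form again
echo consumeFormToken($session, str_repeat('0', 64)), "\n";  // token never issued
```

On a real page the calls take `$_SESSION` as the argument, after `session_start()` and before any output is sent.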

helenp

Msg#: 4577089 posted 6:35 am on May 24, 2013 (gmt 0)

> The way to purely detect a resubmit from a form is to give each form you hand out a unique id in it (hidden field is the easiest) and track which you handed out to whom and check if they get submitted twice.


Sounds good, let's see if I got it,
so when a person lands on the submit form a unique id should be created, for example day and time with php; that value I save in a hidden field in the form, I post it to page B where the booking is inserted, and along with the booking I insert the unique id for the form.
If the back button is hit and the form resubmitted I should check with mysql that the unique id does not exist; if it does exist I then delete the booking with that unique id that was created, then I insert a new booking with the same unique id (in case they go back again).

Without sessions:
That sounds like it works perfectly, in nearly all cases except one.
In the case the person does not only go back to the submit form but goes back to the page previous to the submit form; on that page is where they choose payment options, so then they change the payment option, fill in the form (this time not a cached version) and try to book, then the same will happen: the booking is already done and can not be redone.

Using sessions:
So then, to cover all kinds of situations, I'm thinking: if I save the unique id I created for the form in the session, then insert the unique id along with the booking, on resubmitting I check the id does not exist, and do the same, delete the existing booking and insert a new booking.
But that makes it impossible, I think, to do one successful booking then go back or go to another property to do a different booking, different dates or property, so there the session should be destroyed to get a new session with its unique id.
Puf, I am lost in the session thinking...
Thanks,

swa66

Msg#: 4577089 posted 9:32 am on May 24, 2013 (gmt 0)

You're getting closer: You got how to detect somebody resubmitting one form.

But you actually have more of a chain of forms and you want to work with scenarios on what the user does.

One way to do this is to keep the number of changes low:
i.e. you help the user building up their choices, but you do not "reserve" anything till they are further along.
This is what I think the vast majority of car rental, motel room booking sites do: they keep you as a prospect and will only commit to anything when paid for. (And the second one paying for the same would get a sorry later on).

If that doesn't help you, you need to track the state the user is in in your session (do not drop it, that's not going to help you).

You have states and transitions, and I'd, for something that's making me think hard, definitely draw up an actual state diagram (If unfamiliar: google for it, plenty of info out there).

Essentially you have then anything a user can do in any state he's in in your diagram, and deciding what to do becomes much easier.

helenp

Msg#: 4577089 posted 9:46 am on May 24, 2013 (gmt 0)

> One way to do this is to keep the number of changes low:
> i.e. you help the user building up their choices, but you do not "reserve" anything till they are further along.
>
> If that doesn't help you need to track the state the user is in in your session (do not drop it, that's not going to help you).
>
> You have states and transition, and I'd for something that's making me think hard, would definitely draw up an actual state diagram (If unfamiliar: google for it, plenty of info out there)

Thanks,
Don't get it, have to think and google about it, also have a language problem.
Anyway,
The booking process is like this:
1. Enter property of choice.
2. Click on book online, goes to a page with a form to choose arrival and departure date, choose form of payment (there are 2, % of deposit), accept booking conditions, click on book it.
3. Goes to another page with a submit form button; on this page a message comes up if available or not, if available information about the booking, click on proceed with booking.
4. Goes to the booking form with information prewritten such as prices, term chosen etc. etc. and to fill in personal information. Click on go to pay it.
5. A page on which the booking confirmation pdf is done, the booking is inserted in the database, availability is checked again (only message if not available anymore) and the person is redirected to Paypal. At this stage is where the back button can't be hit.

[edited by: helenp at 10:15 am (utc) on May 24, 2013]

swa66

Msg#: 4577089 posted 10:05 am on May 24, 2013 (gmt 0)

Try to read up on state diagram a bit:

[en.wikipedia.org...]
(probably exists in other languages).

Don't worry about the complex notations some of them use (advanced users - you don't need all of that).

All you need is the concept of state ( the circle) and transition (the arrow).

So your visitor comes in for his first html hit.
that's a transition: the creation of a session upon the first page he views

It puts him in a state (let's call it "just looking")

ASCII art is hard out here.... I'm not going to go far with this

                  +------------+
----------------> |just looking|
 create session   +------------+


Now the user can just keep looking or he can look at all properties he wants: he stays in the just looking state, see availability, enter his choice of rooms etc. You track those variables in your session. if the user goes back, they can change at will.

You could model that all in the state diagram but for now let's keep it simple. (also my ASCII art is suffering badly here)


                  +------------+
----------------> |just looking|
 create session   +------------+
                       |   ^
                       |___|
                 looks at property


The user can also press "book this".

Now it's the time to choose: either you want to make sure that when he says "book this", you will be able to assure a vacancy till when he pays for it, or you'll deal with it later.

Let's assume you want to assure the vacancy. [you're creating more problems than they are worth I think]

So we add a state "book it"
there are immediately 2 options: somebody might have beaten him to the last room available already, or it might be free


                              not available after all
                         __________________________________
                        |                                  |
                        v                                  |
                  +------------+                   +----------------+
----------------> |just looking|-----------------> | bookit pressed | -------------------------->
 create session   +------------+  book it pressed  +----------------+  reserve for this session
                       |   ^
                       |___|
                 looks at property

[edited by: swa66 at 10:21 am (utc) on May 24, 2013]

helenp

Msg#: 4577089 posted 10:10 am on May 24, 2013 (gmt 0)

> Now the user can just keep looking or he can look at all properties he wants: he stays in the just looking state.

So you mean I should create a session as soon as they enter the website?
My idea was to use the session only on the booking pages, as only a small % enter those, as many just look, search for information etc.

swa66

Msg#: 4577089 posted 10:22 am on May 24, 2013 (gmt 0)

Oh you can choose that, not important.

swa66

Msg#: 4577089 posted 10:25 am on May 24, 2013 (gmt 0)


To go on above (I pressed submit too soon), and editing with the ascii art in there is a pain...

You enter a new state when the user has a lock on the room (you need to define a way to expire them as users can quit the process without you knowing they did.)

And you go on like this. Think about the states, not about the pages they visit.

Once you complete your state diagram, that state gets stored in your session, and given the state the user is in and what the page can do, it becomes easy to know what to do next.

Have to run now.
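
As an added example (not code from the thread), this keeps the booking state in the session and accepts only the transitions drawn in the diagram, with an expiring lock for abandoned reservations. The `reserved` and `paid` states, the event names, the `back` transition and the 15-minute lock lifetime are assumptions that go beyond the states named in the posts.

```php
<?php
declare(strict_types=1);

// Added example, not from the thread. State and event names beyond
// "just looking" and "bookit pressed" are hypothetical.
const LOCK_TTL = 900; // seconds a reservation lock is held (assumed)

// state => [event => next state]
const TRANSITIONS = [
    'just_looking'   => ['look' => 'just_looking', 'book_it' => 'bookit_pressed'],
    'bookit_pressed' => ['not_available' => 'just_looking', 'reserve' => 'reserved'],
    'reserved'       => ['back' => 'just_looking', 'paid' => 'paid'],
    'paid'           => ['look' => 'just_looking'],
];

// Applies $event to the state stored in $session; returns false and leaves
// the state alone when the event is not allowed in the current state.
function applyEvent(array &$session, string $event, ?int $now = null): bool
{
    $now   = $now ?? time();
    $state = $session['state'] ?? 'just_looking';

    // An abandoned lock expires on its own: the user falls back to browsing.
    if ($state === 'reserved' && $now - ($session['locked_at'] ?? 0) > LOCK_TTL) {
        $state = 'just_looking';
        unset($session['locked_at']);
    }
    $next = TRANSITIONS[$state][$event] ?? null;
    if ($next === null) {
        $session['state'] = $state;
        return false;
    }
    if ($next === 'reserved') {
        $session['locked_at'] = $now;   // lock starts with the reservation
    } elseif ($state === 'reserved') {
        unset($session['locked_at']);   // leaving 'reserved' releases the lock
    }
    $session['state'] = $next;
    return true;
}

// Constructed demo; $s stands in for $_SESSION, timestamps are made up.
$s = [];
var_dump(applyEvent($s, 'paid', 1000));      // pay attempt while just looking
applyEvent($s, 'book_it', 1000);
applyEvent($s, 'reserve', 1000);
var_dump(applyEvent($s, 'paid', 1000 + LOCK_TTL + 1), $s['state']); // after expiry
```

The caller would release the unpaid booking row whenever the state leaves `reserved` without reaching `paid`, and would raise the `paid` event only from a server-side payment confirmation.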

helenp

Msg#: 4577089 posted 5:16 pm on May 25, 2013 (gmt 0)

> Now the user can just keep looking or he can look at all properties he wants: he stays in the just looking state, see availability, enter his choice of rooms etc. You track those variables in your session. if the user goes back, they can change at will.

So if I get you (I don't) I should track and store everything they do; even if I understand the diagram, I'm not sure what to do with it.
sort of page 2: - state checking, option
property a, payoption c, arrivaldate e and departure day x, these values I pass with the session
page 3: state continuing. I keep passing these values to next page (4), or if go back to page 2, the values might change, and if changed (click on submit button) booking deleted and values changed to new values.
page 4: state booking: keep passing the values.
So if values "property", "form of payment", "arrival date" and "departure date" change or are just resubmitted on page 2 or page 4 (the only ones where information may be changed) the booking should be deleted in database, the new values should be stored in the session.
Suppose if booking successful (paid) the session needs to be destroyed, as they might book another property.
The only way to check if paid 100 % safe is using the ipn.php
Don't see any need of the unique value for the form here.

I can also, without session, do the unique value for the form on page 2, pass it by post to page 2 and 4, insert it in mysql on page 5; if the back button is hit and the form resubmitted on page 2 or 4, the booking should be deleted and a unique id created. However this does not work if the user goes navigating and returns navigating (not frequent).

Puf, looks like too much for me, am I on the way or totally wrong?

helenp

Msg#: 4577089 posted 6:50 pm on May 25, 2013 (gmt 0)

Edit too late: Don't see any need of the unique value for the form here.

Of course necessary to check it's not another person
also editing: Suppose if booking successful (paid) the session needs to be destroyed, as they might book another property.
The only way to check if paid 100 % safe is using the ipn.php

If booking successful (paid) I check with database as the statement in database changes to paid from unpaid.
