swa66 - 9:25 am on Feb 28, 2013 (gmt 0)
When the persons leave my site and enter PayPal's, isn't the session lost?
A session is essentially a cookie in the browser that's matched on the server side with information. As long as the client keeps the cookie and the server keeps its information, the session remains valid even if there are visits to other websites in between (HTTP being stateless, there's not even a way to know they did that).
I'd suggest taking the time to understand sessions in full. They can be of great benefit to you when you do transactions that span more than one page hit.
The philosophy I tried to explain above is:
- to use the session to keep track of things like users being logged in or not, from the time they enter till they log out (if they log in and out; from the first hit otherwise).
- to use a hidden field with a server-side generated random value in it in sensitive forms.
If you then find, on form submission, that
- it's the same session (i.e. the same browser - cookie based)
- it's the same form (due to the same random value being returned)
THEN it's relatively safe to assume the user went "back"
Whenever you accept a submission, ready for payment, you also keep track of the random value in the submission - to check for resubmissions ...
You also have to take care that they might go even further back and get a new form as well - but then it quickly becomes a matter of adding more state in the sessions.
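An added example, not code from swa66's post or from the forum, showing the scheme described above in Python: a server-side session keyed by the cookie value, a fresh random token stored in the session every time a sensitive form is rendered, and a submission check that requires both the same session and a token that session actually issued, with accepted tokens remembered so a resubmission (the user pressing "back" and posting again) is detected. The in-memory dict store, the function names and the outcome strings are all assumptions made for the example; a real site would keep the session data in its usual session backend.

```python
import secrets

# Assumed session store: cookie value -> per-session state.
# "issued" holds the hidden-field tokens this browser has been given,
# "accepted" holds the ones that already went through to payment.
SessionStore = dict


def new_session(store: SessionStore) -> str:
    """Start a session; the returned id is what goes in the cookie."""
    sid = secrets.token_urlsafe(32)
    store[sid] = {"logged_in": False, "issued": set(), "accepted": set()}
    return sid


def render_form(store: SessionStore, sid: str) -> str:
    """Generate the random value for the form's hidden field.

    Each render gets its own token, so a user who goes further back and
    loads the form again holds a second, distinct token.
    """
    token = secrets.token_urlsafe(32)
    store[sid]["issued"].add(token)
    return token


def handle_submission(store: SessionStore, sid: str, token: str) -> str:
    """Classify a POST carrying the session cookie and the hidden field.

    Returns one of (assumed outcome names):
      "no-session"    cookie missing, expired or unknown
      "unknown-form"  token was never issued to this session
      "resubmission"  same session, same form, already accepted once
      "accepted"      first submission of a form we issued to this browser
    """
    sess = store.get(sid)
    if sess is None:
        return "no-session"
    # Tokens are 256-bit random values, so set membership is a safe
    # "same form" test: a forged or foreign token will not match.
    if token not in sess["issued"]:
        return "unknown-form"
    if token in sess["accepted"]:
        return "resubmission"
    sess["accepted"].add(token)
    return "accepted"


def demo() -> list:
    """Walk through the cases from the post; returns the outcome sequence."""
    store: SessionStore = {}
    sid = new_session(store)
    tok = render_form(store, sid)
    results = [
        handle_submission(store, sid, tok),        # first post: accepted
        handle_submission(store, sid, tok),        # "back" + resubmit
        handle_submission(store, sid, "bogus"),    # token we never issued
        handle_submission(store, "nosuch", tok),   # cookie gone
    ]
    # Went further back and got a new form: different token, same session.
    tok2 = render_form(store, sid)
    results.append(handle_submission(store, sid, tok2))
    # Same token presented from a different browser/session.
    other = new_session(store)
    results.append(handle_submission(store, other, tok))
    return results


if __name__ == "__main__":
    for outcome in demo():
        print(outcome)
```

The last case in `demo()` is why the session check and the token check are both needed: the token alone would pass, but it was issued to a different cookie, so it is not "the same browser". Note that "accepted" for the second form (`tok2`) is exactly the situation the post's last sentence warns about; deciding whether a second accepted form should supersede or be refused while the first is pending is the extra session state it refers to.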