I would be grateful for any advice on the above.
I am completing (i hope) my paypal IPN settings, and on completing the transaction I click on the 'Return to Merchant' button, where i get redirected to my 'invalid transaction' page.

The transaction is being verified, so there must be an error on my IPN page

I have configured my paypal IPN page as follows...

Check xaction ID from paypal
If not a duplicate..

Add row to payment table
Add row(s) to cart table
Update stock level of items which were in the cart
Update order status in the order table to 'confirmed'
send an email to myself confirming a valid transaction
go to checkout success page

if xactionID is duplicate
send an email to myself confirming a duplicate transaction
go to duplicate xaction page

if xactionID is invalid
send an email to myself confirming a invalid transaction
go to invalid xaction page

I checked my emails and I am getting 2 emails, one after the other, the first showing invalid transaction, the second showing valid transaction.

my confirm.php page has a return value of my IPN page, and as the transaction is valid, i can't work out why I'm getting the error.

Your return page should not be your IPN page. It should be a different page that simply says thank you for your order.

Thanks Ray

I changed the return value to checkout_success.php.

One thing I have noticed is when i navigate back to my cart page from checkout_success, that cart still has items in it.

Is this because my session id is still active ?

Yes... you can use the clear session server behavior that is part of Cookies toolkit, or just look up code on how to clear a session... it is fairly simple.

Really you would only need to clear the OrderID session variable and clear the shopping cart.

Thanks Ray

I assume then, that if i assign the following...

unset($_SESSION['cartname_OrderID']);

in my checkout_success.php and checkout_failure.php pages, that will sort it, it that right ?

and throw in a:

$YourCartName->ClearCart();

to clear the cart itself also on the success page.

probably overkill, but what i have done is

$_SESSION = array();

to clear all sessions.

it seems to work ok, is this overkill and/or will this approach pose any problems ?

thanks

The only issue is that if you have user login it would log out that user. If you don't use login or if you don't mind logging the user out, that method would work just fine.

Excellent.

Thanks for your help

I have successfully included code to unset all sessions on checkout_success and checkout_failure.

in testing, i have found that if i don't visit these pages after paypal, and just go back to my site, whilst keeping the browser open, my sessions are still active.

Were I to unset the session on the checkout confirm page, would this cause any issues with my IPN validation.

If not, at what point should I unset the session, presumably only when the confirm button is clicked ?

It would not interfere with IPN to unset the session on the bottom of the confirm page... however if someone decides to continue shopping after going to paypal instead of continuing why would you want to clear the cart? It seems you may want to keep it as it is, but I guess that is up to you and your business.

Hi Ray, thanks for the reply.

perhaps my problem is more fundamental than I first thought..

I am testing quite a bit at the moment

The issue I am having is if I return to the site after paypal, and try to place another order, when i return to paypal, i get an error saying

"This invoice has already been paid. For more information, please contact the merchant."

So it looks like the transactionID is being retained

So this is after paying, but then returning to the site? I guess that would cause that error. It may also be using the SessionID, so perhaps you would have to delete the whole session, or update the hidden form elements to use the OrderID from the session instead of the sessionid as the invoice hidden field on your confirm page.

Sorry Ray, I'll need to digest this slowly.

Taking a look at confirm.php i assume that the hidden field 'invoice' which uses session_id () as a variable is the one which paypal is identifying. Is this correct ?

On my checkout_success page, I use $_SESSION = array(); to (attempt to) clear all session variables

I definitely end up with an empty cart, therefore why the error message ?

I'm a bit confused.

Maybe that doesn't update the session_id() value.

Try using: session_destroy();

after and see if that fixes it.

i tried session_destroy() on my checkout_success page but i still get the error whilst attempting a second paypal purchase.

When you look at the hidden form element does it have the same value as it did before? How are you going back to the page?

i checked the session_id from the hidden field and it is unchanged for the second transaction, which shows it isn't being cleared.

i am using the link from the paypal confirmation page to go to checkout_success which is the page which has the code to clear the session info.

I guess try:

session_regenerate_id();

or start using the orderID from the session instead of the sessionId, which it appears you are clearing successfully.

yes, i could try that.

the session id was added when i used the ecart wizard.

i'll have a play with the orderid.

if this doesn't work, i'll create a support incident.

when i've got it fixed, i'll report back

I posted a support incident and got a fix from Jason

I added the code to delete the session cookie between my $_SESSION = array();

and

session_destroy();

lines and that seems to do the trick.

My final code is as follows, placed after the closing html tag on my checkout_success page...

<?php
//initialize the session
if (!isset($_SESSION)) {
session_start();
}

// Unset all of the session variables.
$_SESSION = array();

// Delete the session cookie to kill the session

if (isset($_COOKIE[session_name()])) {
setcookie(session_name(), '', time()-42000, '/');
}

// Finally, destroy the session.
session_destroy();
?>

This seems to work nicely.