Hi Jason,
Thanks for your reply. I think I've got this fixed now.
I was submitting the return URL as a hidden field. The issue I had was that after making a payment through PayPal, the user can still type the URL of your cart (e.g. http://example.com/cart.php) in the address bar, or press back before being transferred to the checkout_success.php page. This is easier on PayPal as they can give a user notifying "You will be redirected in 10 Seconds", in which time they can just type the URL easily.
By doing this, a payment could be processed for one item, this would then, in time, notify my system via the IPN that the order id's status is complete. By just going direct to the cart page and not killing the session, the user can return to the cart, add more items to an order, press checkout, and without even going to PayPal, they can increase their order and make it look like they have paid for many more items than they actually have (although I'd recommend all clients check their orders and check it against their PayPal transactions), which was a bit of a security flaw for me.
What I did was (using Data Assist's Clear Session Values) create the following snippet. This checked if the session had a order id set, if so, it would clear all session variables.
@session_start();
if (isset($_SESSION['shop_OrderID']) && !empty($_SESSION['shop_OrderID'])){
// WA_ClearSession
$clearAll = TRUE;
$clearThese = explode(",","");
if($clearAll){
foreach ($_SESSION as $key => $value){
unset($_SESSION[$key]);
}
}
else{
foreach($clearThese as $value){
unset($_SESSION[$value]);
}
}
}
Is this correct? I've tested it a few times, and it appears to work fine.
Also, if you pass the notify_url as a hidden field on your confirm page, you can set the URL you wish the IPN notification to be sent to, rather than configure it manually in your PayPal account. (took me a while to spot that one).
Thanks,
Aled