Keeping the cart information when login and logging out
#1

[eluser]earlyriser[/eluser]
Hi.
I wonder if some of you have solved this problem. I'm using SimpleLoginSecure and the Cart class.
In an ecommerce site the user (not logged in) adds some products to his cart and then he logs in. At this moment the cart info is lost because the session has changed.
Do you have an idea to overcome this?
I would like to keep the cart info independent of the login process.
#2

[eluser]WanWizard[/eluser]
Why would the user lose his session?

Yes, the session key changes (as it should on a regular basis), but that doesn't mean you should lose the contents of your session. I have never experienced this in my application, I guess SimpleLoginSecure (which I don't know) messes things up?
#3

[eluser]earlyriser[/eluser]
Here is the login function from SimpleLoginSecure. When the user logs in, the session is destroyed and a new one is created.

If I delete the lines of DESTROY OLD SESSION and CREATE FRESH SESSION I can conserve the cart, but I want to know which security issues this could bring.

Code:
function login($user_email = '', $user_pass = '')
{
    $this->CI =& get_instance();

    // Reject empty credentials before touching the database
    if ($user_email == '' OR $user_pass == '')
        return false;

    // Check if already logged in
    if ($this->CI->session->userdata('user_email') == $user_email)
        return true;

    // Check against user table
    $this->CI->db->where('user_email', $user_email);
    $query = $this->CI->db->getwhere($this->user_table);

    if ($query->num_rows() > 0)
    {
        $user_data = $query->row_array();

        // Verify the submitted password against the stored phpass hash
        $hasher = new PasswordHash(PHPASS_HASH_STRENGTH, PHPASS_HASH_PORTABLE);

        if (!$hasher->CheckPassword($user_pass, $user_data['user_pass']))
            return false;

        // Destroy old session (this is what drops the anonymous cart; it also
        // makes sure a session id issued before login is not carried over into
        // the authenticated session, i.e. it protects against session fixation)
        $this->CI->session->sess_destroy();

        // Create a fresh, brand new session
        $this->CI->session->sess_create();

        // Record the login time; user_id comes from the database row, not from user input
        $this->CI->db->simple_query('UPDATE ' . $this->user_table . ' SET user_last_login = NOW() WHERE user_id = ' . $user_data['user_id']);

        // Set session data, never storing the password hash in the session
        unset($user_data['user_pass']);
        $user_data['user'] = $user_data['user_email']; // for compatibility with Simplelogin
        $user_data['logged_in'] = true;
        $this->CI->session->set_userdata($user_data);

        return true;
    }
    else
    {
        return false;
    }
}
#4

[eluser]WanWizard[/eluser]
Do you use cookies for your session, or a database table?

I don't see real issues, provided that you delete all userdata (or any other data that relates to the user being logged in) that belongs to that user from the session when the user logs out (e.g. user_pass, user_email, etc.). I think the session_destroy() is just a very lazy way of accomplishing just that...
#5

[eluser]earlyriser[/eluser]
You are right. I commented out the lines, and changed the user data in the database, changing just the login state but leaving the session.
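A way to keep the cart without giving up the session regeneration, as an added example that is not part of SimpleLoginSecure or the CodeIgniter Cart class: snapshot the cart before sess_destroy()/sess_create() and put it back afterwards, so the session id still changes at login and logout but the cart survives. It assumes the CodeIgniter Session library as used above and that the Cart class stores its items under the session key cart_contents.

```php
<?php
// Added example, not code from SimpleLoginSecure or CodeIgniter.
// Assumes $CI is the controller instance (get_instance()) with the Session
// library loaded, and that the Cart class keeps its items under the
// session key 'cart_contents' (assumption).

/**
 * Destroy the current session and start a fresh one, carrying over only
 * the cart. Regenerating the session is what protects against session
 * fixation: a session id that existed before login must not become an
 * authenticated session. Copying just the cart keeps that property while
 * avoiding the lost-cart problem from the thread.
 */
function regenerate_session_keeping_cart($CI)
{
    // Snapshot only the pre-login data we deliberately want to keep.
    $cart = $CI->session->userdata('cart_contents');

    // Drop everything else (user_email, logged_in, ...) and get a new id.
    $CI->session->sess_destroy();
    $CI->session->sess_create();

    // Restore the cart into the new session, if there was one.
    if (is_array($cart) && count($cart) > 0) {
        $CI->session->set_userdata('cart_contents', $cart);
    }
}

/** Replacement for the destroy/create pair inside login(). */
function establish_login_session($CI, array $user_data)
{
    regenerate_session_keeping_cart($CI);

    // Never persist the password hash in the session.
    unset($user_data['user_pass']);
    $user_data['user'] = $user_data['user_email'];
    $user_data['logged_in'] = true;
    $CI->session->set_userdata($user_data);
}

/** Logout that clears all user data but lets the shopper keep the cart. */
function logout_keeping_cart($CI)
{
    regenerate_session_keeping_cart($CI);
}
```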