Home/ Questions/Q 6023331
In Process

The Archive Base Latest Questions

Editorial Team
  • 0
Asked: 2026-05-23T03:59:21+00:00

I am currently working on integrating a PHP/MySQL-based e-commerce website I manage with the

  • 0

I am currently working on integrating a PHP/MySQL-based e-commerce website I manage with the RBS Worldpay payment gateway. Here is my problem:

A customer fills up his shopping basket and as he does so, the contents get stored in the $_SESSION global array as well as being stored in a cookie. When the customer checks out he gets sent to the Worldpay pages to put in his payment details. I am using the “Payment response”/callback feature to redirect a successful payment to my own page, “confirmation.php”, which tells the customer all is well, plus does some database queries in the background.

All fine!

HOWEVER, I also at this point wish to empty the shopping cart data from the $_SESSION array as well as get rid of the cookie. So fine, I just use:

$_SESSION['cart'] = array();
setcookie('cart', '', 0, '/');

But this doesn’t work. And it has to do with the fact that the URL for this redirected page is actually https://secure-test.wp3.rbsworldpay.com/wcc/purchase rather than www.mysite.co.uk/confirmation.php.
As a test, I had my confirmation page echo the phpinfo() and from the $_SERVER vars, everything seems to be fine, eg:

_SERVER["DOCUMENT_ROOT"]    /var/www/vhosts/mysite.co.uk/httpdocs
_SERVER["SCRIPT_FILENAME"]  /var/www/vhosts/mysite.co.uk/httpdocs/confirmation.php
_SERVER["SERVER_PROTOCOL"]  HTTP/1.0
_SERVER["REQUEST_METHOD"]   POST
_SERVER["QUERY_STRING"] installation=[xxxxxx]&msgType=authResult
_SERVER["REQUEST_URI"]  /confirmation.php?installation=xxxxxx&msgType=authResult
_SERVER["SCRIPT_NAME"]  /confirmation.php
_SERVER["PHP_SELF"] /confirmation.php
_SERVER["HTTP_USER_AGENT"]  WJHRO/1.0 (WorldPay Java HTTP Request Object)

So it seems that because of the fact that the URL is pointing to a different domain, my script can’t access the $_SESSION and $_COOKIE data, nor manipulate it. I don’t know how this Worldpay system is doing it, it’s not an iframe or anything like that, but I suspect it has to do with the user agent – “WJHRO/1.0 (WorldPay Java HTTP Request Object)”

Is anyone familiar with this? How can I get around this?

Thanks for reading!

Michael

Share

Leave an answer

You must login to add an answer.

Need An Account,

1 Answer

  1. Editorial Team

    When WorldPay finishes processing payment (remember: you do not know what customer did there as all operations with card details were performed on WorldPay’s site) it sends a POST request to you informing with the outcome of transaction (accepted, rejected, customer cancelled etc). It is done directly from their servers and not from customer computer/browser, therefore you cannot match this request with your existing checkout session (I assume you are doing some e-commerce site here) that belongs to the customer.

    When redirecting customer to WorldPay you need to pass additional information together with the required fields. Such fields have MC_ prefix and you can pass quite a few of them (I did this over 2 years ago and do not remember all the details).

    You need to send enough info in those fields (but as less as possible and encrypt them) so when such POST request from WorldPay comes to your confirmation.php you extract those additional fields and restore the session (look towards session_id() and related functions) or something similar (depends how you implement your session handling; in case if session data is stored in DB — that’s even easier — you can easily impersonate the session as long as you know session id) and continue with the checkout.

    Keep in mind, that the output of your confirmation.php will be sent back to WorldPay and not to the customer. WorldPay will process that page first and then display it to the customer. Therefore this page should be VERY simple (very basic interface otherwise some tags can be removed by WorldPay) and it should just redirect your customer back to your website (for example, to real_confirmation.php) where you will have full access to the customer session etc and you will show the proper confirmation page. You can achieve such redirect with simple JavaScript or metatag (e.g. <meta http-equiv="refresh" content="2;url=http://www.example.com/real_confirmation.php">).

    You have to double check this as it was over 2 years as I have coded this and do not currently have all the code with me and situation/rules could change since then (P.S. we are no longer using WorldPay and therefore I cannot confirm that my code would 100% work now — they may have done changes to the whole process since then).

    • 0