
SESSION not being generated for all users

I have some measures in place to block bots or malicious users from abusing my booking form as follows:

  1. Add their IP address into the form on the first page and then on page 2, read it into the SESSION.

  2. When they process payment, check their IP address against the one in the SESSION to validate they have gone through the process and not just a bot POSTing directly to the process payment page – if no IP is found, redirect back to the first page.

  3. Each time the process payment page is requested, increment the IP address counter and if they reach 5 attempts – add their IP address to the blacklist and also add their email to the bannedEmails list.

This works ok BUT I have noticed that legitimate users are also being blocked because no SESSION is present.

I have the form sitting on domain1.com and it is loaded into an iframe over the WordPress site.

I have two other websites – domain2.com and domain3.com – which both load the same form from domain1.com into an iframe over their respective websites, but I found that Chrome won't allow SESSIONs to be created cross-site so users were getting blocked, so now I just open the booking page directly from each of these sites into a new browser window.

This seemed to fix the problem in testing BUT some SESSIONs are still not being loaded.

Why is the SESSION only randomly generated, and how can I either force the SESSION or use an alternate method of validation?

    PHP

2 Comment(s)

@NogDog, Oct 13, 2022 — That iframe and different domain stuff is going to be a problem with the session cookies, due to how the latest versions of most browsers now actively prevent exchange of 3rd-party cookies and such. I had to change some stuff on a legacy app some time ago, but don't recall specifically what I did; but it looks like this article might do a decent job of explaining the issue and maybe will point you in the right direction: https://web.dev/samesite-cookies-explained/
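Putting NogDog's cookie point and the poster's page-1 / payment-page flow together, here is an added example (not code from this thread) of the two pieces a booking form like this needs: session cookie parameters that survive being loaded cross-site, and a per-form token check that does not depend on the client's IP address staying the same between pages. It assumes PHP 7.3+ (array form of `session_set_cookie_params`), HTTPS on domain1.com, and hypothetical paths `/booking/page1.php`.

```php
<?php
// Added example, not the poster's code. Cookie params must be set BEFORE
// session_start(). A form loaded in an iframe from another origin only gets
// its session cookie sent back if the cookie is SameSite=None AND Secure;
// browsers that block all third-party cookies will still refuse it, which is
// why opening the form in its own window avoids the problem entirely.
session_set_cookie_params([
    'lifetime' => 0,
    'path'     => '/',
    'secure'   => true,      // required whenever SameSite=None is used
    'httponly' => true,
    'samesite' => 'None',    // use 'Lax' once the form is no longer iframed
]);
session_start();

// Page 1: issue a random token, keep it in the session, embed it in the form
// as <input type="hidden" name="token" value="...">.
function issue_form_token(): string
{
    $token = bin2hex(random_bytes(32));
    $_SESSION['booking_token'] = $token;
    $_SESSION['booking_token_issued'] = time();
    return $token;
}

// Payment page: accept the POST only if it carries the token issued on page 1.
// This replaces the IP comparison, which wrongly rejects users whose address
// changes between pages (mobile networks, proxies) and conflates everyone
// behind one shared NAT address.
function verify_form_token(array $post, int $max_age = 1800): bool
{
    if (empty($_SESSION['booking_token']) || empty($post['token'])) {
        return false;   // no session or no token: send back to page 1
    }
    if (time() - (int) ($_SESSION['booking_token_issued'] ?? 0) > $max_age) {
        return false;   // stale token: the user must start over
    }
    // Constant-time comparison so the check does not leak token bytes.
    return hash_equals($_SESSION['booking_token'], (string) $post['token']);
}

if ($_SERVER['REQUEST_METHOD'] === 'POST' && !verify_form_token($_POST)) {
    header('Location: /booking/page1.php', true, 303);   // hypothetical path
    exit;
}
```

The IP-attempt counter from step 3 can stay as a separate rate limit; the token check is what proves the request came through page 1.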
@php-bgrader (author), Oct 14, 2022 — I'm not using an iframe from a different domain anymore but the issue persists.