Security Information warning after PayPal
Security Information warning after PayPal
I have an issue with paypal, I think? I do a lot of queries and inserts into mysql database. Everything works fine and very quickly until I go to paypal for a purchase item.
I have paypal set to return to a php file either “success” or “failure” for transaction.
If I cancel transaction, for testing, I start getting a “This page contains both secure and non-secure items.” Why are these showing up on every webpage! If I click “No” my page comes up quickly – if I select “Yes” my page shows very, very, VERY slow!
Plus I lose valuable $_SESSION variables coming back from PayPal no matter if I click "Yes" or "No".
I am using a simple “Buy Now” button provided by PayPal.
Help! I do not even know where to look. I host on iPower which is a secure server. Everything works fine until I go to PayPal and try to come back.
Steve
- kaisellgren
- DevNet Resident
- Posts: 1675
- Joined: Sat Jan 07, 2006 5:52 am
- Location: Lahti, Finland.
Re: Security Information warning after PayPal
Does your site operate under HTTPS? If you switch between HTTPS and HTTP then you probably lose your $_SESSION data.
The warning is caused by contents on the page (such as images, scripts, stylesheets) that are not loaded via HTTPS.
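Added example, not code from the thread: a small PHP scanner that lists the subresources which trigger this warning on an HTTPS page. Relative references such as `img/image.jpg` inherit the page's scheme and are not reported; the function name and the example.com sample page are constructed for illustration.

```php
<?php
/**
 * Return the tags whose src/href is an absolute http:// URL. On a page
 * served over HTTPS these are the "non-secure items" in the warning.
 */
function find_insecure_subresources(string $html): array
{
    $doc = new DOMDocument();
    libxml_use_internal_errors(true); // real-world HTML is rarely well-formed
    $doc->loadHTML($html);
    libxml_clear_errors();

    // tag => attribute that makes the browser fetch something
    $targets = [
        'img' => 'src', 'script' => 'src', 'iframe' => 'src',
        'embed' => 'src', 'link' => 'href',
    ];
    $found = [];
    foreach ($targets as $tag => $attr) {
        foreach ($doc->getElementsByTagName($tag) as $el) {
            // <link> only loads content for stylesheets and icons
            if ($tag === 'link'
                && !preg_match('/stylesheet|icon/i', $el->getAttribute('rel'))) {
                continue;
            }
            $url = trim($el->getAttribute($attr));
            if (stripos($url, 'http://') === 0) {
                $found[] = "<$tag $attr=\"$url\">";
            }
        }
    }
    return $found;
}

// Constructed sample page; the example.com host is a placeholder.
$sample = <<<HTML
<html><head>
<link rel="stylesheet" href="http://www.example.com/style.css">
<script src="https://www.example.com/app.js"></script>
</head><body>
<img src="img/image.jpg">
<img src="http://www.example.com/img/banner.jpg">
</body></html>
HTML;

foreach (find_insecure_subresources($sample) as $hit) {
    echo $hit, PHP_EOL;
}
```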
Re: Security Information warning after PayPal
Thanks for the response, Kai.
I believe it operates under HTTPS. When I come out of Paypal the returning php address is an HTTPS://www.... address and it goes to the correct page. Would this indicate that my website can operate under HTTPS?
Do you believe if I change all pages to reference an HTTPS address instead of just HTTP this will fix the issue?
What about my actual .com name? It is http://www.ugodtext.com. Does this need changed also? When I call for images in my php's or htmls, I just use a path such as “src=img/image.jpg”. Is this a problem, also? Must I change all these to a https://www.home.com/image/image.jpg?
I really appreciate your help.
Steve
- kaisellgren
Re: Security Information warning after PayPal
If the URI is https://, then the site is loaded under HTTPS. Is the link you gave your actual website? If it is so, then it seems you have an invalid certificate on it (https://ugodtext.com).
I wonder why PayPal returns to a https:// version of your website. Did you ask for this?
Re: Security Information warning after PayPal
Kai -
My domain name is http://www.ugodtext.com - I did not specify a http or a https. Unless you mean when I specify what it is at paypal. But yes - I have gotten the incorrect certificate warning from paypal.
I used the return address to my success.php when I set up paypal as https://www... because the paypal button form suggested the https://www... instead of just http://www...
If I change that return path with http:// instead of https:// would that fix the issue? But would it be secure?
Steve
- kaisellgren
Re: Security Information warning after PayPal
Switch the return address to http://, because you don't even have a valid certificate there, so, https:// is pretty much useless. In order for HTTPS to work, you need to buy a certificate for it.
Re: Security Information warning after PayPal
Thanks Kai –
I did that and it worked.
New issue is I set session variables when people log in so I can track a number of things. When I come back from paypal, it changes my current sessionID!! So all my variables under the old sessionID are not used!
But – if I re-login without leaving the website, my session variable becomes the one that paypal sent. If I now go back to paypal, it keeps the same session variable and when I come back from paypal everything works fine.
Is there a special paypal session variable that needs to be set before going to paypal?
Steve
- kaisellgren
Re: Security Information warning after PayPal
dsmman wrote: New issue is I set session variables when people log in so I can track a number of things. When I come back from paypal, it changes my current sessionID!! So all my variables under the old sessionID are not used!
Is the session identifier in the URI?
Re: Security Information warning after PayPal
Kai –
I am a little lost with this question. In which url are you talking about? Where would I put it? How would I put it in a url?
As you can tell, I am not an experienced programmer, but trying to learn.
The call to PayPal is through a form. Is this where I put the sessionID? How do I do that?
Steve
- kaisellgren
Re: Security Information warning after PayPal
I was wondering if you did put something in the URI, I don't want you to put anything there.
You said that when you come back from PayPal (the page that redirects from PayPal's domain to yours?) will change the session identifier. How are you so certain about this? Try
Code:
echo session_id();
on the pages so you see if the identifier really changed.
Re: Security Information warning after PayPal
Kai –
I appreciate all your help!
I know the session id changes because I echo it to the screen before and after I go to paypal.
In my testing I have found out a few other things:
1) Using Internet Explorer (IE) 6.0 from my XP laptop my script doesn’t work correctly.
2) Using (IE) 6.0 from my XP computer my script works correctly.
3) Using (IE) 6.0 from my WIN98 computer my script works correctly.
4) My brother’s XP works fine with IE 6.0
5) A friend’s XP computer using Firefox doesn’t work
I even have tried setting cookies, but that doesn’t work. When I set cookies before I go to paypal they are correct with my PHPSESSID and that gets changed after paypal.
When I return from paypal to my “success” script, the first line in my php is testing if there is a session_id. If not, then run session_start(). When returning from paypal, my success php believes it must start the session again which begins a new one.
I need a better solution. I may have to use PayPal’s PDT option, but I think that will require SSL stuff and I don’t want to do that.
I think I am screwed!
Thanks again, Kai. I really don’t know which direction to go with this.
Steve
Re: Security Information warning after PayPal
see next post
Last edited by dsmman on Wed Feb 17, 2010 4:30 pm, edited 1 time in total.
Re: Security Information warning after PayPal
Kai –
I stumbled onto my paypal issue fix! I believe I have fixed the problem. At least my testing looks good.
PROBLEM:
When paypal linked back to my website, my sessionID was getting reset.
I provided two return pages for paypal. One page for success and one page for failure.
Both pages were entered as: http://www.ugodtext/success.php and http://www.ugodtext/failure.php.
In all of my php code, I use relative paths for calls to other php scripts. So when I call my login.php from my main page, the link is “./login.php”.
The login php was calling the first session_start() that would set my sessionID.
When I came back from paypal, my success.php or failure.php would check if sessionID was set. If not then start one. It would always start a new session!
I believe on some browsers, since I started my first session from a relative path call (./login.php) and then a session was checked from a “direct path” call by paypal (http://www.ugodtext.com/success.php), they were determined to be a different session by php!
SOLUTION:
I changed the call to my login.php from my main page to http://www.ugodtext.com/login.php. Everything works now when the return comes from paypal!!
On some browsers and systems, php sees a difference between a relative call to a script (“./login.php”) and a direct call (http://www.ugodtext.com/login.php) and deemed them to be a new session even though they are from the same domain.
I thank you for all your help!
Steve
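Added example, not code from the thread: PHP finds a session through the PHPSESSID cookie, and with PHP's default settings a browser returns that cookie only to the exact host name that set it (and, for a Secure cookie, only over https://), so a login on one host name followed by a PayPal return URL on another yields two session IDs. The bootstrap below pins every request to one host name before calling session_start(); the file name, the CANONICAL_HOST placeholder and the function names are hypothetical, and the array form of session_set_cookie_params() assumes PHP 7.3 or later.

```php
<?php
// session_bootstrap.php (hypothetical name): require it first in login.php,
// success.php and failure.php so all of them share one cookie scope.

// Placeholder: the single host name used in links and in PayPal's return URLs.
const CANONICAL_HOST = 'www.example.com';

/** Return the URL to redirect to, or null when the host is already canonical. */
function canonical_redirect(string $host, string $uri, bool $https): ?string
{
    $host = strtolower(preg_replace('/:\d+$/', '', $host)); // drop any port
    if ($host === CANONICAL_HOST) {
        return null;
    }
    if ($uri === '' || $uri[0] !== '/') {
        $uri = '/'; // only ever redirect to a path on our own host
    }
    return ($https ? 'https' : 'http') . '://' . CANONICAL_HOST . $uri;
}

function start_site_session(): void
{
    $https = !empty($_SERVER['HTTPS']) && $_SERVER['HTTPS'] !== 'off';
    $target = canonical_redirect(
        $_SERVER['HTTP_HOST'] ?? '', $_SERVER['REQUEST_URI'] ?? '/', $https
    );
    if ($target !== null) {
        header('Location: ' . $target, true, 301);
        exit;
    }
    session_set_cookie_params([
        'lifetime' => 0,
        'path'     => '/',
        'secure'   => $https, // a Secure cookie is never sent over http://
        'httponly' => true,
        'samesite' => 'Lax',  // sent on a top-level GET back from PayPal, not on a cross-site POST
    ]);
    session_start();
}

if (PHP_SAPI === 'cli') {
    // Constructed requests: bare host name, then the canonical one.
    var_dump(canonical_redirect('example.com', '/success.php', false));
    var_dump(canonical_redirect('www.example.com:80', '/success.php', false));
} else {
    start_site_session();
}
```

Printing session_id() after this include on both login.php and success.php gives the before-and-after comparison suggested earlier in the thread.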
Re: Security Information warning after PayPal
How can I verify a bank account to my PayPal account that is already linked to a different PayPal account? I have received $$$ in my PayPal account but cannot access the $$$ because I cannot verify my bank account. When I try to plug in my bank routing and account # to get verified, it goes to the screen that tells me "that account is linked to a different account and for security reasons two accounts cannot be linked to the same PayPal account" I just want the $$$.
______________________
affiliateelite ~ affiliateelite.com ~ adgooroo ~ adgooroo.com
Last edited by boumani on Thu Mar 04, 2010 5:21 am, edited 1 time in total.
Re: Security Information warning after PayPal
I think you will need to put a friend's bank account number in (if you can trust them) and send the money to them. Then get it from them.
Or else modify the bank account of the other login before trying yours.