Foxy Forum Status

We're no longer responding to questions via our forum, but we will keep it up for historical reasons. If you can't find the answer you're looking for, please visit our knowledge base or contact us. If there's enough interest in the future, we may bring the forum back.

SSO auto login on return after sale completion.

michaelmichael Member
in Help edited January 2013

In the flow of when a non-logged in user gets sent from SITE to foxycart:
* The instant notification is sent back to SITE when the user is created on foxycart.
* From this information the users account on SITE is created.
* the user clicks the 'continue' button to return to SITE.

The user is asked for their password.
The user thinks ".....ummmmm?"

The user is logged in to the account that just got created for them in the background and now belongs to them.

How do I log that user in?

Places I have thought of so far:
* perhaps the fcsid is sent back when the user comes back via the 'continue' link. Try to use that to match up the user. (fcsid doesn't come back at that point.)
* perhaps i could create the user before they go to foxycart during the SSO check phase then start a session for them then and fill it in with the info from the instant notification. (but that leaves the possibility that they wont complete the transaction and I will have an unknown user in the system with no details about them and they are logged in. seams like a backdoor inviting spam.)

What is everyone else doing in this situation? Sending out the password and asking the user to log back in again after purchase?
  • This is what I'm thinking now.

    // set a key to the database during the SSO redirect
    // set the value as a cookie at that same point
    // send the key to cart so it comes back in the instant notification
    // update the database as key is ACTIVE
    // when the user returns to the site check the key against the cookie and if both align,
    // log the user in with the account that was created by the instant notification during the transaction.
    // send the user to the page to retreive their purchase.

    I'm expecting this will work. Let you know as i go.

  • fc_adamfc_adam FoxyCart Team
    Hey Michael,

    Generally if you're wanting the user logged in on your end, this is what we'd recommend: Require the user create an account on your site before they can proceed to checkout - which you can ensure in your SSO endpoint. Basically if the user isn't logged in at the point of the SSO endpoint, redirect to the login/signup page.

    It could be possible to set up a one-time use auto-login link using information from the transaction - like a combination of the transaction ID and the time of the transaction - updating the continue URL in the receipt with that information. Then, utilising the XML datafeed save that information on your end so when the customer clicks the link you can validate it on your end that the user is correct and can be logged in. It would require testing - to make sure that the XML datafeed is processed quick enough on your end, although you could also use the API to validate that information as well. Or both if the datafeed isn't there yet. The API would definitely get access to the information - if the customer is on the receipt the transaction details will be available in the API.
  • Thanks adam, I was hoping to not have to make the user create an account before proceeding to checkout.

    I think I can get it working if i can pass a var from the SSO check phase to return in the instant notification data.

    Tried these:
    //then redirect to foxycart
        $redirect_complete = '' . $auth_token . '&fcsid=' . $fcsid . '&fc_customer_id=0&timestamp=' . $timestamp .'&__extra='.$user_activate_key.'&h:extra='.$user_activate_key;
        header('Location: ' . $redirect_complete);

    &__extra='.$user_activate_key //didn't come through
    &h:extra='.$user_activate_key //didn't come through

    To try to pass an extra string from the SSO phase through to the 'Instant Notification' but neither of them appeared in that data.

    Is there a way to pass a var from SSO to Instant notification?
  • fc_adamfc_adam FoxyCart Team

    After reaching your checkout page after running through the SSO - could you see that custom value in the fc_json cart object on the checkout? You'll want to just use "h:", as "__" wouldn't include it in the session data.
  • I am able to pass info using "h:" if i add it at the time when the item is going into the cart.

    It doesn't seam to work if its set at the 'your system' phase of SSO from this page:[]=sso#best_practiceshow_to_approach_a_sso_integration
    FoxyCart → your system → FoxyCart

    Im addin the "h:" to the url there so when i arrive at the cart the url is:×tamp=1359429124&h:extra=f50927790d31454cd439e8c7b32089e5

    the "h:extra" is there then. but when the data comes back that info is not in the data.
    (here is a screenshot of my debugger info on the 'instant notification')

    I'd rather not set it at the point where the customer puts stuff in their cart as they could put multiple things in their cart before going to checkout.

    That SSO point would be perfect if its possible.
  • fc_adamfc_adam FoxyCart Team

    Ah sorry - you'll want to initiate a cart request from within your SSO endpoint - which you could do via a CURL request. Essentially instead of hitting the API you'd use CURL to hit the cart with your session attribute in the add to cart URL.
  • @fc_adam,

    Champion. That works. :)

    Here's the code in case its useful to someone else:
    //pass in some extra info to the cart
    $extra = '123456';
    //send the key to cart so it comes back in the instant notification via a CURL request.
    $foxy_domain         = '';
    $foxyData            = array();
    $foxyData["h:extra"] = $extra;
    $foxyData["fcsid"]   = $fcsid;
    $foxyData["output"]  = 'json';
    $ch = curl_init();
    curl_setopt($ch,CURLOPT_URL,"https://"; . $foxy_domain . "/cart");
    // If you get SSL errors, you can uncomment the following, or ask your host to add the appropriate CA bundle
    // curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, false);
    $response = json_decode(trim(curl_exec($ch)),true);
    if ($response['custom_fields']['extra'] == $extra) {
    } else {
Sign In or Register to comment.