Hi,
For anyone who may be interested, I finally managed to track down where this is going wrong.
In application_top.php, we have the following piece of code :-
    if (SESSION_FORCE_COOKIE_USE == 'True') {
        // Plant a test cookie on the first request
        if (!isset($HTTP_COOKIE_VARS['cookie_test'])) {
            tep_setcookie('cookie_test', 'please_accept_for_session', time()+60*60*24*30, $cookie_path, $cookie_domain);
        }
        // Only start the session once the client has sent the test cookie back
        if (isset($HTTP_COOKIE_VARS['cookie_test'])) {
            tep_session_start();
            $session_started = true;
        }
    }
When the SagePay server was posting the callback, this code was failing, i.e. the "cookie_test" cookie was not being found, even after an attempt to create it. Eventually, the login page was called.
I changed the second test to be :-
    // Also allow the session to start for the gateway callback script
    if ((isset($HTTP_COOKIE_VARS['cookie_test'])) || ($PHP_SELF == 'checkout_process.php')) {
        tep_session_start();
        $session_started = true;
    }
and the code works OK (it always had a valid oscid).
Checking the referrer is indeed the SagePay production server will make sure this only works for callbacks from that site.
If anyone can shed some light on why the setcookie fails, I would be interested to know.
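The following is an added example, not code from the post above or from osCommerce itself. It factors the session-start gate into a function so the two inputs that differ between a browser request and a SagePay server callback (the cookie jar and the script being called) can be compared side by side, which also shows why the cookie test fails for the callback: the gateway's HTTP client receives the Set-Cookie that tep_setcookie() sends but never replays it. The exemption for checkout_process.php is tied to the session id being present in the request rather than to the Referer header (which is supplied by whatever client makes the request); the parameter name 'osCsid', the id pattern and the sample requests are assumptions constructed for illustration.

```php
<?php
// Added example (not from the original post or osCommerce): the session-start
// gate from application_top.php as a pure function of the request.
//
// Assumptions: the session id parameter name 'osCsid', the accepted id
// pattern, and the sample requests below are constructed for illustration.

function tep_should_start_session(array $cookie_vars, string $php_self, array $request_vars): bool
{
    // Original rule: start a session only once the client has echoed
    // back the 'cookie_test' cookie planted on an earlier request.
    if (isset($cookie_vars['cookie_test'])) {
        return true;
    }

    // Exemption from the post: checkout_process.php is the script the
    // payment gateway posts its callback to. A server-to-server callback
    // carries no browser cookie jar, so it can never pass the test above.
    // Only exempt it when a plausible session id is actually supplied, so
    // the exemption does not open an empty session for any request that
    // happens to name that script.
    if ($php_self === 'checkout_process.php'
        && isset($request_vars['osCsid'])
        && preg_match('/^[A-Za-z0-9,-]{1,128}$/', $request_vars['osCsid'])) {
        return true;
    }

    return false;
}

// Constructed sample requests.
$samples = [
    'browser' => [
        'cookies'  => ['cookie_test' => 'please_accept_for_session'],
        'php_self' => 'shopping_cart.php',
        'request'  => [],
    ],
    'gateway callback' => [
        'cookies'  => [],                            // gateway client sends no cookies
        'php_self' => 'checkout_process.php',
        'request'  => ['osCsid' => 'a1b2c3d4e5f6'],  // constructed session id
    ],
    'no session id' => [
        'cookies'  => [],
        'php_self' => 'checkout_process.php',
        'request'  => [],                            // stays rejected
    ],
];

foreach ($samples as $label => $r) {
    $ok = tep_should_start_session($r['cookies'], $r['php_self'], $r['request']);
    echo str_pad($label, 18) . ($ok ? 'start session' : 'do not start session') . PHP_EOL;
}
```

Run it with the PHP CLI: the browser request and the gateway callback both get a session, while a cookieless request to checkout_process.php without a session id does not.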