Post by akadirabus » Wed Feb 24, 2021 2:33 am

I am developing a payment module. I am in the final phase. OCSESSID information changes on the page where I direct the user after the payment transaction. That's why I can't access the information. This happens on an average of 40 percent of orders. I did a lot of research but could not find the solution.


Post by paulfeakins » Wed Feb 24, 2021 6:57 pm

akadirabus wrote:
Wed Feb 24, 2021 2:33 am
I am developing a payment module. I am in the final phase. OCSESSID information changes on the page where I direct the user after the payment transaction. That's why I can't access the information. This happens on an average of 40 percent of orders. I did a lot of research but could not find the solution.
Why do you need it to stay the same?

UK OpenCart Hosting | OpenCart Audits | OpenCart Support - please email info@antropy.co.uk



Post by ADD Creative » Wed Feb 24, 2021 7:55 pm

akadirabus wrote:
Wed Feb 24, 2021 2:33 am
I am developing a payment module. I am in the final phase. OCSESSID information changes on the page where I direct the user after the payment transaction. That's why I can't access the information. This happens on an average of 40 percent of orders. I did a lot of research but could not find the solution.
If you are directing the customer back with a POST you will lose session due to the SameSite default now being Lax for modern web browsers. Direct the customer back with a GET or configure your OCSESSID cookie to have SameSite None and Secure. viewtopic.php?f=202&t=219633#p797082

www.add-creative.co.uk



Post by akadirabus » Wed Feb 24, 2021 10:43 pm

To use user information and order information after payment, and it is a very negative situation in terms of user experience.
paulfeakins wrote:
Wed Feb 24, 2021 6:57 pm
akadirabus wrote:
Wed Feb 24, 2021 2:33 am
I am developing a payment module. I am in the final phase. OCSESSID information changes on the page where I direct the user after the payment transaction. That's why I can't access the information. This happens on an average of 40 percent of orders. I did a lot of research but could not find the solution.
Why do you need it to stay the same?


Post by akadirabus » Wed Feb 24, 2021 10:47 pm

I've tried it before but it didn't work.
I can't find a solution on this issue. This is the only one left. The product is ready, but we don't want to complete it without fixing this problem.
ADD Creative wrote:
Wed Feb 24, 2021 7:55 pm
akadirabus wrote:
Wed Feb 24, 2021 2:33 am
I am developing a payment module. I am in the final phase. OCSESSID information changes on the page where I direct the user after the payment transaction. That's why I can't access the information. This happens on an average of 40 percent of orders. I did a lot of research but could not find the solution.
If you are directing the customer back with a POST you will lose session due to the SameSite default now being Lax for modern web browsers. Direct the customer back with a GET or configure your OCSESSID cookie to have SameSite None and Secure. viewtopic.php?f=202&t=219633#p797082


Post by ADD Creative » Thu Feb 25, 2021 12:47 am

akadirabus wrote:
Wed Feb 24, 2021 10:47 pm
I've tried it before but it didn't work.
I can't find a solution on this issue. This is the only one left. The product is ready, but we don't want to complete it without fixing this problem.
Have you used your web browser's development tools network tab, cookie inspector and error messages?

www.add-creative.co.uk



Post by akadirabus » Thu Feb 25, 2021 3:14 am

I checked the console. I attached the warning content. I tried again in the link you sent.

I got the same warning but this time when I go to any link, the user session has resumed. I could not understand. In other words, when I am directed to the successful page, I encounter incorrect OCSESSID, but when I click on another link from the same page, OCSESSID changes and it actually happens.

Warning is available on the link

https://www.notion.so/Warning-65a684e15 ... 4fd501c5e9
ADD Creative wrote:
Thu Feb 25, 2021 12:47 am
akadirabus wrote:
Wed Feb 24, 2021 10:47 pm
I've tried it before but it didn't work.
I can't find a solution on this issue. This is the only one left. The product is ready, but we don't want to complete it without fixing this problem.
Have you used your web browser's development tools network tab, cookie inspector and error messages?


Post by ADD Creative » Thu Feb 25, 2021 4:02 am

akadirabus wrote:
Thu Feb 25, 2021 3:14 am
I checked the console. I attached the warning content. I tried again in the link you sent.

I got the same warning but this time when I go to any link, the user session has resumed. I could not understand. In other words, when I am directed to the successful page, I encounter incorrect OCSESSID, but when I click on another link from the same page, OCSESSID changes and it actually happens.

Warning is available on the link

https://www.notion.so/Warning-65a684e15 ... 4fd501c5e9
Do you return to your payment success page with a POST or a GET?
Is your site using HTTPS everywhere?
What version of OpenCart?
What version of PHP?

www.add-creative.co.uk



Post by akadirabus » Thu Feb 25, 2021 4:51 am

Return with GET method.
Not HTTPS, my server is HTTP. Could it be because of HTTP?
Version: 3.0.3.7
PHP: 7.1
ADD Creative wrote:
Thu Feb 25, 2021 4:02 am
akadirabus wrote:
Thu Feb 25, 2021 3:14 am
I checked the console. I attached the warning content. I tried again in the link you sent.

I got the same warning but this time when I go to any link, the user session has resumed. I could not understand. In other words, when I am directed to the successful page, I encounter incorrect OCSESSID, but when I click on another link from the same page, OCSESSID changes and it actually happens.

Warning is available on the link

https://www.notion.so/Warning-65a684e15 ... 4fd501c5e9
Do you return to your payment success page with a POST or a GET?
Is your site using HTTPS everywhere?
What version of OpenCart?
What version of PHP?


Post by kestas » Thu Feb 25, 2021 5:40 am

If I correctly understand, you need old session_id... I don't know why, but you can add current session_id when order is placed to your return link something like this:

Code: Select all

$return_url = $this->url->link('extension/payment/your_payment_module/backToShop&order_secret=' . $this->session->getId());
and if you use GET method retrieve it:

Code: Select all

if (isset($this->request->get['order_secret'])) {
    $order_secret = $this->request->get['order_secret'];
} else {
    $order_secret = '';
}
Where order_secret will be your old session_id...

Custom OpenCart modules and solutions. You can write PM with additional questions... Extensions you can find here



Post by ADD Creative » Thu Feb 25, 2021 8:13 am

akadirabus wrote:
Thu Feb 25, 2021 4:51 am
Return with GET method.
Not HTTPS, my server is HTTP. Could it be because of HTTP?
Version: 3.0.3.7
PHP: 7.1
If you are not using HTTPS then SameSite=None will not work as this needs the Secure flag and that will stop the cookie being read if the connection is not secure. If you are returning with a GET then the default of SameSite=Lax should work anyway. The PHP 7.1 setcookie function works differently to 7.3 so if you did want to set SameSite you have to do it in a slightly different way.

You can use the Chrome developer tools network tab to see what is happening with your cookies when you return to the success page. Use the "Has blocked cookies" option to check if the problem is with cookies. See: https://www.chromium.org/updates/scheme ... work-Panel

www.add-creative.co.uk
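
An added example, not part of the original post or of OpenCart's code: one way to emit a session cookie whose attributes follow the rules described above on both PHP 7.1 and PHP 7.3+. The function names and sample values are assumptions; the PHP 7.1 branch sends the header directly because its setcookie() has no samesite option.

```php
<?php
// Added example, not OpenCart core code: emit a session cookie whose
// SameSite/Secure attributes are valid on PHP 7.1 and on PHP 7.3+.

/** Build the Set-Cookie value; refuse combinations browsers reject. */
function build_session_cookie($name, $value, $is_https, $samesite = 'Lax')
{
    $samesite = ucfirst(strtolower($samesite));
    if (!in_array($samesite, ['Lax', 'Strict', 'None'], true)) {
        throw new InvalidArgumentException('Unknown SameSite value');
    }
    if ($samesite === 'None' && !$is_https) {
        throw new LogicException('SameSite=None needs Secure, and Secure needs HTTPS');
    }
    $header = $name . '=' . rawurlencode($value) . '; Path=/; HttpOnly';
    if ($is_https) {
        $header .= '; Secure'; // never mark the cookie Secure on a plain-HTTP shop
    }
    return $header . '; SameSite=' . $samesite;
}

function send_session_cookie($name, $value, $is_https, $samesite = 'Lax')
{
    $header = build_session_cookie($name, $value, $is_https, $samesite); // validates
    if (PHP_VERSION_ID >= 70300) {
        // PHP 7.3+: setcookie() takes an options array that includes 'samesite'.
        return setcookie($name, $value, [
            'path'     => '/',
            'secure'   => $is_https,
            'httponly' => true,
            'samesite' => ucfirst(strtolower($samesite)),
        ]);
    }
    // PHP 7.1/7.2: setcookie() has no 'samesite' option, so send the header.
    // Passing false appends rather than replacing other Set-Cookie headers.
    header('Set-Cookie: ' . $header, false);
    return true;
}

// Constructed values: an HTTP-only shop asking for SameSite=None is refused.
try {
    build_session_cookie('OCSESSID', 'abc123', false, 'None');
} catch (LogicException $e) {
    echo 'refused: ', $e->getMessage(), PHP_EOL;
}
echo build_session_cookie('OCSESSID', 'abc123', false, 'Lax'), PHP_EOL;
```

The cookie should be changed at the one place where it is already set, since a second Set-Cookie for the same name with different attributes leaves the browser holding two cookies.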



Post by ADD Creative » Thu Feb 25, 2021 8:20 am

kestas wrote:
Thu Feb 25, 2021 5:40 am
If I correctly understand, you need old session_id... I don't know why, but you can add current session_id when order is placed to your return link something like this:

Code: Select all

$return_url = $this->url->link('extension/payment/your_payment_module/backToShop&order_secret=' . $this->session->getId());
and if you use GET method retrieve it:

Code: Select all

if (isset($this->request->get['order_secret'])) {
    $order_secret = $this->request->get['order_secret'];
} else {
    $order_secret = '';
}
Where order_secret will be your old session_id...
Be careful passing session IDs like this as it can lead to session fixation issues.

www.add-creative.co.uk
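
An added example, not from any poster or from OpenCart: the session fixation risk mentioned above comes from accepting a session ID out of the URL, so this code carries a signed, expiring order reference in the return link instead. The helper names, the TTL, the secret and the order number are assumptions.

```php
<?php
// Added example (hypothetical helper names, not OpenCart API).
// The return URL carries "order_id.issued_at.hmac" and never a session ID.

const TOKEN_TTL = 900; // seconds the return link stays valid (assumed value)

function make_return_token($order_id, $secret, $now)
{
    $payload = (int)$order_id . '.' . (int)$now;
    return $payload . '.' . hash_hmac('sha256', $payload, $secret);
}

/** Returns the order ID if the token is authentic and fresh, otherwise null. */
function verify_return_token($token, $secret, $now)
{
    $parts = explode('.', (string)$token);
    if (count($parts) !== 3 || !ctype_digit($parts[0]) || !ctype_digit($parts[1])) {
        return null;                        // malformed
    }
    list($order_id, $issued, $mac) = $parts;
    $expected = hash_hmac('sha256', $order_id . '.' . $issued, $secret);
    if (!hash_equals($expected, $mac)) {    // constant-time comparison
        return null;                        // tampered or forged
    }
    if ($now < (int)$issued || $now - (int)$issued > TOKEN_TTL) {
        return null;                        // outside the validity window
    }
    return (int)$order_id;
}

// Constructed demo values.
$secret = 'replace-with-a-long-random-server-side-secret';
$now    = 1614200000;
$token  = make_return_token(1042, $secret, $now);

var_dump(verify_return_token($token, $secret, $now + 60));    // fresh token
var_dump(verify_return_token($token, $secret, $now + 3600));  // past the TTL
$altered = preg_replace('/^1042/', '1043', $token);           // order ID changed
var_dump(verify_return_token($altered, $secret, $now + 60));
```

The token only identifies the order; the customer's session still comes from the OCSESSID cookie, and nothing received in the URL is ever written into that cookie.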



Post by kestas » Thu Feb 25, 2021 2:52 pm

ADD Creative wrote:
Thu Feb 25, 2021 8:20 am

Be careful passing session IDs like this as it can lead to session fixation issues.
@ADD Creative, Yes, you are right.
To prevent that, OP can read: https://stackoverflow.com/questions/508 ... -hijacking

Custom OpenCart modules and solutions. You can write PM with additional questions... Extensions you can find here



Post by akadirabus » Thu Feb 25, 2021 2:55 pm

I have tried. I moved session_id like this.

Code: Select all

        $url_fail            = $this->url   ->link('extension/payment/x/fail&oid=' . $this->session->data['order_id'] . "&us=" . $this->session->getId());
        $url_ok              = $this->url   ->link('extension/payment/x/success&oid=' . $this->session->data['order_id']. "&us=" . $this->session->getId());
and set session_id like this

Code: Select all

        $session_id = $_GET['us'];

        setcookie('OCSESSID', $session_id, ['samesite' => 'None', 'secure' => true]);
Two different cookies occurred. You can look at the link.

https://www.notion.so/Warning-65a684e15 ... 4fd501c5e9
kestas wrote:
Thu Feb 25, 2021 5:40 am
If I correctly understand, you need old session_id... I don't know why, but you can add current session_id when order is placed to your return link something like this:

Code: Select all

$return_url = $this->url->link('extension/payment/your_payment_module/backToShop&order_secret=' . $this->session->getId());
and if you use GET method retrieve it:

Code: Select all

if (isset($this->request->get['order_secret'])) {
    $order_secret = $this->request->get['order_secret'];
} else {
    $order_secret = '';
}
Where order_secret will be your old session_id...


Post by ADD Creative » Thu Feb 25, 2021 8:29 pm

akadirabus wrote:
Thu Feb 25, 2021 2:55 pm
I have tried. I moved session_id like this.

Code: Select all

        $url_fail            = $this->url   ->link('extension/payment/x/fail&oid=' . $this->session->data['order_id'] . "&us=" . $this->session->getId());
        $url_ok              = $this->url   ->link('extension/payment/x/success&oid=' . $this->session->data['order_id']. "&us=" . $this->session->getId());
and set session_id like this

Code: Select all

        $session_id = $_GET['us'];

        setcookie('OCSESSID', $session_id, ['samesite' => 'None', 'secure' => true]);
Two different cookies occurred. You can look at the link.

https://www.notion.so/Warning-65a684e15 ... 4fd501c5e9
You will have 2 different cookies as the cookie is already set in catalog/controller/startup/session.php. Passing the session this way is not the way to solve your problem and will only cause you more issues.

I can see from your screenshot that you are using the cookie secure flag but you have said you are not using HTTPS. This is not correct.
See the post here on how to debug your issue. viewtopic.php?p=815175#p815175

www.add-creative.co.uk

