Guest ebourqui Posted July 13, 2006

Hello all,

I am using PayPal Express Checkout in my store (CC 3.0.10), and it works very well until the buyer is returned from the PayPal site to my store for the Confirmation Page. Here, they hit a small inconvenience, where if they have not checked the checkbox to Remember Me for their login, the Confirmation Page says "You must login to view this page." It seems a bit annoying to have to log in again, just to see the "We got your order" page.

I have found that line 68 of includes/session.inc.php is the culprit, setting the customer_id to 0 in the session, so that it no longer matches when they return:

    if(!isset($_COOKIE['ccRemember'])) { $sessData["customer_id"] = 0; }

I have changed this to (one line):

    if(!isset($_COOKIE['ccRemember']) && strpos($sessData["location"], 'modules/gateway/ExpressCheckout/return.php?token=') == FALSE) { $sessData["customer_id"] = 0; }

which then shows the user the proper Confirmation Page when they return. All this happens via HTTPS.

Can someone with a more experienced, "big picture" view of CubeCart give me a quick assessment of whether this is the "right" way to do this, and if there are any security issues in this "fix"?

Thanks for all the great support in these forums.

goober999 Posted July 13, 2006

Check all of the URLs in your configurations, both http and https. Make sure that they are all the same. Example:

    http://www.yoursite.com
    https://www.yoursite.com

If your URL changes from http://www.yoursite.com to https://yoursite.com, the cookie will be lost.

If you find that the www is missing from one of your URLs, change the code back, update the URLs and then check the return from PayPal.

Thanks
/Goober

Guest ebourqui Posted July 13, 2006

I looked at my global.inc.php file, as well as the Secure URL settings under General Settings, and ensured that every URL has www. in front of it.

As I go to the PayPal Express Checkout site, I am watching the session in the database, and see that the customer_id stays the same (non-zero), until I click the Confirm Payment button in PayPal. As the browser is returning to my site, I refresh my database viewer, and see that the customer_id has been changed to zero, and through some debugging, I see that the previously-mentioned line 68 is setting it to zero, because I don't have the ccRemember cookie set (which I am assuming is set by the Remember Me checkbox).

    if(!isset($_COOKIE['ccRemember'])) { $sessData["customer_id"] = 0; }

What I can't figure out is why I can log in to the store, then surf to other sites, then return to the store, and I am still logged in, but going to PayPal and back causes the customer_id to go to 0. I believe the session.inc.php file is being called in both cases, but only the PayPal case sets the customer_id to 0.

Another interesting tidbit is that when I get returned to the Confirmation Page from PayPal, I edit the customer_id for the current session, in the database, back to the proper customer id, then hit refresh in the browser, and I see the Thanks For Your Order page, so the session variables and cookies are still correct.
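
An added example, not part of the original posts and not CubeCart code: the location test from the one-line change in the first post, next to a stricter form that parses the URI and uses strict comparisons. It assumes the value is a request URI string like the one held in `$sessData["location"]`; the function names, the `RETURN_SCRIPT` constant and the sample URIs are hypothetical and constructed for illustration.

```php
<?php
// Added example, not CubeCart code. Assumption: $location is a request URI
// string of the kind stored in $sessData["location"].

const RETURN_SCRIPT = 'modules/gateway/ExpressCheckout/return.php';

// Loose form, as in the one-line change: substring match anywhere in the
// string, compared with ==, so a match at offset 0 (strpos returns int 0)
// is treated the same as "not found" (false).
function looseMatch(string $location): bool
{
    return !(strpos($location, RETURN_SCRIPT . '?token=') == false);
}

// Stricter form (hypothetical helper): parse the URI, require the path to end
// with the return script at a directory boundary, and require a non-empty
// token query parameter.
function isExpressCheckoutReturn(string $location): bool
{
    $parts = parse_url($location);
    if ($parts === false || !isset($parts['path'], $parts['query'])) {
        return false;
    }
    $path = ltrim($parts['path'], '/');
    $atBoundary = $path === RETURN_SCRIPT
        || substr($path, -strlen('/' . RETURN_SCRIPT)) === '/' . RETURN_SCRIPT;
    parse_str($parts['query'], $query);
    return $atBoundary && isset($query['token']) && is_string($query['token'])
        && $query['token'] !== '';
}

// Constructed sample URIs: script in a subdirectory, script at offset 0,
// and the script name appearing only inside another page's query value.
$samples = [
    '/store/modules/gateway/ExpressCheckout/return.php?token=EC-EXAMPLE',
    'modules/gateway/ExpressCheckout/return.php?token=EC-EXAMPLE',
    '/store/index.php?ref=modules/gateway/ExpressCheckout/return.php?token=x',
];
foreach ($samples as $uri) {
    printf("%-75s loose=%s strict=%s\n", $uri,
        var_export(looseMatch($uri), true),
        var_export(isExpressCheckoutReturn($uri), true));
}
```

The two forms agree only on the first sample; the other two show where a substring test with `==` and a parsed-path test with `===` diverge.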