Bug fix for PayPal Express Checkout

Guest ebourqui

Hello all, I am using PayPal Express Checkout in my store (CC 3.0.10), and it works very well until the buyer is returned from the PayPal site to my store for the Confirmation Page. Here, they hit a small inconvenience, where if they have not checked the checkbox to Remember Me for their login, the Confirmation Page says "You must login to view this page." It seems a bit annoying to have to log in again, just to see the "We got your order" page.

I have found that line 68 of includes/session.inc.php is the culprit, setting the customer_id to 0 in the session, so that it no longer matches when they return:

if(!isset($_COOKIE['ccRemember'])) { $sessData["customer_id"] = 0; }

I have changed this to (one line):

if(!isset($_COOKIE['ccRemember']) && strpos($sessData["location"], 'modules/gateway/ExpressCheckout/return.php?token=') == FALSE) { $sessData["customer_id"] = 0; }

which then shows the user the proper Confirmation Page when they return. All this happens via HTTPS.

Can someone with a more experienced, "big picture" view of CubeCart give me a quick assessment of whether this is the "right" way to do this, and if there are any security issues in this "fix"?

Thanks for all the great support in these forums.
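On the `== FALSE` test in the modified line above: an added PHP example, not CubeCart code and not written by anyone in this thread, that runs the condition as posted next to a stricter check over a few location strings. `keepsLoginStrict`, the sample values and the way `$sessData["location"]` gets filled are assumptions.

```php
<?php
// Added example (PHP 7+), not CubeCart code. Fragment copied from the post.
const EC_RETURN = 'modules/gateway/ExpressCheckout/return.php?token=';

// The test as posted: true means customer_id is kept.
function keepsLoginAsPosted(string $location): bool
{
    // strpos() returns int 0 for a match at offset 0, and 0 == FALSE is true.
    return !(strpos($location, EC_RETURN) == FALSE);
}

// Hypothetical stricter check: the parsed path must end with the return
// script and the query must carry a non-empty token parameter.
function keepsLoginStrict(string $location): bool
{
    $parts = parse_url($location);
    if ($parts === false || !isset($parts['path'], $parts['query'])) {
        return false;
    }
    parse_str($parts['query'], $query);
    $script = '/modules/gateway/ExpressCheckout/return.php';
    $path   = '/' . ltrim($parts['path'], '/');
    return substr($path, -strlen($script)) === $script
        && isset($query['token'])
        && is_string($query['token'])
        && $query['token'] !== '';
}

// Constructed location values; how $sessData["location"] is filled is assumed.
$samples = [
    'modules/gateway/ExpressCheckout/return.php?token=EC-CONSTRUCTED',
    '/store/modules/gateway/ExpressCheckout/return.php?token=EC-CONSTRUCTED',
    '/index.php?ref=modules/gateway/ExpressCheckout/return.php?token=',
    '/index.php?page=home',
];
foreach ($samples as $loc) {
    printf(
        "posted=%-5s strict=%-5s %s\n",
        var_export(keepsLoginAsPosted($loc), true),
        var_export(keepsLoginStrict($loc), true),
        $loc
    );
}
```

The two functions disagree on the first and third samples: the posted test misses a match at offset 0 (comparing with `=== false` avoids that), and it accepts any location that merely contains the fragment somewhere in its query string.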

Check all of the URLs in your configurations, both http and https. Make sure that they are all the same.

Example:

http://www.yoursite.com

https://www.yoursite.com

If your URL changes from http://www.yoursite.com to https://yoursite.com, the cookie will be lost.

If you find that the www is missing from one of your URLs, change the code back, update the URLs and then check the return from PayPal.

Thanks

/Goober


Guest ebourqui

I looked at my global.inc.php file, as well as the Secure URL settings under General Settings, and ensured that every URL has www. in front of it.

As I go to the PayPal Express Checkout site, I am watching the session in the database, and see that the customer_id stays the same (non-zero), until I click the Confirm Payment button in PayPal. As the browser is returning to my site, I refresh my database viewer, and see that the customer_id has been changed to zero, and through some debugging, I see that the previously-mentioned line 68 is setting it to zero, because I don't have the ccRemember cookie set (which I am assuming is set by the Remember Me checkbox).

if(!isset($_COOKIE['ccRemember'])) { $sessData["customer_id"] = 0; }

What I can't figure out is why I can log in to the store, then surf to other sites, then return to the store, and I am still logged in, but going to PayPal and back causes the customer_id to go to 0. I believe the session.inc.php file is being called in both cases, but only the PayPal case sets the customer_id to 0.

Another interesting tidbit is that when I get returned to the Confirmation Page from PayPal, I edit the customer_id for the current session, in the database, back to the proper customer id, then hit refresh in the browser, and I see the Thanks For Your Order page, so the session variables and cookies are still correct.
