Lost session at confirmation page (lost orderid)


Post by rvhelp2 » 09 Feb 2024, 13:19

Hello,

We have MPay24 as our payment provider. When a user makes a payment, we send a push notification and update the order. However, when a user is redirected back to our TYPO3 11, the order ID is no longer contained in the session and the error message mentioned in the title is displayed. We have already set cookieSameSite as a variable in TYPO3 (BE & FE).

This has been happening since December 2023.

Code:

Lost session at confirmation page
Array
(
[MAGICK_TEMPORARY_PATH] => /usr/home/website/.tmp
[TMPDIR] => /usr/home/website/.tmp
[PHP_FCGI_MAX_REQUESTS] => 100000
[PATH] => /usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
[PHPRC] => /home/httpd/php74-ini/website
[PWD] => /home/httpd/cgi-bin
[MAGICK_TMPDIR] => /usr/home/website/.tmp
[CONTENT_LENGTH] => 0
[HTTP_CONNECTION] => close
[SCRIPT_NAME] => /index.php
[REQUEST_URI] => /produkte/shop/confirm?action=confirm&code=mpay24&controller=Checkout&TID=1259&LANGUAGE=DE&USER_FIELD=&BRAND=MASTERCARD
[QUERY_STRING] => action=confirm&code=mpay24&controller=Checkout&TID=1259&LANGUAGE=DE&USER_FIELD=&BRAND=MASTERCARD
[REQUEST_METHOD] => GET
[SERVER_PROTOCOL] => HTTP/2.0
[GATEWAY_INTERFACE] => CGI/1.1
[REDIRECT_QUERY_STRING] => action=confirm&code=mpay24&controller=Checkout&TID=1259&LANGUAGE=DE&USER_FIELD=&BRAND=MASTERCARD
[REDIRECT_URL] => /produkte/shop/confirm
[REMOTE_PORT] => 52187
[SCRIPT_FILENAME] => /usr/www/users/website/website.com/index.php
[SERVER_ADMIN] => webmaster@website.com
[CONTEXT_DOCUMENT_ROOT] => /usr/www/users/website/website.com
[CONTEXT_PREFIX] =>
[REQUEST_SCHEME] => https
[DOCUMENT_ROOT] => /usr/www/users/website/website.com
[REMOTE_ADDR] => 213.47.100.23
[SERVER_PORT] => 443
[SERVER_ADDR] => 116.202.200.217
[SERVER_NAME] => website.com
[SERVER_SOFTWARE] => Apache
[SERVER_SIGNATURE] => <address>Apache Server at website.com Port 443</address>

[HTTP_HOST] => website.com
[HTTP_SEC_FETCH_USER] => ?1
[HTTP_SEC_FETCH_SITE] => none
[HTTP_SEC_FETCH_MODE] => navigate
[HTTP_SEC_FETCH_DEST] => document
[HTTP_UPGRADE_INSECURE_REQUESTS] => 1
[HTTP_DNT] => 1
[HTTP_ACCEPT_ENCODING] => gzip, deflate, br
[HTTP_ACCEPT_LANGUAGE] => en-US,en;q=0.5
[HTTP_ACCEPT] => text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
[HTTP_USER_AGENT] => Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:122.0) Gecko/20100101 Firefox/122.0
[SSL_TLS_SNI] => website.com
[HTTPS] => on
[H2_STREAM_TAG] => 42226-5245-15
[H2_STREAM_ID] => 15
[H2_PUSHED_ON] =>
[H2_PUSHED] =>
[H2_PUSH] => on
[H2PUSH] => on
[HTTP2] => on
[CWD] => /
[REDIRECT_STATUS] => 200
[REDIRECT_SSL_TLS_SNI] => website.com
[REDIRECT_HTTPS] => on
[REDIRECT_H2_STREAM_TAG] => 42226-5245-15
[REDIRECT_H2_STREAM_ID] => 15
[REDIRECT_H2_PUSHED_ON] =>
[REDIRECT_H2_PUSHED] =>
[REDIRECT_H2_PUSH] => on
[REDIRECT_H2PUSH] => on
[REDIRECT_HTTP2] => on
[REDIRECT_CWD] => /
[FCGI_ROLE] => RESPONDER
[PHP_SELF] => /index.php
[REQUEST_TIME_FLOAT] => 1707423575.9154
[REQUEST_TIME] => 1707423575
[argv] => Array
(
[0] => action=confirm&code=mpay24&controller=Checkout&TID=1259&LANGUAGE=DE&USER_FIELD=&BRAND=MASTERCARD
)

[argc] => 1
)


Re: Lost session at confirmation page (lost orderid)

Post by aimeos » 14 Feb 2024, 15:24

The browser (almost always Google Chrome) didn't send the TYPO3 FE session cookie to the server after being redirected from the payment provider website. Setting "cookieSameSite" to "none" may improve the situation, but we came to the conclusion that Chrome's behavior is buggy.


Re: Lost session at confirmation page (lost orderid)

Post by rvhelp2 » 21 Feb 2024, 14:08

Is there a possible workaround or something like that? Like sending a hash to Mpay and then using the hash in the success URL to verify, rather than the session order ID? How can I add a property to the order? set("hash", $hash) can be called up directly afterwards but not at the confirm: $unconfirmed_order = \Aimeos\Controller\Frontend::create( $context, 'order' )->get( $unconfirmed_orderid, false );


Re: Lost session at confirmation page (lost orderid)

Post by aimeos » 23 Feb 2024, 10:28

A possible workaround might be to pass the unique ID hash of the session in the URL that is returned by the payment provider. As long as this is the only place where it's done, security implications should be manageable. The only problem will be how to get that unique ID and force TYPO3 to use it if it's part of the URL (which we guess it will refuse to do by default).

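The idea raised in this thread, a hash in the success URL instead of the session ID itself, as an added example that is not Aimeos, TYPO3 or mpay24 code: an HMAC binds the order ID to an expiry time, so the confirm page can recover the order ID without the session cookie. The function names, the `$secret` key and the numeric order ID format are assumptions.

```php
<?php
declare(strict_types=1);

// Added example: hypothetical helpers, not part of Aimeos or TYPO3.
// $secret is an assumed server-side key that never leaves the shop server.

function b64url(string $bin): string
{
    return rtrim(strtr(base64_encode($bin), '+/', '-_'), '=');
}

/** Build "orderId.expires.mac" to append to the success URL given to the provider. */
function makeReturnToken(string $orderId, string $secret, int $ttl = 3600, ?int $now = null): string
{
    $expires = ($now ?? time()) + $ttl;
    $payload = $orderId . '.' . $expires;
    return $payload . '.' . b64url(hash_hmac('sha256', $payload, $secret, true));
}

/** Return the order ID if the token is authentic and unexpired, otherwise null. */
function verifyReturnToken(string $token, string $secret, ?int $now = null): ?string
{
    $parts = explode('.', $token);
    if (count($parts) !== 3) {
        return null;
    }
    [$orderId, $expires, $mac] = $parts;
    // Assumption: order IDs are numeric strings; reject anything else early.
    if (!ctype_digit($orderId) || !ctype_digit($expires)) {
        return null;
    }
    $expected = b64url(hash_hmac('sha256', $orderId . '.' . $expires, $secret, true));
    if (!hash_equals($expected, $mac)) { // constant-time comparison
        return null;
    }
    return (int) $expires >= ($now ?? time()) ? $orderId : null;
}

// Constructed demo values (order ID 4711 and the timestamps are made up).
$secret = random_bytes(32);
$issuedAt = 1707423575;
$token = makeReturnToken('4711', $secret, 3600, $issuedAt);

var_dump(verifyReturnToken($token, $secret, $issuedAt + 60));                     // untouched token
var_dump(verifyReturnToken('4712' . substr($token, 4), $secret, $issuedAt + 60)); // order ID altered
var_dump(verifyReturnToken($token, $secret, $issuedAt + 7200));                   // past expiry
```

A token in a URL ends up in browser history and server logs, so a valid token should only identify which order to show the confirmation for; it should not log the visitor in or restore the rest of the session.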