Lost session at confirmation page (lost orderid)

Questions around the TYPO3 integration and plugins
Forum rules
Always add your TYPO3, Aimeos and PHP version as well as your environment (Linux/Mac/Win)
Spam and unrelated posts will be removed immediately!
rvhelp2
Posts: 29
Joined: 29 Oct 2022, 10:10

Lost session at confirmation page (lost orderid)

Post by rvhelp2 » 09 Feb 2024, 13:19

Hello,

We have MPay24 as our payment provider. When a user makes a payment, we send a push notification and update the order. However, when a user is redirected back to our Typo3 11, the order ID is no longer contained in the session and the error message mentioned in the title is displayed. We have already set cookieSameSite as a variable in Typo3 (BE & FE).

This happens since December 2023.

Code: Select all

Lost session at confirmation page
Array
(
[MAGICK_TEMPORARY_PATH] => /usr/home/website/.tmp
[TMPDIR] => /usr/home/website/.tmp
[PHP_FCGI_MAX_REQUESTS] => 100000
[PATH] => /usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
[PHPRC] => /home/httpd/php74-ini/website
[PWD] => /home/httpd/cgi-bin
[MAGICK_TMPDIR] => /usr/home/website/.tmp
[CONTENT_LENGTH] => 0
[HTTP_CONNECTION] => close
[SCRIPT_NAME] => /index.php
[REQUEST_URI] => /produkte/shop/confirm?action=confirm&code=mpay24&controller=Checkout&TID=1259&LANGUAGE=DE&USER_FIELD=&BRAND=MASTERCARD
[QUERY_STRING] => action=confirm&code=mpay24&controller=Checkout&TID=1259&LANGUAGE=DE&USER_FIELD=&BRAND=MASTERCARD
[REQUEST_METHOD] => GET
[SERVER_PROTOCOL] => HTTP/2.0
[GATEWAY_INTERFACE] => CGI/1.1
[REDIRECT_QUERY_STRING] => action=confirm&code=mpay24&controller=Checkout&TID=1259&LANGUAGE=DE&USER_FIELD=&BRAND=MASTERCARD
[REDIRECT_URL] => /produkte/shop/confirm
[REMOTE_PORT] => 52187
[SCRIPT_FILENAME] => /usr/www/users/website/website.com/index.php
[SERVER_ADMIN] => webmaster@website.com
[CONTEXT_DOCUMENT_ROOT] => /usr/www/users/website/website.com
[CONTEXT_PREFIX] =>
[REQUEST_SCHEME] => https
[DOCUMENT_ROOT] => /usr/www/users/website/website.com
[REMOTE_ADDR] => 213.47.100.23
[SERVER_PORT] => 443
[SERVER_ADDR] => 116.202.200.217
[SERVER_NAME] => website.com
[SERVER_SOFTWARE] => Apache
[SERVER_SIGNATURE] => <address>Apache Server at website.com Port 443</address>

[HTTP_HOST] => website.com
[HTTP_SEC_FETCH_USER] => ?1
[HTTP_SEC_FETCH_SITE] => none
[HTTP_SEC_FETCH_MODE] => navigate
[HTTP_SEC_FETCH_DEST] => document
[HTTP_UPGRADE_INSECURE_REQUESTS] => 1
[HTTP_DNT] => 1
[HTTP_ACCEPT_ENCODING] => gzip, deflate, br
[HTTP_ACCEPT_LANGUAGE] => en-US,en;q=0.5
[HTTP_ACCEPT] => text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
[HTTP_USER_AGENT] => Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:122.0) Gecko/20100101 Firefox/122.0
[SSL_TLS_SNI] => website.com
[HTTPS] => on
[H2_STREAM_TAG] => 42226-5245-15
[H2_STREAM_ID] => 15
[H2_PUSHED_ON] =>
[H2_PUSHED] =>
[H2_PUSH] => on
[H2PUSH] => on
[HTTP2] => on
[CWD] => /
[REDIRECT_STATUS] => 200
[REDIRECT_SSL_TLS_SNI] => website.com
[REDIRECT_HTTPS] => on
[REDIRECT_H2_STREAM_TAG] => 42226-5245-15
[REDIRECT_H2_STREAM_ID] => 15
[REDIRECT_H2_PUSHED_ON] =>
[REDIRECT_H2_PUSHED] =>
[REDIRECT_H2_PUSH] => on
[REDIRECT_H2PUSH] => on
[REDIRECT_HTTP2] => on
[REDIRECT_CWD] => /
[FCGI_ROLE] => RESPONDER
[PHP_SELF] => /index.php
[REQUEST_TIME_FLOAT] => 1707423575.9154
[REQUEST_TIME] => 1707423575
[argv] => Array
(
[0] => action=confirm&code=mpay24&controller=Checkout&TID=1259&LANGUAGE=DE&USER_FIELD=&BRAND=MASTERCARD
)

[argc] => 1
)

User avatar
aimeos
Administrator
Posts: 7854
Joined: 01 Jan 1970, 00:00

Re: Lost session at confirmation page (lost orderid)

Post by aimeos » 14 Feb 2024, 15:24

The browser (almost always Google Chome) didn't send the TYPO3 FE session cookie to the server after being redirected from the payment provider website. Setting "cookieSameSite" to "none" may improve the situation but we came to the conclusion that Chrome's behavior is buggy.
Professional support and custom implementation are available at Aimeos.com
If you like Aimeos, Image give us a star

rvhelp2
Posts: 29
Joined: 29 Oct 2022, 10:10

Re: Lost session at confirmation page (lost orderid)

Post by rvhelp2 » 21 Feb 2024, 14:08

Is there a possible Workaround or something like that? Like sending a Hash to Mpay and then use the hash in the success url to verify rather than session order id? how can i add a property to order, set("hash" $hash) can be called up directly afterwards but not at the confirm: $unconfirmed_order = \Aimeos\Controller\Frontend::create( $context, 'order' )->get( $unconfirmed_orderid, false );

User avatar
aimeos
Administrator
Posts: 7854
Joined: 01 Jan 1970, 00:00

Re: Lost session at confirmation page (lost orderid)

Post by aimeos » 23 Feb 2024, 10:28

A possible workaround might be to pass the unique ID hash of the session in the URL that is returned by the payment provider. As long as this is the only place where it's done, security implications should be manageable. The only problem will be how to get that unique ID and force TYPO3 to use it if it's part of the URL (which we guess it will refuse to do so by default).
Professional support and custom implementation are available at Aimeos.com
If you like Aimeos, Image give us a star

stiller
Posts: 86
Joined: 05 Mar 2016, 15:59

Re: Lost session at confirmation page (lost orderid)

Post by stiller » 15 Mar 2024, 10:01

We are facing the same problem.
You hardly get feedback from customers but the log reveals several "Lost session at confirmation page - orderid missing" entries.
User Agent varies. Chrome is not the only affected browser.
Payment is handled by the included PayPal service provider.
"cookieSameSite" set to "none".
TYPO3 latest 11.5
Aimeos 22.10.8

User avatar
aimeos
Administrator
Posts: 7854
Joined: 01 Jan 1970, 00:00

Re: Lost session at confirmation page (lost orderid)

Post by aimeos » 18 Mar 2024, 09:56

"cookieSameSite: none" solves the issue most of the time but not always and we don't know why.
Which other browsers are also affected? Are Firefox and Safari among them?
Professional support and custom implementation are available at Aimeos.com
If you like Aimeos, Image give us a star

stiller
Posts: 86
Joined: 05 Mar 2016, 15:59

Re: Lost session at confirmation page (lost orderid)

Post by stiller » 18 Mar 2024, 17:55

mostly Chrome [Android/Windows]
but also Firefox
[HTTP_USER_AGENT] => Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:123.0) Gecko/20100101 Firefox/123.0

stiller
Posts: 86
Joined: 05 Mar 2016, 15:59

Re: Lost session at confirmation page (lost orderid)

Post by stiller » 20 Mar 2024, 12:37

we're are experiencing this error (and a lost order) almost every day now.
this is an unfortunate situation
any further ideas on this? can I help with more information?

User avatar
aimeos
Administrator
Posts: 7854
Joined: 01 Jan 1970, 00:00

Re: Lost session at confirmation page (lost orderid)

Post by aimeos » 20 Mar 2024, 14:11

It seems to happen mostly with a few of our supported payment providers, most often Datatrans. Don't know if the reason is related to what they do on their side.
Professional support and custom implementation are available at Aimeos.com
If you like Aimeos, Image give us a star

stiller
Posts: 86
Joined: 05 Mar 2016, 15:59

Re: Lost session at confirmation page (lost orderid)

Post by stiller » 21 Mar 2024, 14:31

In our case the provided paypal service is affected.
that's why we are worried.
if a shop owner does not check the logs, he will hardly find out that this is happening.
could the cookie manager have an impact on this?

Post Reply