I'm struggling to complete a Amazon Pay transaction in PHP.
First of all I followed this guide https://developer.amazon.com/de/docs/amazon-pay-checkout/get-set-up-for-integration.html and implemented version 2 of Amazon Pay. For implementation I used the following PHP Amazon Pay SDK: https://github.com/amzn/amazon-pay-api-sdk-php
Up to point 4 (Set payment info) I got everything working. But here I am stuck. 4.2 says that the response contains an amazonPayRedirectUrl to which the user has to be redirected.
My problem is the following:
I am working with a kind of legacy software where there are a lot of forms in an online shop. When these forms are submitted they are always posting to the same url and depending on the payload data different views are loaded to proceed in the checkout process. When I am now redirecting the user via the generated amazonPayRedirectUrl (using header function of PHP) the user is redirected to the shops landing page (due to htaccess config) instead of the page/view which should logically follow in the checkout process because the redirect does not include the payload data of the submit form.
I already tried to save the needed checkout session id (which is appened as a query parameter to the amazonPayRedirectUrl) into the session to complete the transaction without redirecting the user but this does not work. When calling $client->completeCheckoutSession I get an error message in the response: InvalidCheckoutSessionStatus You tried to call an operation on a Checkout Session that is in a state where that operation is not allowed. The status of the checkout session in the response is "open" instead of "completed". I assume this error occurs because I did not redirect the user (not sure though).
What would be the best way to redirect the user to the correct logically following view/page in the checkout process? Do I somehow have to gather the submit data and do an ajax call including this payload data while calling the amazonPayRedirectUrl or how do I prevent being redirected to the shops landing page respectivly load the correct following view/form?
Thanks in advance!
Related
I have a wordpress store with woocommerce which has paypal payments enabled.
I'm developing a plugin that collects some data from the client on the cart page, stores that data in woocommerce session. Then client goes to paypal to pay, then after a successful payment gets redirected back to the site to the order confirmation page where my plugin is supposed to perform additional tasks.
This works well on my test site when I access it from my computer. It does not however work for me when I try it from my android phone.
The session "seems" to be lost when I come back from Paypal and none of the data is accessible through Woocommerce's WC()->session->get
Interestingly, the data is still there in the sessions table in the database, it just doesn't get loaded when I get redirected from Paypal.
In order to try to debug this, I wrote 2 lines of code in index.php where I'm writing to log the Cookie header every time the site is loaded. I can see the cookie data being logged when I navigate around the site.
However when the navigation back from paypal happens, the Cookie header is empty, so no wonder the session doesn't get loaded.
My question is, what can I do about it so that I can access the data after I get redirected back to the site.
PS - the trickiest part is that the issue is intermittent. I managed to find a laptop with a browser which behaved exactly as my android phone so I could inspect the issue easier, but after doing a couple of tests, it started being able to access the session data when navigating back from paypal to the site. So basically now "it's working" and I can't reproduce the issue again even after clearing all site data from the browser. But I know the issue still occurs for some people, outside my office.
I won't pretend to be an expert on third party cookie session preservation, but the bottom line is browsers are being more and more aggressive about dropping cookies when navigating away and back to a site, and so you shouldn't rely on this type of session preservation if the data you are saving is important.
The newest WooCommerce PayPal module uses the Express Checkout API, which generates an EC-################# before redirecting the user away, and you'll have this in the URL when they return from PayPal. So you can use this to keep track of the same user returning. But it also has support for Smart Payment Buttons so your site stays loaded in the background, which is a better experience anyway.
I've a security problem..
I've a paypal script that is in a page which get some php variables, those variables are the price of every product and the total of a cart. I have to be sure that the payment is complete but:
when the payment is authorized call a page via ajax that store the order in the database, the fact is that if someone call this page via link..the payment will result complete.
I hope that I've explained good..
If users login is needed to access the site, ultimately the page cannot be called by URL. Even if so, it would throw the error that the USER privilege is not accessed. This would solve one problem but the corner case where the logged user tries to access the file then it gives privileges and the same problem might raise.
Have you set the window object to be on-click. So that the ajax is triggered when the on-click event occurs.
Moreover, the code is needed to help you further with the issues.
I have a webpage on my website at www.example.com/complete.html
As it is right now, anyone can access this page by visiting the website through the URL.
When I set up my paypal payment buttons on my website, after the payment is successful, the user is redirected to www.example.com/complete.html
I don't want anyone to be able to access this page unless they are sent their by the paypal system. How can I do this?
See:
Auto Return and note the option to override with parameters you can use to check or verify upon return to your site.
Payment Data Transfer - which similarly allows you to check or verify upon return to your site/returnUrl
There are other ways depending on how you implement Paypal, but the idea is similar - you will need to check or verify data, either from Paypal, or something you expect back (as described in the Auto Return custom variable - e.g. Session ID that you check/compare when user comes back) before displaying some page on your site.
Hth..
I have written a PHP code. When a user submits the form, it saves all information in session and redirect user to PayPal Payment page. When user successfully makes Payment, Paypal sends user to Return path. The return path page gets values from session and enter user in database. But, after submitting the form if user manually visit Return path URL, it will save information in database without getting payment. Any solution for this?
Without sharing your code, it's difficult to give an accurate answer, but based upon what you've provided...
Paypal allows you to provide 2 URLs to it's submission, a return_url and a notify_url.
With the return_url, it should be for display only (e.g. www.website.com/order_complete/), and should NEVER have any functionality behind it, such as updating an order status for the exact reason you've asked the question. Therefore, when you query the order in the DB, it would still be marked as unpaid, and then you can put in the appropriate response.
Validating the order is what the notify_url is for (see https://developer.paypal.com/docs/classic/products/instant-payment-notification/ for more information). Basically, this does a checkback to paypal to confirm that the order you have attempted to make has actually gone through successfully, and then you do your DB updates (setting the order to complete).
The solution for you would be to remove the 'order updating' functionality from the return_url, and implement the IPN.
I am currently working on integrating a PHP/MySQL-based e-commerce website I manage with the RBS Worldpay payment gateway. Here is my problem:
A customer fills up his shopping basket and as he does so, the contents get stored in the $_SESSION global array as well as being stored in a cookie. When the customer checks out he gets sent to the Worldpay pages to put in his payment details. I am using the "Payment response"/callback feature to redirect a successful payment to my own page, "confirmation.php", which tells the customer all is well, plus does some database queries in the background.
All fine!
HOWEVER, I also at this point wish to empty the shopping cart data from the $_SESSION array as well as get rid of the cookie. So fine, I just use:
$_SESSION['cart'] = array();
setcookie('cart', '', 0, '/');
But this doesn't work. And it has to do with the fact that the URL for this redirected page is actually https://secure-test.wp3.rbsworldpay.com/wcc/purchase rather than www.mysite.co.uk/confirmation.php.
As a test, I had my confirmation page echo the phpinfo() and from the $_SERVER vars, everything seems to be fine, eg:
_SERVER["DOCUMENT_ROOT"] /var/www/vhosts/mysite.co.uk/httpdocs
_SERVER["SCRIPT_FILENAME"] /var/www/vhosts/mysite.co.uk/httpdocs/confirmation.php
_SERVER["SERVER_PROTOCOL"] HTTP/1.0
_SERVER["REQUEST_METHOD"] POST
_SERVER["QUERY_STRING"] installation=[xxxxxx]&msgType=authResult
_SERVER["REQUEST_URI"] /confirmation.php?installation=xxxxxx&msgType=authResult
_SERVER["SCRIPT_NAME"] /confirmation.php
_SERVER["PHP_SELF"] /confirmation.php
_SERVER["HTTP_USER_AGENT"] WJHRO/1.0 (WorldPay Java HTTP Request Object)
So it seems that because of the fact that the URL is pointing to a different domain, my script can't access the $_SESSION and $_COOKIE data, nor manipulate it. I don't know how this Worldpay system is doing it, it's not an iframe or anything like that, but I suspect it has to do with the user agent - "WJHRO/1.0 (WorldPay Java HTTP Request Object)"
Is anyone familiar with this? How can I get around this?
Thanks for reading!
Michael
When WorldPay finishes processing payment (remember: you do not know what customer did there as all operations with card details were performed on WorldPay's site) it sends a POST request to you informing with the outcome of transaction (accepted, rejected, customer cancelled etc). It is done directly from their servers and not from customer computer/browser, therefore you cannot match this request with your existing checkout session (I assume you are doing some e-commerce site here) that belongs to the customer.
When redirecting customer to WorldPay you need to pass additional information together with the required fields. Such fields have MC_ prefix and you can pass quite a few of them (I did this over 2 years ago and do not remember all the details).
You need to send enough info in those fields (but as less as possible and encrypt them) so when such POST request from WorldPay comes to your confirmation.php you extract those additional fields and restore the session (look towards session_id() and related functions) or something similar (depends how you implement your session handling; in case if session data is stored in DB -- that's even easier -- you can easily impersonate the session as long as you know session id) and continue with the checkout.
Keep in mind, that the output of your confirmation.php will be sent back to WorldPay and not to the customer. WorldPay will process that page first and then display it to the customer. Therefore this page should be VERY simple (very basic interface otherwise some tags can be removed by WorldPay) and it should just redirect your customer back to your website (for example, to real_confirmation.php) where you will have full access to the customer session etc and you will show the proper confirmation page. You can achieve such redirect with simple JavaScript or metatag (e.g. <meta http-equiv="refresh" content="2;url=http://www.example.com/real_confirmation.php">).
You have to double check this as it was over 2 years as I have coded this and do not currently have all the code with me and situation/rules could change since then (P.S. we are no longer using WorldPay and therefore I cannot confirm that my code would 100% work now -- they may have done changes to the whole process since then).