I'm building an ecommerce website, and have had a problem with two different payment gateways. Visitors enter their card details and then leave to the 3D Secure step, which requires visiting their bank's website. When they return from that, they have no cookies on our website, and we cannot recognize them to link up the order.
With one payment gateway, this results in the order failing; with the other, the payment comes through, but is not linked to any specific account or products purchased. Clearly, both of these are problems.
I know that plenty of browsers clear cookies on closing the browser, but I'm not aware of any that clear cookies just because you've left the site for a moment. (Furthermore, on one of the two payment gateways, the 3D Secure step is done in an iframe, so the user hasn't even left the site.) It's the user's session which is disappearing.
Concrete questions:
Is it common for session cookies to be this volatile? This is behaviour I've been unable to replicate myself. Is there some common browser setting or addon which aggressively (and prematurely) deletes session cookies?
Might there be something else causing the effects I'm seeing?
In this kind of scenario, these days it often has to do with the SameSite attribute of the session cookie.
The Strict value will prevent cookies from being sent in any requests initiated by third-party websites. When users are redirected back to your site from the payment gateway, that is a "navigation" from a 3rd-party site, and the cookies are not sent; so your own session cannot be picked up at that point.
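As an added illustration of that answer (example code, not from the original post), the following sets the PHP session cookie's attributes explicitly so the SameSite value is a deliberate choice rather than a browser default; it assumes PHP 7.3 or later and an HTTPS site.

```php
<?php
// Added example: configure the PHP session cookie so it survives the
// return navigation from a 3D Secure / payment gateway page.
// Assumes PHP >= 7.3 (array form of session_set_cookie_params) and HTTPS.

function configure_session_cookie(string $samesite): void
{
    // 'Strict': never sent on requests initiated by another site, including
    //           the top-level redirect back from the bank, so the session is
    //           lost exactly as the question describes.
    // 'Lax'   : sent on top-level GET navigations from other sites (the usual
    //           "return to merchant" redirect), but not on cross-site POSTs
    //           or for pages loaded inside a third-party iframe.
    // 'None'  : sent in every context; browsers require Secure with it.
    //           Needed when the gateway returns via POST or when your return
    //           page is loaded inside the gateway's iframe.
    session_set_cookie_params([
        'lifetime' => 0,      // session cookie, removed when the browser closes
        'path'     => '/',
        'domain'   => '',     // current host only
        'secure'   => true,   // never sent over plain http
        'httponly' => true,   // not readable from JavaScript
        'samesite' => $samesite,
    ]);
    session_start();
}

// The weak setting: a Strict session cookie breaks the gateway round trip.
// configure_session_cookie('Strict');

// Corrected setting for a gateway that redirects back with a GET:
configure_session_cookie('Lax');

// Diagnostic: record the attributes actually in force, so a missing session
// after the return can be correlated with the SameSite value in the logs.
$p = session_get_cookie_params();
error_log(sprintf('session cookie: samesite=%s secure=%d httponly=%d',
    $p['samesite'], (int) $p['secure'], (int) $p['httponly']));
```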
I'm writing a website where the user logs in through conventional means. The login creates session variables so the site knows if and who is logged in.
There are products on the site that sell through Stripe. For ease I'm using Stripe's payment links. So you click a link on my site, it then visits Stripe's site to enter card details, then back to mine on checkout success.
My question is this: Are the session variables guaranteed to stay through that diversion so the user is still logged in when their payment is successful and they've been to Stripe and back or should I pass the customer id, etc. through the payment process and recreate all the session variables again once they arrive on the success page?
Yes and no...
The important thing to remember is that HTTP is completely stateless - every request is completely independent of any previous ones. As far as the web server is concerned, every time the user loads a new page that's equivalent to them "going away and coming back". Sessions work by telling the browser to associate a cookie with a particular domain, and then using that cookie to recognise that two requests came from the same user. As long as that cookie is still there, it doesn't matter if the user has visited another site in between, or opened a new browser window, or whatever.
However, it's a good idea to plan for what will happen if the cookie isn't there when they come back: customers tend to get very annoyed if you take the payment but don't complete the order. Another scenario to consider is that the payment completes but for whatever reason the user doesn't get redirected back at the end of the payment process (I've had this happen with malfunctioning security software on the user's PC, for instance).
A good approach if you can manage it is therefore to create a "pending" order in your system, with all the details of who was logged in and what they were trying to buy. Then you have a single ID you can pass through Stripe and receive for a successful payment. If the session disappears, you still know which order to confirm; and if orders get stuck in "pending" status for a long time, you can check in Stripe if a payment was actually made, and sort the order out manually.
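The "pending order" pattern from that answer, as an added example that is not the answer's own code or Stripe's: it assumes a PDO connection `$db`, a table `orders(id, user_id, sku, status)`, a Payment Link URL `$paymentLink`, that Stripe's `client_reference_id` query parameter is echoed back in the Checkout Session object, and that the webhook handler has already verified the `Stripe-Signature` header (check these against Stripe's current documentation).

```php
<?php
// Added example of the pending-order pattern. Hypothetical schema:
// orders(id, user_id, sku, status). Not Stripe's or the answer's own code.

function create_pending_order(PDO $db, int $userId, string $sku): string
{
    // Unguessable order id, so the success URL cannot be used to confirm
    // someone else's order by enumerating sequential ids.
    $orderId = bin2hex(random_bytes(16));
    $stmt = $db->prepare(
        'INSERT INTO orders (id, user_id, sku, status) VALUES (?, ?, ?, ?)');
    $stmt->execute([$orderId, $userId, $sku, 'pending']);
    return $orderId;
}

function payment_link_for_order(string $paymentLink, string $orderId): string
{
    // client_reference_id comes back in the Checkout Session object, so the
    // webhook can find the order without relying on any browser cookie.
    return $paymentLink . '?client_reference_id=' . rawurlencode($orderId);
}

// Webhook handler for checkout.session.completed: the only place an order is
// marked paid. It trusts neither the PHP session nor the success page, only
// the signature-verified event from Stripe ($session = event data.object).
function handle_checkout_completed(PDO $db, array $session): bool
{
    if (($session['payment_status'] ?? '') !== 'paid') {
        return false;
    }
    $orderId = $session['client_reference_id'] ?? '';
    $stmt = $db->prepare(
        "UPDATE orders SET status = 'paid' WHERE id = ? AND status = 'pending'");
    $stmt->execute([$orderId]);
    return $stmt->rowCount() === 1;   // false for unknown or already-paid id
}

// Success page: the session cookie may be gone, so identify the order by its
// id alone (recovered from the Checkout Session, not shown here) and show a
// "received / still processing" state until the webhook has confirmed it.
function success_page_state(PDO $db, string $orderId): string
{
    $stmt = $db->prepare('SELECT status FROM orders WHERE id = ?');
    $stmt->execute([$orderId]);
    return $stmt->fetchColumn() ?: 'unknown';
}
```

Orders left in "pending" for a long time can then be reconciled against Stripe's records, as the answer suggests, since each one carries the id that was passed through.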
I'm testing a new Magento site. I see each time a customer selects a product, if cookies are NOT enabled, they are unable to add product to the cart. Searching for a solution, I found a message that can be enabled to popup telling the customers cookies need to be enabled.... That's great but if a customer doesn't want to enable cookies a sale is lost.
Is there a way to disable Magento from even checking if you have cookies enabled or disabled? In other words, I don't care if the customers have cookies enabled or disabled.
Or is that the way Magento is created, meaning it was created to check cookies in order to add product(s) to cart?
In order to maintain sessions so the cart will work when cookies are not being accepted by the client, you will have to enable SID with the Use SID on Frontend setting on the System=>Configuration=>Web=>Session Validation Settings section.
This adds an SID= parameter to the URL string.
Play with the above to see if it's stable enough in your environment to do what you're attempting to do. It's normally intended for use on sites that have certain issues when switching from insecure http to secure https, or that have the secure domain separate from the insecure content domain, and is expected to be a supplement to SID cookies.
Magento expects cookies to be passed because you need to maintain state in order to have a cart remember who you are. This is done by establishing a session and then exchanging a cookie token back and forth so the customer/webserver interaction all connects together during the cookie lifetime. Things usually go south pretty quickly if you don't allow cookies to be set and you start having issues like Magento creating a new cart every time something is added to the cart, disappearing cart contents and general inability to use customer accounts.
Because of the new EU cookie law, I need to implement a cookie solution on my site. I want to make a simple pop-up which tells the user we use cookies, and a button they can click "agree" on. My problem is just that my site is setting cookies all over the site, so I need to make the popup box, somehow, before placing the cookies. Is there any way you can make a pop-up, and then only when it's closed, execute the rest of the PHP code?
Thank you!
In all my projects I allow cookies by default on the first page, I display the pop-up and if the user rejects I delete cookies and do not use any cookie anymore.
It depends on your website, but I think you don't need to block a part of your website until the user accepts cookies; use a "standard" way.
Also what you want to achieve is not very good for SEO.
If you redirect your user to another page crawlers won't be able to check your website, and if all pages redirect to the same page you will have a very bad ranking.
Update:
It is not required to block all cookies as mentioned in the EU cookie law (e-Privacy Directive) since June 2012:
European data protection authorities' opinion: In June 2012, European data protection authorities (as part of the Article 29 Working Party) adopted an opinion which clarifies that some cookie uses might be exempt from the requirement to gain consent:
Some cookies can be exempted from informed consent under certain conditions if they are not used for additional purposes. These cookies include cookies used to keep track of a user's input when filling online forms or as a shopping cart, also known as session-id cookies, multimedia player session cookies and user interface customisation cookies, eg language preference cookies to remember the language selected by the user. First party analytics cookies are not likely to create a privacy risk if websites provide clear information about the cookies to users and privacy safeguards, eg a user friendly mechanism to opt out from any data collection and where they ensure that identifiable information is anonymised.
I am working on a new PHP application that will allow users to register for an account in order to use my service. I want the website to comply with the new legislation that has come to the UK to provide visitors to the site, to enable or disable the use of cookies on their first visit.
I'm not entirely sure though what the best way to implement this is. If I can't store a cookie, how would I keep track of whether the user is visiting the site for the first time in order to display the message, or, if it is not the first visit, not display the cookie message?
Thanks for any help you can provide.
The law is mainly concerned with 3rd party cookies. Yours is a first party cookie and these are generally assumed to be ok. You should be fine with a notice on your site specifying that you are using cookies and if people don't like that, they should get off your site (Possibly worded more politely)
From the ICO's own recommendations:
First party analytics cookies are not likely to create a privacy risk if websites provide clear information about the cookies to users and privacy safeguards, eg a user friendly mechanism to opt out from any data collection and where they ensure that identifiable information is anonymised.
Also note that it's not really a law - it's an EU directive and it's not really enforced.
One should distinguish between session-cookies and other cookies:
Session-cookies will be removed as soon as the user closes the browser; they are important to get secure session handling and will increase the privacy of the user. It would be absurd to forbid those cookies.
Persistent cookies, especially those of 3rd parties, can live a long time in the user's browser. They are often misused to collect information about the user, so the user should be asked whether he allows such cookies. Unfortunately only honest websites will ever care about this law/recommendation.
EDIT:
I found a description of exceptions in the ICO cookies guidance which seems to legitimise pure session-cookies:
There is an exception to the requirement to provide information about cookies and obtain consent where the use of the cookie is: (a) for the sole purpose of carrying out the transmission of a communication over an electronic communications network; or (b) where such storage or access is strictly necessary for the provision of an information society service requested by the subscriber or user.
...This exception is likely to apply, for example, to a cookie used to ensure that when a user of a site has chosen the goods they wish to buy and clicks the 'add to basket' or 'proceed to checkout' button, the site 'remembers' what they chose on a previous page. This cookie is strictly necessary to provide the service the user requests (taking the purchase they want to make to the checkout) and so the exception would apply and no consent would be required.
EDIT2:
Should you ask the user to store non-session-cookies and he doesn't allow you to store them, then keep this information in your session, but ask him again when he returns with another session. It is his choice then to get this message whenever the browser was closed.
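The split this answer describes, as an added example (not the answer's own code): the session-id cookie is always set, non-essential cookies are only set after consent, and a refusal is kept in the session so the question is only repeated once the browser has been closed. The cookie names and lifetimes are illustrative; it assumes PHP 7.3 or later and HTTPS.

```php
<?php
// Added example: consent gating for non-essential cookies. Names and
// lifetimes are illustrative, not from the original answers.

session_start();  // session-id cookie: strictly necessary, no consent needed

function consent_state(): string
{
    // Returns 'granted', 'refused' or 'unknown'.
    if (($_COOKIE['cookie_consent'] ?? '') === 'yes') {
        return 'granted';
    }
    return ($_SESSION['consent_refused'] ?? false) ? 'refused' : 'unknown';
}

function record_consent(bool $agreed): void
{
    if ($agreed) {
        // Persistent, so the question is not repeated in the next session.
        setcookie('cookie_consent', 'yes', [
            'expires'  => time() + 180 * 24 * 3600,
            'path'     => '/',
            'secure'   => true,
            'httponly' => true,
            'samesite' => 'Lax',
        ]);
        $_COOKIE['cookie_consent'] = 'yes';   // visible within this request
        unset($_SESSION['consent_refused']);
        return;
    }
    // Refusal lives in the session only; delete any non-essential cookies
    // already set (here an illustrative analytics id), keep the session cookie.
    $_SESSION['consent_refused'] = true;
    setcookie('analytics_id', '', ['expires' => time() - 3600, 'path' => '/']);
}

function set_optional_cookie(string $name, string $value): bool
{
    // Non-essential cookies are only written once consent has been granted.
    if (consent_state() !== 'granted') {
        return false;
    }
    return setcookie($name, $value, [
        'expires'  => time() + 30 * 24 * 3600,
        'path'     => '/',
        'secure'   => true,
        'httponly' => true,
        'samesite' => 'Lax',
    ]);
}
```

Only `consent_state() === 'unknown'` should trigger the pop-up, so a visitor who refused is not nagged on every page within the same session.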
It's a PHP based web store without user logins because all of the payments are handled via PayPal. My question is what would you guys suggest for the shopping cart - cookies, sessions, or both? I'm not too concerned with the longevity of the shopping cart's contents, but I'd like for the user to be able to click around and do a few things before they commit the order. I'm leaning towards sessions because some people may still disable cookies on their machines.
PHP sessions use a cookie with the session id to track the user. I would go with sessions since it will handle all of the identification for you and make things easier and more transparent.
It is also possible to use sessions with no cookies and it will pass the session id around in the URL. That in some cases can be a security risk, but perhaps not so much in your situation.
By default, PHP sets a cookie on the visitor's browser to know which session id to use anyway, so the only real difference between the three options in the end would be how much data gets sent up to your server during the request.
That being said, you can also use sessions without cookies by making sure to add ?session_id={session_id();} to all of your internal links and the following to the beginning of every page:
// Adopt the session id carried in the URL, if present, then start the session
if (isset($_GET['session_id'])) {
    session_id($_GET['session_id']);
}
session_start();
So, recommend using sessions.
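As an added example (not the answer's code) of the URL-session-id fallback the answer describes, together with the mitigations PHP itself offers for the security risk it mentions: `session.use_strict_mode` makes PHP discard an id it has no session data for and issue a fresh one, so a link carrying a pre-chosen id cannot pre-set another visitor's session (session fixation), and regenerating the id once the customer identifies themselves closes the remaining window. Assumes PHP 7.3 or later; the `customer_id` value is illustrative.

```php
<?php
// Added example: accepting the session id from the URL with PHP's own
// protections enabled. Not the original answer's code.

function start_session_from_url(): void
{
    // Only accept ids shaped like the ones PHP generates (session.sid_length
    // 22..256, characters from session.sid_bits_per_character up to 6).
    $id = $_GET['session_id'] ?? '';
    if ($id !== '' && preg_match('/^[A-Za-z0-9,-]{22,256}$/', $id) === 1) {
        session_id($id);
    }
    // Strict mode: an id with no existing session data is rejected and PHP
    // issues a new one instead of adopting the value supplied in the URL.
    ini_set('session.use_strict_mode', '1');
    // The cookie is still set when the browser allows it; the URL id is
    // only a fallback for visitors who block cookies.
    session_set_cookie_params([
        'path' => '/', 'secure' => true, 'httponly' => true, 'samesite' => 'Lax',
    ]);
    session_start();
}

function on_customer_identified(int $customerId): void
{
    // Never keep the id that was presented before the visitor was known;
    // the old session data is deleted (true) and a new id is issued.
    session_regenerate_id(true);
    $_SESSION['customer_id'] = $customerId;
}

function internal_link(string $path): string
{
    // Propagate the id only to same-site links, never to external URLs
    // (such as the PayPal redirect), which would leak it in the Referer
    // header and in the third party's logs.
    return $path . '?session_id=' . rawurlencode(session_id());
}

start_session_from_url();
```

With `session.use_only_cookies` left at its default of 1, the id is still not read from the URL automatically; this code reads it explicitly, which keeps the fallback limited to the one parameter it validates.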