Automatically submit the payment redirect form on the Payment checkout page

Can we assume that the "Off-site payment redirect" item is the only one on the "Payment" pane?
I tested with adding both the "Payment" and "Off-site payment redirect" items on the same "Payment" pane (see http://grab.by/9QTC)
But that doesn't seem to really work, as selecting another payment method doesn't change the button redirect target.
If that's not supposed to work, then I could go ahead and try to fix this.
If you're supposed to be able to change the payment method at that point, it might get tricky...

The JS redirect approach is the usual trick for off-site payments, if you need a "POST" request. (e.g. Magento does it in this way.)

Subscribing

It is not a problem, because the integration leads perhaps anyway to a negative behavior. The following case describe the reason why:

External payment service provider (PSP) like Ogone, PayPal and others exist, because of the payment card industry (PCI) certification (http://en.wikipedia.org/wiki/Payment_Card_Industry_Data_Security_Standard). This certification is required to store and process payment information (credit card number, card holder ...). This certification is really expensive, so many online stores outsource this. The outsourcing partner in this case is a PSP.

Normally the credentials (credit cart informations) are entered on the PSP website. The other case is you create a form on your site which collects the information. But the form must be send directly to the PSP. This means you have an URL of your PSP in the "action" attribute of the form.

In this special case the javascript redirect would be a problem, because on the payment page you need some additional fields. The JS redirection prevents the customer from entering the data. The JS redirection should be optional, this allows also the handling of more complex PSP's.

The problem is the storage of the credit card information on your side is not allowed. If you collect them on previous pages you need to store them in a way. For example in a cookie, in the session or in database. This is not allowed. In Switzerland (my most known market) there exists only one payment service provider, which allows the above described scenarios (Datatrans). The others are very similar to Ogone.

hunziker: Collecting information on previous pages can easily persist that information without storing it in a session. For example, the credit card information is entered into a form which is then posted to another form, which issues the javascript redirect.

@aidanlis: This completely wrong. If you post any form, the data is sent to the server. If now the server loads the data again (for putting into the next form), you have stored it already in your memory. The PCI restrictions are here very clear, you are not allowed to do that things.

If you are using an external (off-site) payment provider, you are most likely not storing credit card information anyway, because as hunziker points out, storing it (unencrypted) is not allowed in most countries AFAIK.

But I don't understand the problem that hunziker points out in #6 (http://drupal.org/node/1110334#comment-4383464). Can you elaborate?

The way I see it:
On the 1st (checkout) page you enter your full name, address, etc...
On the 2nd (payment) page you have a form which has these values from the previous page as hidden form elements, and one visible "Proceed with payment" button. When the button is clicked, the form is submitted to the payment provider (such as Ogone, Paypal, etc..) because the "action" attribute of the form is set to that external site.
Now what the functionality as described in this issue would do is, through JS, automatically submit that form on the 2nd page.
I don't see what that has to do with credit card info or the like... It's just to avoid a blank page with one button...

Or am I missing something?

Sven

@svendecabooter: In most cases you are absolutely correct. But there exists payment providers which allows you as store owner to submit in the parameters the credit card information. You replace some of the hidden fields to normal text fields. The customer can then enter the credit card information on your side. The processing is then only a redirect to the PSP and back. Normal user see no difference with a processing in the background. Therefore we should make the js redirection optional, so the payment module can control the redirection. This is my point, nothing more.

Alright i get it...
Making it optional makes sense.
Now let's make sure there is some functionality, so we can actually make it optional ;)

I am on @hunziker side here. This should be factored out in core, but called *by* the payment driver implementation.

I'm not sure what my side is, but I am happy about your assistance.

For the moment I think its enough if we make this optional. All other problems with the described integration, we can consider if we get to the point we get stuck.

sub

How about this approach: we provide the JS to automatically submit the form and we give it as an option for payment method implementations?

#21 works... but at least on my site, you have time to see the button "Proceed to Paypal". I believe people will probably have the possibility to click on the button before the Javascript submit, which might create some issues...

There are no issues if a user submits the form before it is automatically submited. The only thing that we can do about it is to change the message and inform the user about this.

Something like.. "If the page doesn't automatically redirect within 10 seconds, use the button below to proceed to the payment server."

amateescu > I agree with you. The same patch as yours, which changes the help message if needed...

I thought about hiding the button too but in the end, I think it's better to leave it (along with a message explaining that the user will be redirected) so that users who don't have JS enabled can still proceed to the payment page...

Guys - thanks for your work on this. Guillaumev, your patch doesn't include the .js file at the moment - is it meant to?

gebjohn > I forgot to include the js file in fact, here is a new patch with the file included...

Maybe I am missing something here but is there a reason why the submit to external payment cannot be on the checkout page? Submitting to external payment requires a particular payment method such as Paypal WPS. Can't the existence of a given payment method add a field to the checkout form?

Makes total sense, thank you again.

Works as expected, both with auto redirect enabled, and disabled in the payment method info hook.

This extra setting probably still needs extra documentation for people implementing payment method modules (e.g. on http://www.drupalcommerce.org/specification/info-hooks/payment and the likes)

[spam deleted]

reverting title, spammer blocked, spam deleted.