Attach cart to session if user is on mobile and Vipps forces different app [#3105358]

Many clients are reporting issues while paying with Vipps as they are getting 403 Access denied when returning back from Vipps payment (whether it's successful or cancelled payment). Order is kept locked and there's no way for client to resume it. This issue was reported upstream in #3051241: User is sent to 403 page after successful payment (anonymous checkout).

Basically Vipps forces #return_url on default browser rather than the browser initiating payment request. Cart is not attached to that browser's session as it was initiated from different browser or in-app browser.

Comment	File	Size	Author
#7	3105358-7.patch	10.84 KB	zaporylie
#7	8.x-4.x: PHP 7.1 & MySQL 5.5, D8.9 6 pass
#4	3105358-4.patch	10.05 KB	zaporylie
#4	8.x-4.x: PHP 7.1 & MySQL 5.5, D8.9 6 pass
#3	3105358-3.patch	10.66 KB	zaporylie
#3	8.x-4.x: PHP 7.1 & MySQL 5.5, D8.9 2 pass, 6 fail
#2	3105358-2.patch	9.55 KB	zaporylie
#2	8.x-4.x: PHP 7.1 & MySQL 5.5, D8.9 2 pass, 6 fail

Support from Acquia helps fund testing for Drupal Acquia logo

Comments

Comment #1

9 January 2020 at 13:47

zaporylie created an issue. See original summary.

Comment #2

zaporylie

he/him

Polish

CreditAttribution: zaporylie at Ny Media AS commented 9 January 2020 at 14:23

Status:

Active

» Needs review

File	Size
3105358-2.patch	9.55 KB
8.x-4.x: PHP 7.1 & MySQL 5.5, D8.9 2 pass, 6 fail

The idea to mitigate this issue is to attach cart to the current session based on unique vipps auth key. Once used key expired. It also expires once user returns back from Vipps even if keeping same browser/session. All attempts to use incorrect key are logged with critical severity.

Comment #3

zaporylie

he/him

Polish

CreditAttribution: zaporylie at Ny Media AS commented 10 January 2020 at 10:54

File	Size
3105358-3.patch	10.66 KB
8.x-4.x: PHP 7.1 & MySQL 5.5, D8.9 2 pass, 6 fail

Comment #4

zaporylie

he/him

Polish

CreditAttribution: zaporylie at Ny Media AS commented 10 January 2020 at 13:26

File	Size
3105358-4.patch	10.05 KB
8.x-4.x: PHP 7.1 & MySQL 5.5, D8.9 6 pass

commerce_cart is tricky to use in tests (as per comment in CartManagerTestTrait::installCommerceCart()) so avoiding it for now by setting service as abstract if cart module is missing.

Comment #5

eiriksm

he/him

Norwegian Bokmål

Norway

CreditAttribution: eiriksm at Ny Media AS, Violinist commented 10 January 2020 at 13:36

Do you have steps to reproduce this to test it out?

Comment #6

zaporylie

he/him

Polish

CreditAttribution: zaporylie at Ny Media AS commented 10 January 2020 at 13:52

Steps to reproduce can be found in related issue #3051241: User is sent to 403 page after successful payment (anonymous checkout)

Comment #7

zaporylie

he/him

Polish

CreditAttribution: zaporylie at Ny Media AS commented 14 January 2020 at 12:46

File	Size
3105358-7.patch	10.84 KB
8.x-4.x: PHP 7.1 & MySQL 5.5, D8.9 6 pass

Added logging for each successful cart session attachment

Comment #8

17 January 2020 at 10:47

zaporylie committed b7b54fa on 8.x-4.x

Issue #3105358 by zaporylie: Attach cart to session if user is on mobile...

Comment #9

zaporylie

he/him

Polish

CreditAttribution: zaporylie at Ny Media AS commented 20 January 2020 at 07:09

Status:

Needs review

» Fixed

Comment #10

3 February 2020 at 07:09

Status:

Fixed

» Closed (fixed)

Automatically closed - issue fixed for 2 weeks with no activity.

Attach cart to session if user is on mobile and Vipps forces different app

Comments

Comment #1

Comment #2

Comment #3

Comment #4

Comment #5

Comment #6

Comment #7

Comment #8

Comment #9

Comment #10

Related issues

Thank you to these Drupal contributors

News items

Our community

Documentation

Drupal code base

Governance of community