Many clients are reporting issues while paying with Vipps, as they are getting 403 Access denied when returning from Vipps payment (whether it's a successful or cancelled payment). The order is kept locked and there's no way for the client to resume it. This issue was reported upstream in #3051241: User is sent to 403 page after successful payment (anonymous checkout).
Basically, Vipps forces #return_url on the default browser rather than the browser initiating the payment request. The cart is not attached to that browser's session, as it was initiated from a different browser or an in-app browser.
Comment | File | Size | Author |
---|---|---|---|
#7 | 3105358-7.patch | 10.84 KB | zaporylie |
#4 | 3105358-4.patch | 10.05 KB | zaporylie |
#3 | 3105358-3.patch | 10.66 KB | zaporylie |
#2 | 3105358-2.patch | 9.55 KB | zaporylie |
Comments
Comment #2
zaporylie
The idea to mitigate this issue is to attach the cart to the current session based on a unique Vipps auth key. Once used, the key expires. It also expires once the user returns from Vipps, even if keeping the same browser/session. All attempts to use an incorrect key are logged with critical severity.
Comment #3
zaporylie
Comment #4
zaporylie
commerce_cart is tricky to use in tests (as per the comment in CartManagerTestTrait::installCommerceCart()), so avoiding it for now by setting the service as abstract if the cart module is missing.
Comment #5
eiriksm
Do you have steps to reproduce this to test it out?
Comment #6
zaporylie
Steps to reproduce can be found in related issue #3051241: User is sent to 403 page after successful payment (anonymous checkout)
Comment #7
zaporylie
Added logging for each successful cart session attachment
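The approach described in comments #2 and #7 (a single-use, expiring key that attaches the cart to whichever session presents it, with rejected attempts logged as critical and successful attachments logged as well), shown as an added example in plain PHP 8. It is not the code from the attached patches; the class and method names, the 15-minute lifetime, the in-memory store and log, and the array standing in for the session are all assumptions.

```php
<?php
// Added illustration: every name here is hypothetical, not taken from the patch.
final class CartReturnKeys
{
    /** Pending keys, indexed by SHA-256 digest so the raw key is never stored. */
    private array $pending = [];
    /** [severity, message] pairs; stands in for a real logger. */
    public array $log = [];

    public function __construct(private int $ttl = 900) {}

    // Payment initiated: returns the key to append to the return URL.
    public function issue(int $orderId, int $now): string
    {
        $key = bin2hex(random_bytes(32)); // 256 bits from the CSPRNG
        $this->pending[hash('sha256', $key)] = ['order' => $orderId, 'expires' => $now + $this->ttl];
        return $key;
    }

    // Return from the payment provider, possibly in a different browser.
    public function redeem(int $orderId, string $key, int $now, array &$session): bool
    {
        $digest = hash('sha256', $key);
        $entry = $this->pending[$digest] ?? null;
        unset($this->pending[$digest]); // a key that was presented is spent
        if ($entry === null || $entry['order'] !== $orderId || $entry['expires'] < $now) {
            $this->log[] = ['critical', "Rejected cart key for order $orderId"];
            return false;
        }
        $session['cart_orders'][] = $orderId; // attach the cart to this session
        $this->log[] = ['info', "Attached order $orderId to session"];
        return true;
    }
}

// Constructed demo: key issued in one browser, return URL opened in another.
$keys = new CartReturnKeys();
$key = $keys->issue(42, 1000);
$otherBrowserSession = [];
var_dump($keys->redeem(42, 'not-the-key', 1001, $otherBrowserSession)); // wrong key
var_dump($keys->redeem(42, $key, 1002, $otherBrowserSession));          // first use
var_dump($keys->redeem(42, $key, 1003, $otherBrowserSession));          // replay
print_r($keys->log);
```

Because entries are looked up by the digest of the presented key, a wrong guess does not invalidate the customer's real key, while a replay of a spent key is rejected and logged like any other incorrect key.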
Comment #9
zaporylie