View Issue Details

ID: 0003370
Project: OXID eShop (all versions)
Category: 4.02. Session handling
View Status: public
Last Update: 2011-11-22 15:37
Reporter: steffifrost
Assigned To: (none)
Priority: urgent
Severity: major
Reproducibility: always
Status: resolved
Resolution: won't fix
Product Version: 4.4.8 revision 34028
Summary: 0003370: getSessionChallengeToken() - returns an empty string [Support-Ticket #1224857] AND [Bug Ticket 0003320]
Description:
Hi,

I put the key facts of 0003320 into this ticket, because you closed it as non-English before.
Please also have a look at support ticket #1224857 (prepared in English as well).
+ + + - - - + + + - - - + + + - - - + + + - - - + + + - - - + + + - - - + + + - - - + + + - - - + + +

Before the user is sent (with Mozilla 5) to PayPal, your user agent check recognizes the following user agent:

[HTTP_USER_AGENT] => Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C)

After finishing the payment process and returning to the shop, the SAME user (without closing or changing the browser) is recognized as:

[HTTP_USER_AGENT] => Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)

Result: OXID destroys the session.

+ + + - - - + + + - - - + + + - - - + + + - - - + + + - - - + + + - - - + + + - - - + + + - - - + + +

Thank you and best regards
Steffi
Tags: No tags attached.
Attached Files: modutilsserver.php (154 bytes)
Theme: Both
Browser: All
PHP Version: any
Database Version: any

Activities

svetlana

2011-11-16 15:20

reporter   ~0005389

Reminder sent to: steffifrost

Hi,
Could you please tell us which version of Paypal do you use?

steffifrost

2011-11-16 16:07

reporter   ~0005390

Hi Svetlana,
this bug report references https://bugs.oxid-esales.com/view.php?id=3320, which you closed as non-English. We reopened it as an English version because the reporter FC HB references our open support ticket #1224857 (I copied it for you at the end of this note *1). So finally I don't know which PayPal version is used, because we use Payon. Nevertheless I think it doesn't matter, because FC HB described a mistake in your user agent check.

For the sake of completeness: we use Payon request version 1.0.

*1) #1224857
[...] after upgrading from 4.2.0 to 4.4.8 we are struggling with the following problem: our credit card agency (Payon) does a callback to a specified URL when payment is done. Although we add the parameters "force_sid", "stoken" and "rtoken" with proper values to this callback URL, we are facing strange behaviour of "getSessionChallengeToken()" when the session is started: this method returns an empty string. We also checked that:
- sid stays the same
- oxsession::_isSwappedClient() returns false properly
It isn't a specific problem of the Payon system, because it worked fine before updating the eShop system. In addition, other customers recognized the same problems - original ticket: https://bugs.oxid-esales.com/view.php?id=3320 English version can be found here: https://bugs.oxid-esales.com/view.php?id=3370

arvydas_vapsva

2011-11-22 13:11

reporter   ~0005432

Last edited: 2011-11-22 13:13

As a quick fix, the agent check code which drops the session can be disabled. See the attached file. To install it:
- upload it to the modules folder using an FTP client;
- go to "admin > Master Settings > Core Settings > System > Modules";
- append "oxutilsserver => modutilsserver" to the modules list.

arvydas_vapsva

2011-11-22 13:13

reporter   ~0005433

Reminder sent to: steffifrost

Please check the last comment.

dainius.bigelis

2011-11-22 15:37

reporter   ~0005435

Reminder sent to: steffifrost

Hi,

This case in general is hard to handle, because the browser agent sent in the request can be changed even by the browser itself or by a proxy server. In general the best solution would be to change the behavior in the eShop so that the user is kept under SSL all the time once he logs into the shop or does any session-stored action, like adding an item to the basket. But for that more changes are needed in the default handling and templates. We have included this topic for more detailed discussion and will decide how to solve this case in the best way. For now, please use the module attached to the bug entry, which disables the browser agent check altogether.

Best regards,
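To make the failure mode discussed in this ticket concrete, the following is an added example and not OXID code or the attached modutilsserver.php: a minimal model of a session bound to the User-Agent header. It replays the two User-Agent strings quoted in the report (the same IE9 installation before and after the payment redirect, where compatibility view rewrites the Mozilla/ and MSIE tokens but leaves Trident/5.0 intact) plus a constructed third string for a different client. A strict string comparison destroys the session on the return from payment, exactly as reported; a hypothetical normalization that keys Internet Explorer on its Trident token and strips version numbers elsewhere keeps the legitimate session while still rejecting the other client. `Session`, `strict_fingerprint()`, `normalized_fingerprint()` and `simulate()` are names chosen for this example.

```python
"""Model of a User-Agent-bound session check (added example, not OXID code)."""
import re

# User-Agent strings quoted in the bug report: the same browser before and
# after the payment redirect (IE9 switching compatibility view).
UA_BEFORE = ("Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/5.0; SLCC2; "
             ".NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; "
             "Media Center PC 6.0; .NET4.0C)")
UA_AFTER = "Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)"
# Constructed string for an unrelated client (not from the report).
UA_OTHER = "Mozilla/5.0 (X11; Linux x86_64; rv:7.0.1) Gecko/20100101 Firefox/7.0.1"


def strict_fingerprint(ua: str) -> str:
    """Bind the session to the raw header: any change drops the session."""
    return ua


def normalized_fingerprint(ua: str) -> str:
    """Hypothetical normalization (this example's own idea, not OXID's).

    For Internet Explorer, compatibility view changes the Mozilla/ and MSIE
    tokens but not the Trident engine token, so key on Trident plus the OS.
    For other browsers, strip dotted version numbers so minor updates do not
    invalidate the session either.
    """
    trident = re.search(r"Trident/(\d+\.\d+)", ua)
    if trident:
        os_token = re.search(r"Windows NT \d+\.\d+", ua)
        return f"Trident/{trident.group(1)}; {os_token.group(0) if os_token else ''}"
    return re.sub(r"\d+(\.\d+)+", "x", ua)


class Session:
    """A server-side session that is bound to a client fingerprint at creation."""

    def __init__(self, sid: str, ua: str, fingerprint=strict_fingerprint):
        self.sid = sid
        self._fingerprint = fingerprint
        self._bound = fingerprint(ua)
        self.alive = True

    def check_request(self, ua: str) -> bool:
        """Accept the request, or destroy the session on a fingerprint mismatch."""
        if not self.alive:
            return False
        if self._fingerprint(ua) != self._bound:
            # This is the branch the report describes as "Oxid destroys the session".
            self.alive = False
            return False
        return True


def simulate(fingerprint) -> dict:
    """Replay the report's scenario and a different-client scenario."""
    shopper = Session("sid-1", UA_BEFORE, fingerprint)
    payment_return_accepted = shopper.check_request(UA_AFTER)

    victim = Session("sid-2", UA_BEFORE, fingerprint)
    other_client_rejected = not victim.check_request(UA_OTHER)

    return {
        "payment_return_accepted": payment_return_accepted,
        "other_client_rejected": other_client_rejected,
    }


if __name__ == "__main__":
    for name, fp in (("strict", strict_fingerprint), ("normalized", normalized_fingerprint)):
        print(name, simulate(fp))
```

The normalized variant only removes the false positive shown in this ticket; the User-Agent header is chosen by the client and, as noted in the last comment, may be rewritten by a proxy, so it cannot serve as a real second factor for the session. The options the thread actually offers are to disable the check (the attached module) or to keep the session under SSL once it carries state.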