View Issue Details

ID: 0006933
Project: module PayPal Plus
Category: module PayPal Plus - sub
View Status: public
Last Update: 2018-12-18 10:05
Reporter: naehwelt
Assigned To:
Priority: normal
Severity: minor
Reproducibility: always
Status: acknowledged
Resolution: open
Summary: 0006933: IE compatibility mode in PPP widget causes session swap when coming back to the shop
Description

ppp: 2.0.4
shop: 4.10.7

In the paypal-module this scenario works well, because of the **rtoken** parameter in all backlinks:

[oxid-esales/paypal-module oePayPalDispatcher::_getBaseUrl](https://github.com/OXID-eSales/paypal/blob/eb7d0ea23621696602bad3a767becfb3f0e8eb31/source/modules/oe/oepaypal/controllers/oepaypaldispatcher.php#L121)

workaround/fix:

```php
class paypPayPalPlusConfig extends paypPayPalPlusSuperCfg
{
    // ...

    /**
     * Get a clean base URL of an active (sub-)shop suitable to pass to PayPal API.
     *
     * @return string
     */
    public function getShopBaseLink()
    {
        // Added to the original method: append the session's remote access token so
        // oxSession::start accepts the returning client even if its user-agent changed.
        $remoteToken = oxRegistry::getSession()->getRemoteAccessToken();
        $url = $this->getShop()->getConfig()->getShopSecureHomeURL() . "rtoken={$remoteToken}&";

        // getShopSecureHomeURL() returns '&amp;'-escaped parameters; PayPal needs plain '&'.
        return (string) str_replace('&amp;', '&', $url);
    }

    // ...
}
```
Tags: No tags attached.

Activities

QA (administrator), 2018-12-17 13:25, ~0012743

Please let us know how to reproduce the behaviour you describe, as it is not clear exactly what is meant.

Step 1
Step 2
...

What should be replaced in your fix?

    return (string) str_replace('&amp;', '&', $url);

naehwelt (reporter), 2018-12-17 15:06, ~0012744

1.
Please take a closer look at the methods:

oxSession::_isSwappedClient
oxSession::_checkUserAgent
oxSession::getRemoteAccessToken

1. IE 11, OXID 4.10.7 (but I'm pretty sure it's also broken in the 6.x branch), PayPal Plus 2.0.4, enable debug mode
2. drop some items in the basket => index.php?cl=payment
3. select any paypalplus payment method => continue
4. now you should be forwarded to the paypal payment page: https://www.paypal.com/webapps/hermes?country=DE&useraction=continue&token=...&country.x=DE&locale.x=de_DE
5. here you are automatically switched to compatibility mode (your browser now sends a modified user-agent header)
6. click on the cancel button or any other backlink to your shop
7. back in your shop, oxSession::start detects that your user-agent header has changed and initializes a new session

The workaround/fix is to add an rtoken parameter to all relevant URLs of PayPal\Api\RedirectUrls.
The method oxSession::getRemoteAccessToken and its counterpart oxSession::_isValidRemoteAccessToken seem to be implemented
exactly for this edge case. This approach is successfully used in the paypal-module, but not yet in the paypalplus-module.


2.
Nothing should be replaced. The parameter "rtoken={$remoteToken}&" should be added to the base URL.
Just compare my method with the original one (paypPayPalPlusConfig::getShopBaseLink).
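As an added illustration (not OXID's or the PayPal Plus module's code), a stripped-down model of the check the steps above describe: the session is bound to the user-agent seen at start, a changed user-agent counts as a swapped client and gets a fresh session, and a valid rtoken in the backlink is the one thing that lets the original session survive. The class, its method names and the two user-agent strings are constructed for this example.

```php
<?php
// Added illustration, not OXID's or the module's code: a minimal model of the
// user-agent swap check and the rtoken bypass the report describes.
final class SessionSwapGuard
{
    private array $uaFingerprint = []; // sid => sha256 of the user-agent at start
    private array $remoteToken = [];   // sid => token, like oxSession::getRemoteAccessToken

    // Start a fresh session bound to the current user-agent header.
    public function start(string $userAgent): string
    {
        $sid = bin2hex(random_bytes(16));
        $this->uaFingerprint[$sid] = hash('sha256', $userAgent);
        return $sid;
    }

    // Issue the token that lets a return visit with a changed user-agent keep its session.
    public function getRemoteAccessToken(string $sid): string
    {
        $this->remoteToken[$sid] ??= bin2hex(random_bytes(16));
        return $this->remoteToken[$sid];
    }

    // Resume $sid for a request with $userAgent. As in oxSession::start, a changed user-agent
    // means a swapped client and a new session, unless a valid rtoken proves it is the same customer.
    public function resume(string $sid, string $userAgent, ?string $rtoken): string
    {
        if (!isset($this->uaFingerprint[$sid])) {
            return $this->start($userAgent);
        }
        $sameAgent = hash_equals($this->uaFingerprint[$sid], hash('sha256', $userAgent));
        $validToken = $rtoken !== null && isset($this->remoteToken[$sid])
            && hash_equals($this->remoteToken[$sid], $rtoken);
        return ($sameAgent || $validToken) ? $sid : $this->start($userAgent);
    }
}

// Constructed user-agent strings (not real captures): IE 11 before and after
// it switches to compatibility mode on the PayPal page.
$uaIe11 = 'Mozilla/5.0 (Windows NT 10.0; Trident/7.0; rv:11.0) like Gecko';
$uaCompat = 'Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; Trident/7.0)';
$guard = new SessionSwapGuard();
$sid = $guard->start($uaIe11);                 // customer fills the basket
$rtoken = $guard->getRemoteAccessToken($sid);  // would be appended to the PayPal return URLs
// Backlink without rtoken (PayPal Plus 2.0.4): the session is swapped and the basket is gone.
$swappedWithout = $guard->resume($sid, $uaCompat, null) !== $sid;
// Backlink with rtoken (the proposed fix): the original session survives.
$swappedWith = $guard->resume($sid, $uaCompat, $rtoken) !== $sid;
printf("swapped without rtoken: %s\n", $swappedWithout ? 'yes' : 'no');
printf("swapped with rtoken:    %s\n", $swappedWith ? 'yes' : 'no');
```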