View Issue Details

IDProjectCategoryView StatusLast Update
0006933module PayPal Plusmodule PayPal Plus - subpublic2018-12-18 10:05
Status acknowledgedResolutionopen 
Product Version 
Target VersionFixed in Version 
Summary0006933: IE compatibility mode in PPP widget causes session swap by coming back to shop
Descriptionppp: 2.0.4
shop: 4.10.7

In the paypal-modul this scenario works well, because of **rtoken** parameter in all backlinks:

[oxid-esales/paypal-module oePayPalDispatcher::_getBaseUrl](


class paypPayPalPlusConfig extends paypPayPalPlusSuperCfg


     * Get a clean base URL of an active (sub-)shop suitable to pass to PayPal API.
     * @return string
    public function getShopBaseLink()
        $remoteToken = oxRegistry::getSession()->getRemoteAccessToken();
        $url = $this->getShop()->getConfig()->getShopSecureHomeURL() . "rtoken={$remoteToken}&";
        return (string) str_replace('&', '&', $url);

TagsNo tags attached.



2018-12-17 13:25

administrator   ~0012743

Please let us know how to reproduce the behaviour you describe, as it is not clear exactly what is meant.


What should be replaced in your fix?
   return (string) str_replace('&', '&', $url);


2018-12-17 15:06

reporter   ~0012744

please take a closer look to the methods:


1. IE 11, oxid 4.10.7 (but i'm pretty sure its also broken in the 6x branch), paypalplus 2.0.4, enable debug mode
2. drop some items in the basket => index.php?cl=payment
3. select any paypalplus payment method => continue
4. now you should be forwarded to the paypal payment page:
5. here you will be automatically switched to the compatibility mode (your browser sends now a modified user-agent header)
6. click on the cancel button or any other backlink to your shop
7. back to your shop, the oxSession::start will detect that your user-agent header has changed and will initialize a new session

The workaround/fix is to add a rtoken parameter to all relevant urls of PayPal\Api\RedirectUrls.
The method oxSession::getRemoteAccessToken and its counterpart oxSession::_isValidRemoteAccessToken seem to be implemented
exactly for this edge case. This approach is successfully used in the paypal-module, but not yet in the paypalplus-module.

Nothing should be replaced. The parameter "rtoken={$remoteToken}&" should be added to the base url.
Just compare my method with the original one (paypPayPalPlusConfig::getShopBaseLink) .