Callbacks from a payment gateway

[kmdev]

Sorry if this is the wrong forum, but I couldn't find a general development forum...

I am building a payment extension for a gateway that uses a hosted payment page (so no collecting card details within zencart)

I can get the data posted over to the gateway, which can then collect the card details and authorize the transaction. Part of the auth process is that the results are sent back using a server-to-server callback method, not via the customers browser. The customer is returned to the site after the callback has completed.

I'm trying to use a callback URL like the following:

http://www.localhost.com/index.php?main_page=checkout_process&zenid=kk0mnfomq96lqimsifv3sgdb80

but that always gets a 302 results, with the details indicating that the session has timed out. The session has not timed out, as when the browser returns to

http://www.localhost.com/index.php?main_page=checkout_success&zenid=kk0mnfomq96lqimsifv3sgdb80

after the callback is made, that continues saying 'thanks for the order' etc (although the order process has not actually been completed)

The URL given by the redirect is:

Location: http://www.localhost.com/index.php?main_page=time_out&zenid=qbbe2hkok23fopavd3882amaq4

What can I do to get the checkout_process callback to actually work and call the payment module, rather than give this timeout error. Clearly the session has not actually timed-out, but I just can't get past this stage. Are there some extra params I need to add to the callback URL?

Thanks for any help, this has been driving me mad all day...

[DrByte]

1. You can't do a callback from an external location to "localhost" and have it reach your internal computer.

2. What you're attempting to do by passing the zenid in the URL is session hijacking. Really not a good thing to be doing. Probably triggering security checks and thus the timeout.

A callback should do a background process. It should NEVER hijack an active session already running between the customer's browser and the active store.

Instead, write some background logic to receive the callback notification and store some sort of validation code. Then when the original customer browser session is returned back to checkout_process it can fire the after_process() method and check that the expected validation code is truly valid and hasn't been spoofed by some hacker trying to trick the disconnected systems, and then finally proceed on to checkout_success (which it normally does after the after_process() method completes).

Offsite "hosted payment" services are nice insomuch as they leave the credit-card work to the hosted site. But YOU have to be VERY careful that what you do when interacting with such a service doesn't leave your site open to serious fraud issues. Make sure EVERYTHING is validated before EVER accepting any data back from either site of a callback without checking that BOTH sides have the expected info, and that neither could be hacked or spoofed merely by studying the code.

Using "hosted payment" services is NOT a magic pill. Way too many people think they're somehow the best thing since sliced bread, and smugly sit blind to the truth because they've been sold a (bad) bill of goods. They can actually be very dangerous if implemented incorrectly.

[kmdev]

The domain shown (www.localhost.com) is just a dummy address for this question, not the real domain...

What URL should actually be used for the callback then - I can't find any documentation anywhere on this, so when you say 'write some background logic' can you give any examples of how to do this. How can I pass params back that allow ZenCart to know which payment process module to use.

I'm not trying to address issues to do with data security (all that is well taken care off, using proper hashing and other checks) or get into any rights or wrongs about different payment methods... What I'm trying to find out exactly how to do the callback method in ZenCart.

I have done this in the past with other systems (such as Magento and CS-Cart) and have never ran into these sort of problems dealing with callbacks.

As the modules directory etc is restricted for direct access, I can't directly go to any new php file that could be created for this - how can I pass a value back to ZenCart that will get it to load and execute a specific php file - and then try and use that to update the order details before the browser is sent back to the site?

[vasaiflowers.com]

Any luck with this?

[palm]

I think the 'timeout' error is misleading.

We had this exact same problem with our callback 'timing out' - the problem we found in the end was added lines on some of our PHP files.

The SOLUTION was removing these added blank lines from the edited PHP files.

I am not sure which exact PHP files were edited, but this common problem of using an editor that adds blank lines to the end of a PHP file such as configure.php was the problem.

We wasted a couple of days with the misleading time out error. It does seem bizarre that adding blank lines to a PHP file should cause Zencart to fall over!

Hope this helps others.

[DrByte]

Blank lines after a closing ?> tag in a file will cause output to the browser, which prevents the ability for the code to do things it needs to do before any output is generated.

It's not Zen Cart "falling over" as much as it is bad practice by whomever is editing the files and leaving extra junk behind.

ref: https://www.zen-cart.com/tutorials/i...hp?article=313
and
https://www.zen-cart.com/tutorials/index.php?article=87

[palm]

What would be good is a built in utility in ZenCart that can scan all your PHP files to see if any file has any whitespace/blank lines after the files last ?>

This surely would be a huge help to many?