Hi. We recently saw a duplicate order get authorized by Authorize.net. In tracing the issue some questions have come up.
I see that a random six letter string is appended to the order_id ('x_invoice_num') when submitting a transaction to Authorize.net. I see in the code in '/includes/modules/payment/authorizenet_aim.php' a comment that says it's 'unwise' to submit duplicate order ids to Authorize.net.
However it appears to me that appending the random string thwarts Authorize.net's built-in duplicate order prevention scheme as Authorize.net sees each order as unique based on the unique order_id/x_invoice_num, even if they are indeed duplicates (see http://www.authorize.net/kb.asp?page...p%3Fkbid%3D381 for more detail). It seems we're circumventing a valuable feature of Authorize.net.
Further, it's not clear to me why it's 'unwise' to submit a duplicate 'x_invoice_num' but in any event am I correct in assuming that the only circumstance where this would occur is where two orders are submitted simultaneously (or, more precisely, within the time frame of when we post to Authorize.net, get the return value, and insert the new order in the orders tables)? From my reading of the Authorize.net kb article, two transactions with the same 'x_invoice_num' value would be considered distinct if any of the other fields they validate are distinct.
With this in mind I am considering modifying the authorizenet_aim.php module to remove the random string. I believe this will prevent duplicate orders from being authorized at the gateway. However, before making this mod, I'd like to get some feedback from the community.
By the way, I am adding new javascript code, as seen in this post (https://www.zen-cart.com/forum/showt...t=95195&page=4) to disable the submit image button during post.
To sum up, why is it 'unwise' to submit the order_id/x_invoice_num without the random string appended? What's the risk in removing the random string appended to the order_id/x_invoice_num?
Thanks.
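Added example, not part of the original post and not code from Zen Cart or Authorize.net: a simplified model of a gateway-side duplicate check, showing how a random suffix on `x_invoice_num` changes the outcome of a double submit. The compared field list, the 120-second window, the `-` separator before the suffix and all sample values are assumptions made for this model; the gateway's KB article defines the real behaviour.

```python
import hashlib
import random
import string

# Assumptions for this model only (not taken from the gateway documentation).
WINDOW_SECONDS = 120
COMPARED_FIELDS = ("x_login", "x_card_num", "x_amount", "x_invoice_num")


def fingerprint(txn):
    """Hash the compared fields so identical submissions map to one key."""
    joined = "\x1f".join(str(txn.get(f, "")) for f in COMPARED_FIELDS)
    return hashlib.sha256(joined.encode()).hexdigest()


class GatewayModel:
    """Rejects a submission whose fingerprint was accepted inside the window."""

    def __init__(self, window=WINDOW_SECONDS):
        self.window = window
        self._seen = {}  # fingerprint -> time of last accepted submission

    def submit(self, txn, now):
        fp = fingerprint(txn)
        last = self._seen.get(fp)
        if last is not None and now - last < self.window:
            return "duplicate"
        self._seen[fp] = now
        return "approved"


def with_random_suffix(order_id, rng):
    """Append six random letters, as the post describes the module doing."""
    suffix = "".join(rng.choice(string.ascii_lowercase) for _ in range(6))
    return f"{order_id}-{suffix}"  # separator is an assumption


def double_submit(use_suffix, second_amount="49.95", gap=5):
    """Submit the same order twice, `gap` seconds apart; return both results."""
    gateway = GatewayModel()
    rng = random.Random(1)  # seeded so the run is repeatable
    results = []
    for now, amount in ((0, "49.95"), (gap, second_amount)):
        invoice = with_random_suffix("1042", rng) if use_suffix else "1042"
        txn = {"x_login": "merchant-demo",          # constructed sample values
               "x_card_num": "4111111111111111",
               "x_amount": amount, "x_invoice_num": invoice}
        results.append(gateway.submit(txn, now))
    return results
```

In this model a plain order id only blocks the second submit when every compared field matches and it arrives inside the window; a different amount or a later retry is still approved.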