Session Expires when returning from Payment Gateway for a second time

[RickyDicky]

Hi,

I am having issues with the Paystation Module. After correctly installing and setting up the module I receive the same error with all attempted transactions.

When "Confirm Order" is selected on the final checkout page (Page 3 of 3) I am redirected back to the Payment Information Page (Page 2 of 3) with the error "Paystation returned with the following error:".

I have also tried using the DPS Zen cart mod, which returned a similar error, directing me back to Page 2. However, now when I enable DPS PxPay it does not even appear in the list of payment choices...

As both modules are failing, in very similar ways I am guessing that this is probably not and issue with Paystation or DPS, but an issue with my installation of zen cart.

Any help/pointers in the right direction would be greatly appreciated as i'm stumped

Running Zen Cart 1.5.1, Tableau Theme, Various Addons installed

[RickyDicky]

Hmm no responses...

I have been trying to work this out for a couple of days now with no joy I have been trying to recreate the issue on a new instance of Zen Cart, but am struggling. Totally baffled.

Any ideas anyone? Is it likely to be caused by two or more modules not being compatible?

[RickyDicky]

I am having an issue with the Paystation payment module and my cart, although I am not confident that it is an issue with the module.

When a customer places and order, proceeds to the payment gateway and enters details which fail (e.g. insufficient funds) they are returned to the checkout page. This is fine and works as it should, but when the customer then goes to pay again and enters correct details their account is charged and instead of returning to the checkout success page they are directed to the session expired/log in timeout page.

Anyone have any ideas as to why the session is expiring. I have tried a few things, such as making sure suhosin is not enabled and various different settings in admin/config/sessions to no avail.

The return url set at my gateway is http://www.mywebsite.co.nz/index.php...eckout_success which I believe is correct as it works the first time.

[RickyDicky]

Hmm, I still haven't got anywhere with this. I have tried a few more ideas that have been gained from reading, but with no joy. I thought it may be an issue with the php config, but alas.

Can anybody shine any light on to how the timeout process works? What can cause it, apart from lapsed time? Is it a security thing?

Also, could this be to do with SSL certs? I do not currently have one installed, but find it hard to imagine this would be the problem as the transaction works the first time.

Thanks for any help/advice.

[lat9]

I'm not familiar with your payment method, but the usual return URL for a successful payment is https://www.yoursite.com/index.php?m...eckout_process.

[RickyDicky]

Thanks for the response. The return URL has been changed, but I am still experiencing the issue.

I have been looking at the cookies generated in hope of finding a solution, but again to no avail. When the timeout occurs the cookie contsainging the zenid is still present, and valid. Are session timeouts controlled by cookies? or have I got the wrognt end of the stick here?

I have also installed SSL certs just encase that was causing the problem.
Here is my admin/config/sessions:

Session Directory /var/www/zencart/cache
Cookie Domain True
Force Cookie Use False
Check SSL Session ID False
Check User Agent False
Check IP Address False
Prevent Spider Sessions True
Recreate Session True
IP to Host Conversion Status true
Use root path for cookie path False
Add period prefix to cookie domain False

This all looks good to me, but maybe someone can spot something...

[RickyDicky]

If you wish to recreate the issue then follow these step:
go to the site www.akin.co.nz
place an order for an item that will fail (any item that ends .99 will fail as part of the testing environment)
follow the checkout all the way to the Error stage
choose to pay again
enter payment details again
session will timeout on return

For testing please use these card details:
[Mastercard]
card number=5123456789012346
expiry date=0517
CSC: 100

Note that any order that ends in .99cents with fail. For success an order must end in .00 (the item Test is $1.00)

Hope this helps to make the issue clearer.

[DrByte]

...but when the customer then goes to pay again and enters correct details their account is charged and instead of returning to the checkout success page they are directed to the session expired/log in timeout page.

Are they *really* only hitting the checkout_process page 2 times? Or is the system (including any background things the paystation module is doing) actually triggering more than 3 hits to the page?

There's a credit-card-slamming protection in checkout which logs the customer out if they've failed payment more than 3 times.
(And ya, hackers love it when I divulge this tasty fact publicly like this so they can find ways to exploit it.)

Try changing the 3 to 10 in this line (around line 38 likely) in /includes/modules/checkout_process.php:

Code:

if ($_SESSION['payment_attempt'] > 3) {

[RickyDicky]

Tada! Thanks so much, your a star.

Sorry for making you divulge secrets :/

Is it secure to leave this set to 10? I will probably set it to 5 for production anyway. I am guessing it would just make it more vulnerable to a brute force attack, and I don't imagine someone cracking it particualy easily, even if they can try 5 times before timeout.

Thanks again!

[DrByte]

They're not trying to crack your site. They're "slamming" ... which means they're taking their stolen credit card numbers and using your site to test whether they can be charged ... and you pay a fee for every attempted credit card check your site visitors make.

You can set the number to whatever you like. The number simply slows down the abuse by forcing a logout and the need to start all over again in their shopping attempt.