Duplicate transactions authorize.net AIM

[badarac]

Client running the following environment:

HTML Code:

Server OS: Linux 3.12.52-20160119.106.ELK6.x86_64    	Database: MySQL 5.5.42-37.1-log
HTTP Server: Apache
PHP Version: 5.2.17 (Zend: 2.2.0)

The client is reporting occasional duplicate transactions using Authorize.net. I have debug on and can provide the transaction logs which were written 18 seconds apart. Here is a redacted log from the server.

Code:

[08/Aug/2016:05:50:29 -0600] "GET /includes/templates/cmt/buttons/english/button_change_address.gif HTTP/1.1" 200 900 "https://www.domain.com/index.php?main_page=checkout_shipping" "Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko"
 [08/Aug/2016:05:50:29 -0600] "GET /includes/templates/cmt/buttons/english/button_continue_checkout.gif HTTP/1.1" 200 2197 "https://www.domain.com/index.php?main_page=checkout_shipping" "Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko"
 [08/Aug/2016:05:50:38 -0600] "POST /index.php?main_page=checkout_shipping HTTP/1.1" 302 863 "https://www.domain.com/index.php?main_page=checkout_shipping" "Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko"
 [08/Aug/2016:05:50:40 -0600] "GET /index.php?main_page=checkout_payment HTTP/1.1" 200 12522 "https://www.domain.com/index.php?main_page=checkout_shipping" "Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko"
 [08/Aug/2016:05:50:40 -0600] "GET /includes/templates/cmt/images/icons/cc1.gif HTTP/1.1" 200 1061 "https://www.domain.com/index.php?main_page=checkout_payment" "Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko"
 [08/Aug/2016:05:50:40 -0600] "GET /includes/templates/cmt/images/icons/cc2.gif HTTP/1.1" 200 1253 "https://www.domain.com/index.php?main_page=checkout_payment" "Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko"
 [08/Aug/2016:05:50:40 -0600] "GET /includes/templates/cmt/images/icons/cc5.gif HTTP/1.1" 200 1509 "https://www.domain.com/index.php?main_page=checkout_payment" "Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko"
 [08/Aug/2016:05:51:55 -0600] "POST /index.php?main_page=checkout_confirmation HTTP/1.1" 302 1297 "https://www.domain.com/index.php?main_page=checkout_payment" "Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko"
 [08/Aug/2016:05:51:56 -0600] "GET /index.php?main_page=checkout_payment HTTP/1.1" 200 12505 "https://www.domain.com/index.php?main_page=checkout_payment" "Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko"
 [08/Aug/2016:05:51:56 -0600] "GET /includes/templates/cmt/images/icons/error.gif HTTP/1.1" 200 916 "https://www.domain.com/index.php?main_page=checkout_payment" "Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko"
 [08/Aug/2016:05:52:23 -0600] "-" 408 193 "-" "-"
 [08/Aug/2016:05:52:23 -0600] "POST /index.php?main_page=checkout_confirmation HTTP/1.1" 200 11767 "https://www.domain.com/index.php?main_page=checkout_payment" "Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko"
 [08/Aug/2016:05:52:24 -0600] "GET /includes/templates/cmt/buttons/english/small_edit.gif HTTP/1.1" 200 740 "https://www.domain.com/index.php?main_page=checkout_confirmation" "Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko"
 [08/Aug/2016:05:52:24 -0600] "GET /includes/templates/cmt/buttons/english/button_confirm_order.gif HTTP/1.1" 200 1973 "https://www.domain.com/index.php?main_page=checkout_confirmation" "Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko"
 [08/Aug/2016:05:52:29 -0600] "POST /index.php?main_page=checkout_process HTTP/1.1" 302 167 "https://www.domain.com/index.php?main_page=checkout_confirmation" "Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko"
 [08/Aug/2016:05:52:47 -0600] "POST /index.php?main_page=checkout_process HTTP/1.1" 302 1244 "https://www.domain.com/index.php?main_page=checkout_confirmation" "Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko"
 [08/Aug/2016:05:53:08 -0600] "GET /index.php?main_page=checkout_success&zenid=removed HTTP/1.1" 200 10858 "https://www.domain.com/index.php?main_page=checkout_confirmation" "Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko"
 [08/Aug/2016:05:53:09 -0600] "GET /includes/templates/cmt/buttons/english/button_logoff.gif HTTP/1.1" 200 1476 "https://www.domain.com/index.php?main_page=checkout_success&zenid=removed " "Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko"
 [08/Aug/2016:05:53:09 -0600] "GET /includes/templates/cmt/buttons/english/button_update.gif HTTP/1.1" 200 1476 "https://www.domain.com/index.php?main_page=checkout_success&zenid=removed " "Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko"
 [08/Aug/2016:05:53:43 -0600] "-" 408 193 "-" "-"

Any thoughts?

[DrByte]

"POST main_page=checkout_shipping" 302 863 "main_page=checkout_shipping" "GET main_page=checkout_payment" 200 12522 "main_page=checkout_shipping"
"POST main_page=checkout_confirmation" 302 1297 "main_page=checkout_payment"
"GET main_page=checkout_payment" 200 12505 "main_page=checkout_payment"
"POST main_page=checkout_confirmation" 200 11767 "main_page=checkout_payment"
"POST main_page=checkout_process" 302 167 "main_page=checkout_confirmation"
"POST main_page=checkout_process" 302 1244 "main_page=checkout_confirmation"
"GET main_page=checkout_success&zenid=removed" 200 10858 "main_page=checkout_confirmation"

The two hits to checkout_process are triggered by an action on checkout_confirmation. And the 99% likely cause of that is the customer clicking the Submit button a 2nd time, presumably because it seemed to not be completing.

The default ZC template disables the checkout_confirmation submit button upon clicking it, but some addon templates/javascript break that and thus allow the user to click submit multiple times thus triggering multiple payments.


I recommend both of the following:
a) fix the disable-submit-button-on-click (or rewrite it to work with your custom template)
b) given that you said this site is using the old v1.5.1 version it might be encountering timeouts with Authorize.net's conversion to new server systems. They'd initially said the rollout wouldn't require changing the URL, but then changed their mind about the rollout schedule, so maybe your old site is having delays processing payments because it's using the old URL. You can change it as shown here: https://github.com/zencart/zencart/pull/997/files

[badarac]

The two hits to checkout_process are triggered by an action on checkout_confirmation. And the 99% likely cause of that is the customer clicking the Submit button a 2nd time, presumably because it seemed to not be completing.

The default ZC template disables the checkout_confirmation submit button upon clicking it, but some addon templates/javascript break that and thus allow the user to click submit multiple times thus triggering multiple payments.

This site is using an unmodified checkout_confirmation_default.php from the template_default shipped with 1.5.1. It contains the onsubmit="submitonce();" and that is in the javascript in modules/pages/checkout_confirmation. It looks like the timeout is set to 4 seconds. Is there any downside to setting it to something higher like 20 seconds? I suspect that the reason this is such an intermittent problem is that there are performance issues on this hosting account.

I recommend both of the following:
a) fix the disable-submit-button-on-click (or rewrite it to work with your custom template)
b) given that you said this site is using the old v1.5.1 version it might be encountering timeouts with Authorize.net's conversion to new server systems. They'd initially said the rollout wouldn't require changing the URL, but then changed their mind about the rollout schedule, so maybe your old site is having delays processing payments because it's using the old URL. You can change it as shown here: https://github.com/zencart/zencart/pull/997/files

The url was already changed but I did notice a big difference in the line numbers. I'm assuming what you pointed me to was the source for 1.5.5 and that accounts for the difference. Anything about that I should worry about?

[mc12345678]

I'm not chiming in on the worry or not part at this point, but the fact that the latest ZC version reportedly works in an environment such as this, any such worry could be resolved by upgrading the site with the added suggestion to then upgrade the php version after the software/database upgrade.

[lat9]

I came across a couple of issues with a.net/AIM's handling in ZC 1.5.5a on my way to "One-Page Checkout". One, for instance, is that there's an incorrect jQuery selector in the checkout_payment page, so the form could be submitted twice since the submit-button's not disabled on-click.

Remember, too, that the "accepts card data on-site" handling for a.net/AIM was introduced in Zen Cart 1.5.4. A "properly working" a.net/AIM transaction never "sees" the checkout_confirmation page; the confirmation is handled by the in-page (on checkout_payment) AJAX confirmation.

[badarac]

I'm not chiming in on the worry or not part at this point, but the fact that the latest ZC version reportedly works in an environment such as this, any such worry could be resolved by upgrading the site with the added suggestion to then upgrade the php version after the software/database upgrade.

Yup I know it's back level but it's not my website. I just fix it when it breaks. If this is a problem with a lousy hosting account upgrading to 1.5.5a might not solve the problem and an upgrade to php 7 might not be possible.

[badarac]

I came across a couple of issues with a.net/AIM's handling in ZC 1.5.5a on my way to "One-Page Checkout". One, for instance, is that there's an incorrect jQuery selector in the checkout_payment page, so the form could be submitted twice since the submit-button's not disabled on-click.

Remember, too, that the "accepts card data on-site" handling for a.net/AIM was introduced in Zen Cart 1.5.4. A "properly working" a.net/AIM transaction never "sees" the checkout_confirmation page; the confirmation is handled by the in-page (on checkout_payment) AJAX confirmation.

Thanks I'll keep that in mind on newer builds. Since 1.5.1 keys on btn_submit that shouldn't be an issue here. I changed the timing to 20 seconds and it seems to be working fine on the site so far. I'll update after it's run for a while with the results.

[mc12345678]

Yup I know it's back level but it's not my website. I just fix it when it breaks. If this is a problem with a lousy hosting account upgrading to 1.5.5a might not solve the problem and an upgrade to php 7 might not be possible.

Understood. Was thinking even 5.5 or 5.6 for php version. Better than 5.2. :)

[badarac]

Understood. Was thinking even 5.5 or 5.6 for php version. Better than 5.2. :)

Agreed. I'm surprised the hosting company hasn't pushed them to go to a higher level but...

[DrByte]

It's usually better to upgrade "now" while it's not being "forced upon them" due to a sudden unannounced PHP change, etc.


Glad you found a workaround to your immediate presenting problem.