Here is the situation. My company has an e-commerce store, but we don't gather or process credit card information ourselves. When a user selects "Pay with credit card", they are immediately taken to the payment site, and then that site processes their credit card and sends the status back to us so that the order can be marked paid. Our site runs on ColdFusion, and it receives the data from the site as form data, processes the form variables, and creates an order for the customer, marked as paid. The credit card site only sends the information once, and there is no "handshake".
In the last month and a half we have been having an issue where occasionally we are not getting the information from the credit card processing site, although they say they have sent it. Hence orders are not being created, and products are sitting in customers' carts, even though the credit card has been charged. This problem is intermittent. We can't tie it to any server changes on our side, and the credit card site denies changes on their side.
So among the things we are trying to do is to log when the customers are actually trying to pay by credit card (so we can catch the missed ones more easily). So I want to somehow log the event when someone clicks "Pay with credit card." Issue is that form action submits the data to the credit card site. The only way I can think of to do this, is to change the form action to a page on our site, log the payment attempt, and then submit the form again to the credit card company. I know I can submit a form automatically with JavaScript, but that seems like a bad solution (what if JS is turned off?), but don't know how it would be possible to do server-side.
Please try to avoid solutions that involve AJAX if possible, as I know very little about it (I am a very rookie web developer in general, and just inherited this whole set-up).
Better solutions for how to log this event, or suggestions in general for this mess, will be greatly appreciated!
Responses to comments:
To Sam Dufel:
Would love to change to another provider like Paypal. Unfortunately my company is actually part of a university and we all have to use the same payment gateway.
To flup:
Would using a 301 or 302 status code preserve the form data? I tried looking this up, and it looks like it works with "get", but I need it to be sent with "post", since that is what the payment gateway is expecting.
To imthepitts:
We receive it as form data.
To Revent:
The issue is that orders aren't getting created at all (so customer and order information is just sitting in the temporary basket/customer/order tables). It seems like the page that is supposed to process the form data from the payment gateway isn't being accessed. I have added some logging to that page, but my company is so freaked out that they have disabled credit card payments and so I am not getting any data. If I can convince them that I have implemented a good logging solution to identify bugged orders quickly, they will turn it back on.
To Laksma:
We are using a unique identifier that is sent back. What I meant by handshake is some way of the payment gateway verifying that they have made a connection with our server. Maybe I was using the word incorrectly. Thank you for the suggestion of the log on the receiving page- I have added that.
To Nenotlep:
I know I said no AJAX, but I would like to hear more about your idea. Would the call to the logging page interfere with the form submission at all? I'm assuming it would be set up so that the function would trigger on the "onclick" event for the form button, and then form submission would proceed as normal? If it is easy to set up, then maybe that would be a good way of doing it.
I'm thinking of trying Sanjeev's solution, since that is similar to what I was planning to do anyway, but I actually would like to hear more about the AJAX idea if it is really that simple, mainly because it won't change the customer experience at all (unlike seeing the redirecting screen).
Additional response to steve:
I appreciate your input, and normally I love teaching myself new things, but I am just way too overwhelmed right now to even think about tackling a new technology.
I work on a payment gateway and had the same problem as yours. This was my solution -
Post the values to a intermediate page called as 'requestHandler.cfm'.
requestHandler.cfm saves the values into database table.
Continue to creates a <form> with all the required values as <input hidden>. Place a submit button and also JavaScript to fire 'submit' in say 2 seconds. Also put a note that, "If the page does not refresh in some time, click the submit button". As you are not going to do any validation on the form, a 'submit' button will just submit the form with or without JavaScript being active.
The Creditcard company will process the information and reply back with the values to a 'responseHandler.cfm' page.
I shall update my data based on the 'primarykeyvalue' sent to them. (Or just any reference that can identify the user)
Database table sample
The TransactionID will be '0' by default and will change to the number given by the credit card company
The paid flag which is default 'N' shall change to 'Y'
The Actual amount is what I have sent to be charged on the user credit card.
The Paid Amount should match the actual amount. This is to help me find if the details are tampered in any case by the user or middle man.
Handshake:
When a user is taken to the payment site, you should include a unique identifier to distingush the order, such as OrderID. Your payment provider must have some custom fields for your own use. Then, when the user is taken back to your site, the payment site response data should include the OrderID. That way you can match them. In other words, "handshake" is occured.
Intermittent successful payment:
On the listener, the page where the payment provider returns form data, you should implement a log to record from where the page is called and what data is sent.
"... is to change the form action to a page on our site, log the payment attempt, and then submit the form again to the credit card company." This is a doable solution.
Related
An order confirmation email is sent for canceled/failed payments
User reach to the payment gateway, when reached to the cart after selecting final and reach to the payment page and user cancel the order but a successful email sent to the user did somebody face this issue before my open cart version 3.0
didn`t check the code yet, please tell me,
2) My website home page icons change into some encrypted boxes whenever some body visit my website first time later on user go in and visit some other pages and revisit the website home page, icons looks fine ,i refer so many links, even try to make changes in .htaccess file as well but nothing works,is there any way that i can fix it,i am providing my website site link,if you want because this issue never comes on local server,enter image description here,enter image description here
First thing that comes to mind is the order states options (system -> settings -> options). What state do the orders get when a payment is cancelled? Is the state unchecked for the 'order ready' states in the options?
This mainly depends on payment extension. Payment extension is responsible of setting correct order_status_id depending from 'error', 'failed', 'not completed' methods.
Sometimes, payment module has incorrect return callback links.
Again, check payment module methods.
On the site that I'm developing we need to track the last visited page for each user (users login to the site). What's the best way to do this? We are already using a custom profile so adding a new field is easy. The site will not have a lot of traffic so updating this field wont be an issue, i think. Are there better ideas? Does sitecore already offers something that we can possible use?
OMS has a "Top Exit Pages" report by default... but that is tracked across sessions, not users.
A good IIS log parser should also be able to give you this information... again, that would be by session (or IP) and not logged in user.
If you really want to get every exit page AND filter by logged in user... what I would do is add a new pipeline processor to httpRequestBegin, and place it after the ItemResolver. Then save the Item.Paths.Path. I would advise against writing this data to the user Profile if you are using the default ASP.NET Profile handler and you have a decent amount of traffic, because it is highly inefficient. Roll your own simple storage solution here, or just dump the data to a log.
My first question would be: Why do you need only the last visited page of the user? What are you trying to determine?
In a lot of cases, you are probably starting down an analytics route, or perhaps even trying to drive some marketing.
If the analytics is what you are going for, you can probably just pop an event out to your google analytics account with the current username as an event variable to allow you to look at analytics by user and by page. Alternatively, you could use the Sitecore OMS/DMS features for tracking all that data and looking at the analytics there.
If you are looking at driving marketing, you probably want to use OMS/DMS, especially if you want to start getting into personalization or engagement plans. OMS/DMS will track user activity, and all the pages they visit, though not by user account. With some customizations, you can probably add that data in, but it will depend on what you are trying to use the information for. The username may not be what is important to you.
If, however, you just want to know what page to send the user back to after logging them in, it would be better to just store that in session or pass as a post parameter if session is not a viable option for you.
I need to be able to pass identifying information through to Authorize.net's server so I can use this information when the confirmation comes back for logging purposes. We have information such as IDs for the items we sell on our site, and I'd like to have Authorize.net's response include this information to plug into our database along with the rest of the transaction data that Authorize.net's API natively supplies. Sort of like "merchant-private-data" in Google Checkout carts.
The only field I see that doesn't hold some other specific information in Authorize.net's API is x_description. My question is does the data in x_description get displayed to the customer at any point? The information I'd like to include is sensitive and not for customer's eyes. I've been over the API documentation provided by Authorize.net and it's not clear to me what is done with this field.
If this field is not private, is there a better solution to my problem which I am not seeing?
Dig through their list of API fields and see what you can use. If you want to build a list of line items, for example, look at their x_line_item field. If you're using the AIM/CIM SDK and not telling Authorize.net to e-mail a receipt then I don't see how the customer would see anything you submit to Authorize.net besides the charge on their credit card. If your customer does receive an e-mail directly from Authorize.net though, they will most likely see everything you submit. But double-check the docs I linked to be sure.
You have x_description, but also x_invoice_num and x_po_num. These fields are for the internal use of the merchant. The fields x_description and x_invoice_num can be set in the virtual terminal, if you use it to submit transactions, and also via the API. Authorize.net will return them in the response. If you set any of these two fields in an automatic recurring billing subscription, it will be returned in each individual payment response. They might be included in the email receipt also - I never used the authorize.net email receipt to the buyer. You can disable this email receipt and send your own email receipt.
I know x_description gets sent in plain text to the merchant's email, so I wouldn't use it for anything too sensitive. The description does not, however, appear on my credit card statement (as a customer).
There is another field you can use, refId. It's not well documented, but what you pass in refId will be returned in the response object as refId.
Personally, I recommend creating a database table to store your data, and then use refId to keep track of the insert ID.
I have a page where user is asked only for the payment amount, then user will be redirected to another website where the payment will be processed, I want the amount to be set on the redirected page without using querystring,cokkie, etc..
I tried to use web service but here is my challange:
user enters amount on the website.
webservice is called and set the amount to ex:400$
then user is redirected without any query string to another website.
Now:
how this payment website will know that this user is the user entered 400$ on the redirecting page?
I can count on approaches more secure than this also.
thanks
I have made some research on net and asked my experienced friends, the answer is "impossible" this way.
Because redirected website somehow identify that user and there is no solution without querystrings or browser related components,
Here is my friend's advice and i am little bit satisfied, not totally :)
He calls this approach as ticketing,
First create a datetime.now integer, with that number add id and amount of money to be processed.
Then make a complex function to encrypt data. take square of every odd digit then divide to 7 etc.
then on the other website, decrypt data and check datetime if its within 5 minutes for example,
the link is valid.
You have to pass the data to the other website somehow.
Cookies wouldn't work due to domain restrictions.
Query string or form posts could work, but you don't want to use query strings.
Alternatively, if both sites share infrastructure, you could use that to share information - for example if they both have access to the same database, you could use that to share data (though you would still need to identify the specific user to both sites).
The way the service would have to work is to give back some token, probably a GUID, that the site will then look for in the querystring of an HTTP request, to identify the owner of that pre-populated data. You then tack that token onto your redirect, and the client makes a request that causes the payment site to go pull the pre-loaded data for that client.
You still have to use a query string, but now, the query string doesn't contain any human-consumable information; they can't identify their $400 amount in the query string and change it to a different amount of money. If they change the GUID at all, the request will most likely fail as that GUID won't exist in whatever datastore of pre-populated data exists behind the payment site.
Contact the website/web service/gateway. They will provide you the API which will define parameters and methods to accept payment amount. If you are the author of such service, provide mechanism to accept such parameters from your caller application. Communication should be secure, using SSL.
For example for payment gateway Paypal, check this for ideas:
Use of the PayPal payment system in ASP.NET
Have a look on wikipedia.
Shortly the answer is impossible this way, because somehow the redirect website should identify the user, all the ways are browser related or ip ( which can cause many issues later)
I've a forum where anonymous is allowed to post, protected by CAPTCHA. For users convenience, I set a Cookie for such a user which lasts about a month so the user does not get the CAPTCHA over and over again. In the simplest form the cookie is called no_captcha_for_one_month and it's value is 1. When the user returns and posts anonymously, he gets not CAPTCHA.
Anyone seeing the flaw? A forum spammer just needs to fill out the CAPTCHA correctly once and use the cookie information for his bot and there he goes.
I thought about getting creative and using a server-side hash which includes e.g. users IP address and some secret salt to generate the cookie value, but it would still be valid for this IP address, of course.
Someone I get the impression the question is silly and I try to solve something unsolvable.
I would recommend implementing your cookie value + salt implementation not to solve your problem but for security reasons. As explained by this blog post wordpress had a similar, albeit it much more severe, problem due to poor cookie security. In your case a determined spammer could always bypass your CAPTCHA even if the cookie had expired.
In order to solve the proposed problem the only solution that is coming to my mind would be to implement a Forced CAPTCHA algorithm that would override your newly secured cookie if it felt the user was being spammy. Off the top of my head I would use attributes like time since last post, number of posts today, the length of time it took to compose the message on the form, etc.
Edit: I should also mention that you can make your forum less attractive to spammers in the first place by implementing the rel="nofollow" attribute on user submitted links. See Wikipedia.
with such a solution it is always possible to use the cookie for a bot. no matter what you try.
As said below, a cookie can easily be taken from a browser and pasted in a bot code, so the solution isn't robust.
Other solutions:
Find some users posting a lot in the forum and ask them if they are volunteer to be moderator. A forum like the AutoHotkey one uses this system, and this works fine. Spammers tend to avoid active forums where moderation is fast and efficient. They prefer dead forums...
Limit the number of anonymous posts per IP address. Can be annoying for users, but can avoid spam flooding. Should be set up only if you experience such flooding.
Even worse, because you are using a cookie, the spammer doesn't even need to do the CAPTCHA once. Cookies can be changed by the client, they are sent by the browser with the page request, so the client can send whatever it wants. In fact spam requests would come from a script, so it's even easier to fabricate the cookies.
Storing the variable server side sill solve the problem I've mentioned; You set a random hash as the cookie, and have a table that stores the CAPTCHA status on the server. For the spammer to get no CAPTCHA, they would have to guess a hash that has the correct variable stored server side, shich is very hard to do.
The problem you mentioned; the fact that once a month might not be long enough to deter a spammer, you can't get around that. You have to show a CAPTCHA to every real user, as often as you want the spammer to enter one as well. Remember, a CAPTCHA is necessary because you can't tell a spammer from a normal user.
You should have the CAPTCHA show often, it will convince people to sign up anyway.
Encrypt the time (in pico or nano seconds) set it as a input value () & set it in your DataBase with a column name 'hash'
set that in every page & see if it matches the DB.