Post by DANDTON » Tue Apr 20, 2021 8:58 pm

Hello everyone,
I am using 3.0.3.2. Today I found a problem: when I finish buying with PayPal and click the "return back" button on the PayPal page, the page goes to my store.
BUT the buyer account is signed out automatically and I must log in again. BUT when I log in again, I can see the shopping cart is not cleared......
I can see that all my Google Chrome cookies are signed out automatically; my admin account in another label is signed out automatically too.....
I use Journal 3.1.8.
Thank you for your help!!
Yours, Daniel

Post by straightlight » Tue Apr 20, 2021 9:04 pm

DANDTON wrote:
Tue Apr 20, 2021 8:58 pm
Hello everyone,
I am using 3.0.3.2. Today I found a problem: when I finish buying with PayPal and click the "return back" button on the PayPal page, the page goes to my store.
BUT the buyer account is signed out automatically and I must log in again. BUT when I log in again, I can see the shopping cart is not cleared......
I can see that all my Google Chrome cookies are signed out automatically; my admin account in another label is signed out automatically too.....
I use Journal 3.1.8.
Thank you for your help!!
Yours, Daniel
Unsupported.

Dedication and passion goes to those who are able to push and merge a project.

Regards,
Straightlight
Programmer / Opencart Tester


Post by JNeuhoff » Tue Apr 20, 2021 10:31 pm

Not an OpenCart bug, the OpenCart checkout eventually reaches the checkout/success page, and the user stays logged in, but with the shopping cart cleared after the successfully processed order. Journal3 is a different framework (80% non-Opencart) so in your case you will have to get in touch with the Journal support.

Export/Import Tool * SpamBot Buster * Unused Images Manager * Instant Option Price Calculator * Number Option * Google Tag Manager * Survey Plus * OpenTwig



Post by DANDTON » Tue Apr 20, 2021 10:48 pm

JNeuhoff wrote:
Tue Apr 20, 2021 10:31 pm
Not an OpenCart bug, the OpenCart checkout eventually reaches the checkout/success page, and the user stays logged in, but with the shopping cart cleared after the successfully processed order. Journal3 is a different framework (80% non-Opencart) so in your case you will have to get in touch with the Journal support.
Thank you very much! I did more tests and found that the problem seems to come from PayPal; I use PayPal Standard as the payment method. I have two methods, PayPal Standard and Free Checkout. When I test with Free Checkout, there is no problem, but when I use PayPal Standard and test with a sandbox account, this problem appears.
To be sure, I tried my other OpenCart V1.5.6 and V3.0.2 websites; this problem is still there when I use PayPal Standard.
So I suspect it is a problem from PayPal. I will call them tomorrow and let you know more info.

Post by DANDTON » Thu Apr 22, 2021 11:25 am

Called PayPal and got no answer, so I tried testing more and found the resolution: O0
1. Must update PHP 7.0 to PHP 7.3; after testing, only PHP 7.3 is OK
2. Edit the file /upload/system/framework.php around line 110

//original cookie
//setcookie($config->get('session_name'), $session->getId(), ini_get('session.cookie_lifetime'), ini_get('session.cookie_path'), ini_get('session.cookie_domain'));

//modified cookie
setcookie($config->get('session_name'), $session->getId(), ['expires' => ini_get('session.cookie_lifetime'), 'path' => ini_get('session.cookie_path'), 'domain' => ini_get('session.cookie_domain'), 'samesite' => 'None', 'secure' => true, 'httponly' => true]);

3. Edit the file /upload/catalog/controller/startup/session.php around line 25
//original cookie
//setcookie($this->config->get('session_name'), $this->session->getId(), ini_get('session.cookie_lifetime'), ini_get('session.cookie_path'), ini_get('session.cookie_domain'));

//modified cookie
setcookie($this->config->get('session_name'), $this->session->getId(), ['expires' => ini_get('session.cookie_lifetime'), 'path' => ini_get('session.cookie_path'), 'domain' => ini_get('session.cookie_domain'), 'samesite' => 'None', 'secure' => true, 'httponly' => true]);

Refresh ocmod, done.
Now test: after checkout and return to the successful payment page, the customer won't be logged out and the shopping cart is empty.

Post by maniruzzaman » Mon Jan 09, 2023 3:20 pm

Hi,
I also faced this issue on OpenCart 4 with our Paysera payment gateway plugin, then investigated and found out about the session SameSite setting. To fix this, there is no need to write additional code. Just change it from settings:
1) Go to settings.
2) Click on Server tab.
3) Change Session Samesite Cookie from Lax/Strict to None.
4) Now make a payment and nothing will be logged out.

Post by frasergoconsultme » Mon May 15, 2023 11:40 pm

DANDTON wrote:
Thu Apr 22, 2021 11:25 am
Called PayPal and got no answer, so I tried testing more and found the resolution: O0
1. Must update PHP 7.0 to PHP 7.3; after testing, only PHP 7.3 is OK
2. Edit the file /upload/system/framework.php around line 110

//original cookie
//setcookie($config->get('session_name'), $session->getId(), ini_get('session.cookie_lifetime'), ini_get('session.cookie_path'), ini_get('session.cookie_domain'));

//modified cookie
setcookie($config->get('session_name'), $session->getId(), ['expires' => ini_get('session.cookie_lifetime'), 'path' => ini_get('session.cookie_path'), 'domain' => ini_get('session.cookie_domain'), 'samesite' => 'None', 'secure' => true, 'httponly' => true]);

3. Edit the file /upload/catalog/controller/startup/session.php around line 25
//original cookie
//setcookie($this->config->get('session_name'), $this->session->getId(), ini_get('session.cookie_lifetime'), ini_get('session.cookie_path'), ini_get('session.cookie_domain'));

//modified cookie
setcookie($this->config->get('session_name'), $this->session->getId(), ['expires' => ini_get('session.cookie_lifetime'), 'path' => ini_get('session.cookie_path'), 'domain' => ini_get('session.cookie_domain'), 'samesite' => 'None', 'secure' => true, 'httponly' => true]);

Refresh ocmod, done.
Now test: after checkout and return to the successful payment page, the customer won't be logged out and the shopping cart is empty.
Had the same issue and this worked for me...many thanks :-)

Newbie - OC 3.0.3.8 sites


Post by by mona » Tue May 16, 2023 12:02 am

+1

Thank you to
DANDTON for coming back with a solution
maniruzzaman for a possible solution for OC4
and frasergoconsultme for taking the time to login and say thank you and confirming it works

have a great day ;D

DISCLAIMER:
You should not modify core files .. if you would like to donate a cup of coffee I will write it in a modification for you.


https://www.youtube.com/watch?v=zXIxDoCRc84


Post by ADD Creative » Tue May 16, 2023 7:48 am

frasergoconsultme wrote:
Mon May 15, 2023 11:40 pm
Had the same issue and this worked for me...many thanks :-)
That's not the best way to fix the issue for PayPal Standard. You can just change the rm variable to 1, as done in 3.0.3.8.
https://github.com/opencart/opencart/pull/8072

That way you can keep using default SameSite=Lax, which would give more protection against attacks such as CSRF. Which is probably important if you are using an older version than 3.0.3.8 that does not have the security vulnerability in the PayPal Standard extension patched.

www.add-creative.co.uk


Post by frasergoconsultme » Tue May 16, 2023 9:09 pm

ADD Creative wrote:
Tue May 16, 2023 7:48 am
That's not the best way to fix the issue for PayPal Standard. You can just change the rm variable to 1, as done in 3.0.3.8.
https://github.com/opencart/opencart/pull/8072

That way you can keep using default SameSite=Lax, which would give more protection against attacks such as CSRF. Which is probably important if you are using an older version than 3.0.3.8 that does not have the security vulnerability in the PayPal Standard extension patched.
I am running 3.0.3.8 and was still having the issue until I changed the code as above.

Newbie - OC 3.0.3.8 sites


Post by ADD Creative » Tue May 16, 2023 9:49 pm

frasergoconsultme wrote:
Tue May 16, 2023 9:09 pm
I am running 3.0.3.8 and was still having the issue until I changed the code as above.
I would check that your theme is not overriding the /catalog/view/theme/default/template/extension/payment/pp_standard.twig file or that the file isn't an old version from a previous upgrade.

You can also inspect the payment fields at the last step at checkout using your browser's developer tool, where you should see the following.

Code:

<input type="hidden" name="rm" value="1" />

www.add-creative.co.uk


Post by kslakhani » Fri Jul 28, 2023 1:03 am

DANDTON wrote:
Thu Apr 22, 2021 11:25 am
Called PayPal and got no answer, so I tried testing more and found the resolution: O0
1. Must update PHP 7.0 to PHP 7.3; after testing, only PHP 7.3 is OK
2. Edit the file /upload/system/framework.php around line 110

//original cookie
//setcookie($config->get('session_name'), $session->getId(), ini_get('session.cookie_lifetime'), ini_get('session.cookie_path'), ini_get('session.cookie_domain'));

//modified cookie
setcookie($config->get('session_name'), $session->getId(), ['expires' => ini_get('session.cookie_lifetime'), 'path' => ini_get('session.cookie_path'), 'domain' => ini_get('session.cookie_domain'), 'samesite' => 'None', 'secure' => true, 'httponly' => true]);

3. Edit the file /upload/catalog/controller/startup/session.php around line 25
//original cookie
//setcookie($this->config->get('session_name'), $this->session->getId(), ini_get('session.cookie_lifetime'), ini_get('session.cookie_path'), ini_get('session.cookie_domain'));

//modified cookie
setcookie($this->config->get('session_name'), $this->session->getId(), ['expires' => ini_get('session.cookie_lifetime'), 'path' => ini_get('session.cookie_path'), 'domain' => ini_get('session.cookie_domain'), 'samesite' => 'None', 'secure' => true, 'httponly' => true]);

Refresh ocmod, done.
Now test: after checkout and return to the successful payment page, the customer won't be logged out and the shopping cart is empty.
Thanks, worked perfectly on OC v3.0.2.0

Post by ADD Creative » Fri Jul 28, 2023 7:37 am

kslakhani wrote:
Fri Jul 28, 2023 1:03 am
Thanks, worked perfectly on OC v3.0.2.0
You should also be able to fix it by making the changes at the links below instead.
https://github.com/opencart/opencart/pull/8072/files

That way you can keep SameSite set to Lax, which will offer protection against CSRF vulnerabilities that None doesn't.

www.add-creative.co.uk
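
The trade-off between the two fixes discussed in this thread, as an added example that is not part of any post and not OpenCart or PayPal code: a simplified JavaScript model of the browser's SameSite rules, applied to PayPal's return to the shop with rm=2 (POST) and rm=1 (GET), and to a forged cross-site POST. The cookie name and the request objects are constructed for illustration.

```javascript
// Added illustration: simplified model of a browser's SameSite decision for
// the shop's session cookie. Request objects and names are constructed.

// Methods that SameSite=Lax allows on a cross-site top-level navigation.
const SAFE_METHODS = new Set(['GET', 'HEAD', 'OPTIONS', 'TRACE']);

function cookieIsSent(cookie, request) {
  const sameSite = cookie.sameSite.toLowerCase();
  if (cookie.secure && request.scheme !== 'https') return false;
  if (sameSite === 'none') return cookie.secure === true; // None requires Secure
  if (!request.crossSite) return true;      // same-site requests always carry it
  if (sameSite === 'strict') return false;  // never sent on cross-site requests
  return request.topLevelNavigation && SAFE_METHODS.has(request.method); // Lax
}

// PayPal Standard "rm" field: 1 returns the buyer with GET, 2 with POST.
function paypalReturnRequest(rm) {
  const methods = { '1': 'GET', '2': 'POST' };
  const method = methods[String(rm)];
  if (!method) throw new Error(`rm value not modelled here: ${rm}`);
  return { method, crossSite: true, topLevelNavigation: true, scheme: 'https' };
}

// A form on an unrelated site that auto-submits a POST to the shop (CSRF shape).
const FORGED_POST = { method: 'POST', crossSite: true, topLevelNavigation: true, scheme: 'https' };

function evaluate(sameSite) {
  // 'shop_session' is a constructed cookie name, not taken from the thread.
  const cookie = { name: 'shop_session', sameSite, secure: true, httpOnly: true };
  return {
    loginSurvivesReturnRm2: cookieIsSent(cookie, paypalReturnRequest(2)),
    loginSurvivesReturnRm1: cookieIsSent(cookie, paypalReturnRequest(1)),
    forgedPostCarriesSession: cookieIsSent(cookie, FORGED_POST),
  };
}

for (const mode of ['Lax', 'Strict', 'None']) {
  console.log(mode, JSON.stringify(evaluate(mode)));
}
```

With Lax, only the rm=1 return keeps the session and the forged POST arrives without it; with None, all three requests carry the session cookie.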

