
session or cookie



You're hitting the 403 because of the _get being in the post.  Here it is in case that url goes bad

Quote

@steven99

I have a problem. I tried with localAPI to check if the user is logged in, but that is not actually a solution to find whether the paying user is associated with that invoice_id.

1 - IPN request to mark the payment as paid (it checks the REST API for PAID status to add the payment): callbackfile.php

2 - Redirection method (_get) to mark the payment (it checks the _get query string for PAID status to add the payment).

Why do I need this:
Usually we have trouble with gateways as they are continuously changing the transaction ID method (sometimes their own transaction id, sometimes random numbers). If the transaction id is changed, the redirect url can be tampered with and can add the payment to the same invoice, because checkCbTransID may not find the transaction id with a different string (e.g. at the time of payment it was a random number, and after a gateway upgrade it can be a date in unix format).

- I have a question: does checkCbTransID work by matching the transaction id by "contains" or "equals"?


What I want

If the transaction id method is changed, how do I protect against the duplicate transaction? If someone hits the same url, the transaction is added to the system again.

As for if a user is logged in, one simple way is to check the UID session variable, then fetch that user / client via Client::find(UID) and confirm they own the invoice. There might be other methods but mind no workie on limited sleepy.

Going off https://developers.whmcs.com/payment-gateways/callbacks/ checkCbTransID only checks if there is an existing transaction in WHMCS with that same ID and if so fails / dies. If both check invoice and check transid are successful, then you use addInvoicePayment().

The callback has little to do with the client and it should not care if the client is logged in, because the callback should only be called by the gateway and their session would not be the client's session, nor should it even be able to touch their session or account for security reasons. All the callback file should need is the invoice id, transaction id, and client id (but not as important as the first two). The callback then checks if the invoice is valid and if so checks if WHMCS has a transaction with the same ID. Using Invoice::find(invoiceID) should get you the invoice as well as the client that owns that invoice.

The gateway changing their transaction id format should not matter, as each transaction id should be unique and they should still have a variable like "transid". You need to be able to verify the transaction with the gateway in some manner. For example, Paypal IPN expects you to send a 200 return when it does the callback and you send back the message they sent to you. With for example Stripe, you can use their API and check the transaction id, verify it is that invoice, that client, etc. It is important to confirm the transaction is valid one way or other.

If the gateway you're using is changing their transaction ids or variable names constantly, then it is time to get a new gateway as that should not need to be done. If you have some docs on the gateway, I may have some time next week to look and advise more.

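A callback file that follows the flow described in the reply above (validate the invoice, reject an already-recorded transaction id, confirm the transaction with the gateway server-to-server, and only then record the payment), written as an added example rather than code from this thread or from WHMCS. It assumes a module named after the file, a gateway config field `apiKey`, and a hypothetical lookup endpoint `https://api.example-gateway.test/v1/transactions/{id}`; the WHMCS helper calls themselves (getGatewayVariables, checkCbInvoiceID, checkCbTransID, logTransaction, addInvoicePayment) are the ones the documented callback template uses.

```php
<?php
// Added example, not code from the thread or from WHMCS: a callback file laid
// out like the WHMCS sample callback. Assumes the module config defines an
// apiKey field and an assumed gateway transaction-lookup endpoint (below).
require_once __DIR__ . '/../../../init.php';
require_once __DIR__ . '/../../../includes/gatewayfunctions.php';
require_once __DIR__ . '/../../../includes/invoicefunctions.php';
$gatewayModuleName = basename(__FILE__, '.php');
$gatewayParams = getGatewayVariables($gatewayModuleName);
if (!$gatewayParams['type']) {
    die('Module Not Activated');
}
// Whatever arrives in the query string or POST body is untrusted: the URL can
// be replayed from a browser or Postman, so nothing below trusts it directly.
$invoiceId     = (int) ($_REQUEST['invoice_id'] ?? 0);
$transactionId = trim((string) ($_REQUEST['transid'] ?? ''));
// 1. Invoice must exist for this gateway (WHMCS dies here if it does not).
$invoiceId = checkCbInvoiceID($invoiceId, $gatewayParams['name']);
// 2. Exact-match duplicate check: dies if this transid was already recorded.
checkCbTransID($transactionId);
// 3. Ask the gateway server-to-server; status and amount come from its answer,
//    so a replayed or edited redirect URL cannot mark an unpaid invoice paid.
$verified = verifyWithGatewayApi($gatewayParams['apiKey'], $transactionId);
if ($verified === null || ($verified['status'] ?? '') !== 'PAID'
    || (int) ($verified['invoice_id'] ?? 0) !== $invoiceId) {
    logTransaction($gatewayParams['name'], $_REQUEST, 'Unverified');
    die('Transaction could not be verified with the gateway');
}

// 4. Only now record the payment, using the gateway-reported amount.
logTransaction($gatewayParams['name'], $verified, 'Successful');
addInvoicePayment($invoiceId, $transactionId, $verified['amount'], 0, $gatewayModuleName);

// Hypothetical lookup against an assumed endpoint; returns null on any failure
// so the caller treats network errors the same as a failed verification.
function verifyWithGatewayApi(string $apiKey, string $transactionId): ?array
{
    $ch = curl_init('https://api.example-gateway.test/v1/transactions/'
        . rawurlencode($transactionId));
    curl_setopt_array($ch, [
        CURLOPT_RETURNTRANSFER => true,
        CURLOPT_HTTPHEADER     => ['Authorization: Bearer ' . $apiKey],
        CURLOPT_TIMEOUT        => 10,
    ]);
    $body = curl_exec($ch);
    $ok = $body !== false && curl_getinfo($ch, CURLINFO_RESPONSE_CODE) === 200;
    curl_close($ch);
    $data = $ok ? json_decode($body, true) : null;
    return is_array($data) ? $data : null;
}
```

Because checkCbTransID matches the stored transid exactly and the PAID status is taken from the gateway rather than from the request, a second hit on the same redirect URL dies at step 2, and a URL with a made-up transid dies at step 3.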

Thank you @steven99 for such a brief response. I admit that the gateway should have the transid for each transaction; unfortunately, the callback receives the response via the GET method, which is likely insecure too, as the url can be tampered with if left unsecured without API checks. Yesterday after replying I tried checking the SERVER REFERRER and was able to find a solution with a regular expression by comparing the URL with the response HTTP referrer URL. It seems to be helpful: it returns false if the request is triggered by POSTMAN or a browser.

10 hours ago, steven99 said:

If the gateway you're using is changing their transaction ids or variable names constantly, then it is time to get a new gateway as that should not need to be done.   If you have some docs on the gateway, I may have some time next week to look and advise more. 

That is true; the variables, if not, at least the transaction id should not be added in the response params.

10 hours ago, steven99 said:

still have a variable like "transid"

Exactly, 

10 hours ago, steven99 said:

If you have some docs on the gateway, I may have some time next week to look and advise more. 

I'm really thankful to you for this, I appreciate your words. As it feels the file is secured, if I need to I will reply on this.

10 hours ago, steven99 said:

Invoice::find(invoiceID)

Please refer me to a post in the community or a snippet that can work in the callback file.


If you mean the URL is unsecured in terms of someone sniffing packets and seeing it, as long as it is https the url is also encrypted. If you mean in terms of someone trying to fake a payment, using get or post is no different in terms of that security, as you can easily do a POST request via the browser's inspect tools.


On 7/11/2021 at 1:17 AM, steven99 said:

If you mean the URL is unsecured in terms of someone sniffing packets seeing it, as long as it is https the url is also encrypted.   If you mean in terms of someone trying to fake a payment, using get or post is no different in terms of that security as you can easily do a POST request via the browser's inspect tools.   

Yes, you have understood now what exactly I have the issue about.

May I know if you can share a post with an example snippet that can make a custom session and then retrieve the session on page2 (the landing page), and determine if the session is true (for WHMCS)? Or can you let me know whether pure PHP code can also work in WHMCS without using any specific library or module?
