[TYPO3-commerce] *SECURITY ISSUE* possible Hack of paypal2ogone extension

Ingo Schmitt mailinglisten at i-schmitt.de
Thu Dec 13 22:00:54 CET 2007


Hello Thibaut,
> Hello Ingo,
> thank you for your response, and thanks for the excellent news!
> I have sent you an email and I will test your patch as soon as I catch it.
> But I already have tons of questions about it.

> Will it be capable of keeping the good order data even if customer has a 
> "chaotic behaviour" ? What I mean by "chaotic behaviour" are things such 
> as : logout of merchant's site, relogging with different profile, editing 
> of basket, changing of IP, etc... during the payment process outside of 
> merchant's site (in a second browser window for example).

Generally the commerce basket is bound to the fe_user and to its 
session. The data is handled by TYPO3 in this case. As I've read the 
sources of the core, these mentioned issues should be solved by TYPO3.


> What I basically mean is : I would like Commerce to be able to validate 
> an order from ANY valid payment confirmation that would come from any 
> (installed and configured) payment service; and that, whatever the 
> customer did or tried to do (accidentally or not), whatever happened to 
> session. What I want to avoid : refund a customer because there is no 
> order in the database that matches his payment.
> 
> I know it sounds like a wishlist but huh... well, it actually is :)

Handling payments, as with PayPal, is a bit complicated, since you hand the 
user over to another page. Here you might have to do additional programming.

> 
> Speaking of wishlist, I'm developing a payment method for Ogone, 
> inspired by Martin Holtz's paypal2commerce and default Commerce's 
> payment methods. Ogone requires an orderId to proceed, but the problem 
> is that the orderId is by default available in Commerce only AFTER 
> payment confirmation.

Yes, only at this stage is the order really finished. If you generate the 
ID before, and the order is not completed, you may have an order id 
with no order.
> 
> So my wish would be that Commerce allows the orderID to be generated by 
> the payment method before payment confirmation, and uses that ID if it 
> has been generated. I don't know if Ogone is the only payment service 
> that requires an orderId, but it appears to me like a "reasonable" 
> request and I wouldn't be surprised if other payment services do so. So 
> that feature is possibly interesting for other payment methods/services 
> too.

You might be able to use the fe_user session id; this should be unique.
> 
> Well, I think it will be all for this time, dear Santa Claus ;)
> 
Hehe :-)

ingo

> 
> Regards,
> Thibaut
> 
> 
> 
> 
>> I've followed the discussion here and I have already a concept, how we 
>> can prevent the change of "an order in checkout process (pi3)" 
>> generally in commerce. Although it should be only a small change in 
>> PI3, we have to test it carefully.
>>
>> My plan is, to provide a Patch against the actual Commerce version for 
>> pi3 very soon, would you be able to test the patch in your installations?
>>
>> Please give me a private mail is (at) matketing - factory (dot) de, 
>> where I could send the patch.
>>
>> ingo
> 
> 


Kind regards
-- 
Ingo Schmitt                        mailto:is at marketing-factory.de
Marketing Factory Consulting GmbH   http://typo3.marketing-factory.de/
Content management with Typo3: consulting - training - implementation
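The thread above turns on two problems with off-site payment providers: an order id that is generated before confirmation may end up with no order behind it, and a confirmation that arrives after the customer edited the basket, lost the session or logged in as someone else may not match any order at all. The following is an added example, not code from TYPO3 Commerce, paypal2commerce or either author, showing one way to handle both: reserve a pending order record (with a snapshot of amount and currency) before redirecting, and validate the provider's confirmation against that record by reference alone, never by session. The table layout, the function names and the use of sqlite3 are assumptions made for the example; the reference is a freshly generated random token rather than the session id, so the session cookie value is never handed to a third party.

```python
"""
Pending-order reservation for an off-site payment flow (constructed example).

Flow:
  1. reserve_order()   - before redirecting to the provider: persist a
                         pending order with an opaque reference and a
                         snapshot of the amount/currency being charged.
  2. confirm_payment() - from the (already signature-verified) provider
                         callback: look the order up by reference only and
                         check the confirmed amount against the snapshot.
  3. expire_stale()    - housekeeping: pending orders that never got a
                         confirmation are marked expired, so no "order id
                         without an order" lingers as if it were live.
"""
import secrets
import sqlite3
import time

PENDING, PAID, EXPIRED = "pending", "paid", "expired"


def open_store():
    """In-memory store standing in for the shop database (assumed schema)."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        """CREATE TABLE orders (
               ref          TEXT PRIMARY KEY,
               fe_user      INTEGER NOT NULL,
               amount_cents INTEGER NOT NULL,
               currency     TEXT NOT NULL,
               status       TEXT NOT NULL,
               created      INTEGER NOT NULL)"""
    )
    return conn


def reserve_order(conn, fe_user, amount_cents, currency, now=None):
    """Create a pending order and return its opaque reference.

    The amount is frozen here: later basket edits in another window do not
    change what the confirmation is checked against.
    """
    ref = secrets.token_urlsafe(16)          # random, unguessable, not the session id
    created = int(time.time()) if now is None else now
    conn.execute(
        "INSERT INTO orders VALUES (?, ?, ?, ?, ?, ?)",
        (ref, fe_user, amount_cents, currency, PENDING, created),
    )
    conn.commit()
    return ref


def confirm_payment(conn, ref, amount_cents, currency):
    """Apply a provider confirmation. Returns one of:
    'paid', 'duplicate', 'unknown_reference', 'mismatch', 'not_pending'.

    The lookup uses only the reference carried by the provider, so a lost or
    swapped front-end session cannot orphan a paid order.
    """
    row = conn.execute(
        "SELECT amount_cents, currency, status FROM orders WHERE ref = ?", (ref,)
    ).fetchone()
    if row is None:
        return "unknown_reference"
    db_amount, db_currency, status = row
    if status == PAID:
        return "duplicate"                   # replayed callback: do not fulfil twice
    if status != PENDING:
        return "not_pending"
    if (db_amount, db_currency) != (amount_cents, currency):
        return "mismatch"                    # provider confirmed a different charge
    # Conditional update so two concurrent callbacks cannot both win.
    cur = conn.execute(
        "UPDATE orders SET status = ? WHERE ref = ? AND status = ?",
        (PAID, ref, PENDING),
    )
    conn.commit()
    return "paid" if cur.rowcount == 1 else "duplicate"


def expire_stale(conn, max_age_seconds, now=None):
    """Mark pending orders older than max_age_seconds as expired; return count."""
    cutoff = (int(time.time()) if now is None else now) - max_age_seconds
    cur = conn.execute(
        "UPDATE orders SET status = ? WHERE status = ? AND created < ?",
        (EXPIRED, PENDING, cutoff),
    )
    conn.commit()
    return cur.rowcount


if __name__ == "__main__":
    db = open_store()
    ref = reserve_order(db, fe_user=7, amount_cents=4990, currency="EUR")
    print(confirm_payment(db, ref, 4990, "EUR"))   # paid
    print(confirm_payment(db, ref, 4990, "EUR"))   # duplicate
    print(confirm_payment(db, ref, 4900, "EUR"))   # duplicate (already paid)
```

In a real integration the callback handler would first verify the provider's signature or do the provider's server-to-server validation, and only then call `confirm_payment`; a `mismatch` or `unknown_reference` result is exactly the case the thread wants to catch before money is taken for an order that does not exist.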

