Jump to content
  • Checkout
  • Login
  • Get in touch

osCommerce

The e-commerce.

Worldpay support III


scottymcloo

Recommended Posts

Or you could enable MD5 to improve things a bit

Worldpay problems

 

This page explains the problems with Select Junior better than I can. I can confirm though, that the issues it outlines are still present and affect anyone using Worldpay, including via the OSC contribution.

 

That page doesn't include my technique of using a Javscript debugger, which is more likely to work than the way it suggests.

 

So yeah MD5 would sort the main part of the insecure-ness out. The contribution needs to be changed for that to work, I think, but that would be simple. IMHO a 12-character password is secure enough, and as for its point about the callback - I've not looked into that but what it's saying makes sense.

 

One way or the other, there are some pretty big problems with the current OSC worldpay system. If you check your orders by hand and ensure the amounts/totals make sense, then you'll be OK.

Link to comment
Share on other sites

  • Replies 281
  • Created
  • Last Reply

Top Posters In This Topic

sorry

i should readthrough the whole thread. The answer was in there. Worldpay doesn't work with STS Template.

There is a message suggesting it can be used but i was left a little confused. has anyone managed to get worldpay and sts working together?

 

cheers

Link to comment
Share on other sites

I have just set up worldpay on a new site and when doing a test I noticed the new look pages for the first time on the worldpay server.

 

That big black bar at the top of the site and the huge padlock couldnt look more different from the site.

 

Has anyone had any luck with changing the look of the payment pages?

Link to comment
Share on other sites

Yeah..

 

My payment pages look good enough - not great, but good enough. You need to upload HTML for it to use in the Header and Footer, and use Styles. Go through and change all the colours it uses to match your site.

 

It is possible but it's more work than it should be..

Link to comment
Share on other sites

Come on, some one must have some better solutions for the 1062-Duplicate entry error???

Nimmit solved his problem by the looks of things. Read his posts, and if not, get in touch and see if his solution might work for you.

 

I thought it was to do with cookie addresses, and Nimmit said:

If anyone else has this problem in the future it was to do with my https cookie domain set up in configue.php I had a typo! Typical it's the little things that can really mess you up!

 

Good luck..

Link to comment
Share on other sites

Hiya,

in refrence to the dubplicate entry error. Have a good read of

this wiki its just the basic configure file that needs to be checked in this situation.

 

Make sure that you have every setting as it should be.

 

I tried so many things around the time I had that problem. And I'm pretty sure this was what was causing it.

Nimmit

Link to comment
Share on other sites

Hi,

 

Ived tried pretty much everything in my config.php. this is what it looks like:

 

define('HTTP_SERVER', 'http://www.gameessentials.co.uk'); // eg, http://localhost - should not be empty for productive servers

define('HTTPS_SERVER', 'https://webatwork2.cheapdomainsuk.com/~gameesse'); // eg, https://localhost - should not be empty for productive servers

define('ENABLE_SSL', true); // secure webserver for checkout procedure?

define('HTTP_COOKIE_DOMAIN', 'www.gameessentials.co.uk');

define('HTTPS_COOKIE_DOMAIN', 'webatwork2.cheapdomainsuk.com/~gameesse');

define('HTTP_COOKIE_PATH', '/catalog/');

define('HTTPS_COOKIE_PATH', '/catalog/');

define('DIR_WS_HTTP_CATALOG', '/catalog/');

define('DIR_WS_HTTPS_CATALOG', '/catalog/');

define('DIR_WS_IMAGES', 'images/');

define('DIR_WS_ICONS', DIR_WS_IMAGES . 'icons/');

define('DIR_WS_INCLUDES', 'includes/');

define('DIR_WS_BOXES', DIR_WS_INCLUDES . 'boxes/');

define('DIR_WS_FUNCTIONS', DIR_WS_INCLUDES . 'functions/');

define('DIR_WS_CLASSES', DIR_WS_INCLUDES . 'classes/');

define('DIR_WS_MODULES', DIR_WS_INCLUDES . 'modules/');

define('DIR_WS_LANGUAGES', DIR_WS_INCLUDES . 'languages/');

 

define('DIR_WS_DOWNLOAD_PUBLIC', 'pub/');

define('DIR_FS_CATALOG', '/home/gameesse/public_html/catalog/');

define('DIR_FS_DOWNLOAD', DIR_FS_CATALOG . 'download/');

define('DIR_FS_DOWNLOAD_PUBLIC', DIR_FS_CATALOG . 'pub/');

 

// define our database connection

define('DB_SERVER', 'localhost'); // eg, localhost - should not be empty for productive servers

define('DB_SERVER_USERNAME', 'xxxxxx');

define('DB_SERVER_PASSWORD', 'xxxxxx');

define('DB_DATABASE', 'xxxxxx');

define('USE_PCONNECT', 'false'); // use persistent connections?

define('STORE_SESSIONS', 'mysql'); // leave empty '' for default handler or set to 'mysql'

 

 

Ive spoken to Ady who had the same problem, he has solved it by setting his HTTPS_COOKIE_DOMAIN the same as his HTTP_COOKIE_DOMAIN.

This didnt work for me, I starting to thing that this is a problem with my Shared SSL. Do you think buying a dedicated SSL could cause this problem? Im also getting the Paypal IPN error.

 

Cheers

Rob

Link to comment
Share on other sites

Hiya,

I just started looking into this problem and in the process BROKE MY STORE AGAIN (panic!!!) But have now fixed it again! (phew!).

I'm not saying that this is right for everyone but in MY CASE it is todo with that cookie domain.

If i put a http or https on the front of it it gives the duplicate entry problem. The moment I take it away its fixed again... whether or not this going to be the case for everyone or not is another question.

 

Keep at it

 

Nimmit

 

p.s. both my http & https cookie things are the same

Link to comment
Share on other sites

Does anyone know how to pass the WP reference number back and have it included on the invoice or anywhere else? It's a pain having to find it when a customer returns something, if it were on the actual invoice or order page it would make life easier.

Link to comment
Share on other sites

  • 2 weeks later...

I've got a problem that I think is due to a cookie stored on my box somewhere as a result of a failed transaction.

 

Worldpay processes the transaction and sends its confirmation emails.

The call back url http://<wpdisplay item="MC_callback"> produces the WP box at the top of the page and the header beneath it.

 

The rest of the page won't load and the sale is not confirmed/logged by OSC.

WP does not send a failure email and there are no warningmessages.

 

Although I go through the WP process. The goods are still in my cart.

 

Can anyone help and shed light on what I'm missing.

 

(MS2.2 - WP 4 1.5b - no other contribs)

 

regards

Kev

Link to comment
Share on other sites

Its sounds like maybe one of the files you uploaded is corrupt. I think its called wp-callback.php or similar. Try re-uploading the files and see what happens.

Link to comment
Share on other sites

  • 2 weeks later...

Hi Guys,

 

I just setup the Worldpay module in a ms2.2 installation. I am having the same callback problem. I have checked the installation id and it is correct. Any other ideas? As a result of no callback the cart remains full and order is not put into osc. Thanks!

 

rw

Link to comment
Share on other sites

Once the order is confirmed by WorldPay the customer is sent to this base URL:

 

https://select.worldpay.com/aequitas/card?

 

with the following text:

 

 

Thank You.

 

This was NOT a live transaction - no money has changed hands

Thank you, your payment was successful

Merchant's Reference: osCsid=f0acc5a58dc031838cba408ac70e1dbf

WorldPay Transaction ID: 64803702

 

Please contact WorldPay immediately if there has been a problem making your payment.

 

 

 

 

Any ideas are appreciated.

 

thanks,

 

rw

Link to comment
Share on other sites

I will try it, So the callback does not work in test mode?

 

ALSO,

 

Is there a reason this mod uses dynamic callback? ie: builds the callback url? Is this strictly to support multiple languages? I've tried plugging the callback URL right into the Worldpay panel and it works fine.

 

ie:

 

www.mydomain.com/wpcallback.php

 

instead of:

 

http://<wpdisplay item="MC_callback">

 

When i use http://<wpdisplay item="MC_callback">

 

it does not work (in test mode or otherwise). I have even tried hardcoding in my callback url to modules/payment/worldpay.php file

 

ie:

 

143: tep_draw_hidden_field('MC_callback', 'http://www.mydomain.com/wpcallback.php?language=' . $language_code) .

 

143: tep_draw_hidden_field('MC_callback', $worldpay_callback[1] . '?language=' . $language_code) .

 

and the dynamic callback still will not work. I can see the hidden field is in fact there and is being passed to worldpay.

 

Anyway it is working when i put the callback directly into the worldpay panel. Is there any reason i shouldn't be doing this?? Thanks!

 

rw

Link to comment
Share on other sites

  • 2 weeks later...

Hi peeps,

 

Not sure if anyone has seen this potential security risk.

 

After I've done a checkout and redirected to the WorldPay page, i am able to enter this: www.mystore.com/wpcallback.php?transStatus=Y, and the order will be processed as success even without paying.

 

Ivan.

Link to comment
Share on other sites

What I propose is to change the following code in /catalog/wpcallback.php

if(isset($transStatus) && $transStatus == "Y") { ?

to

$transStatus = "";
$transStatus = $_POST['transStatus'];
if(isset($_POST['transStatus']) && $transStatus == "Y") { ?

Edited by ivanteo
Link to comment
Share on other sites

It is a security hole yes, and there are several with this module that I've already hinted at previous in the thread. Well spotted though!

 

As for code, I'd replace your:

 

$transStatus = "";
$transStatus = $_POST['transStatus'];
if(isset($_POST['transStatus']) && $transStatus == "Y") {  

 

with..

 

if(isset($_POST['transStatus']) AND ($_POST['transStatus'] == "Y")) {  

 

I use 'AND' rather than '&&' - i believe it's better in most situations.

 

It's probably no more secure though - you could construct a form that POSTs 'transStatus=Y' to wpcallback.php and it would probably work just like faking the GET variable as you're suggesting.

 

The answer is to make use of Worldpay's MD5 passwords and other security features, detailed in its integration guide and missing from the current OSC module.

Link to comment
Share on other sites

Hi, any one any ideas on the callback failure?

I have the same problem, if I put http://<wpdisplay item="MC_callback"> into the WP callback URL I get a failure. Replacing the callback URL with www.mysite.com results in a callback success and everything is fine.

Using osCommerce MS2 with Worldpay 4.0 v1.4

 

Robr

Link to comment
Share on other sites

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Unfortunately, your content contains terms that we do not allow. Please edit your content to remove the highlighted words below.
Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

×
×
  • Create New...