Using SSO to send a user from checkout to site?

vossavantvossavant Member
in Help edited November 2009
I read the docs, but it's not clear to me if I can:

- Automagically log a customer into my site (running WordPress) once they check out and hit the receipt page

Here's the idea:

1. Customer checks out and pays for a product
2. New account created for the customer in WordPress (via a custom XML script that takes the datafeed and plugs into the WP database)
3. Customer hits the receipt page, where I have an option to "Upload Files". Customer can only see this option if he is logged in (which I assume would be always?)
4. Customer uploads files, which are associated with the customer via an ID or some other unique identifier.

I may be asking the wrong question here. I'm assuming the customer is always logged in (to FoxyCart) when he's on the receipt page. What I need to do is make sure the files the customer uploads are associated with the customer in WordPress, probably by passing the customer's ID to a script.

Another option is to just send the customer from the receipt page to a login screen in WordPress, but I'd like to avoid asking the customer to re-enter any login info.

I hope that was somewhat more than obtuse...
Comments
  • brettbrett FoxyCart Team
    Hi vossavant.
    That's a really good question. SSO itself is built to allow authentication from your site to FoxyCart, not the other way around. That said, there are a few ways you could make this happen.

    What might be the easiest would be to either avoid authentication altogether. You could build all the forms and such to allow the uploads using javascript, and using JSONP (to avoid cross-domain issues) to do a sort of fake authentication for those uploads. You could onpageload on the receipt check to see if the current transaction ID was placed within the past minute or so, and if so, assume it's a valid pageload and that the user is authenticated. You could potentially use the same logic to redirect the user to a page that'd automatically authenticate them.

    There definitely are security concerns here, but if you set an expiration on it you'd likely not have any "real" issues.

    Does that make sense?
  • Brett,

    Vaguely...you aren't short on creative ideas, that's for sure :)

    So what you're saying is that the user isn't authenticated or anything when he hits the receipt page? Is there a session ID or cookie I can use -- or is that even necessary?

    I ask the last bit because if I try to reload the receipt page, it tells me "Sorry, we can't seem to find your checkout info..." so it doesn't seem possible for someone to subsequently type in the receipt URL and have access to the uploader. That's the main concern. I only want to grant upload access in two ways (and the latter only if I can't get this working):

    1. Once they've purchased and are on the receipt page.
    2. Subsequently, when they log into their account in WordPress

    I figure I need to have the second option in case the user reloads or closes the receipt page, since I don't think you can get back to the receipt once you've closed it. Am I right?


    Thanks,
    Ryan
  • brettbrett FoxyCart Team
    Hi Ryan.
    Good questions. And yes, I almost always have a creative solution ;)

    There _is_ a session ID. It's in the JSON (which is loaded in the HTML on the receipt), and you could grab it. It's the FoxyCart session though, so if you wanted to use it on your end... it could be possible but it kind of depends on your server settings and such as to whether or not you can define sessions with arbitrary keys and such. And you'd need to make sure any cross-domain cookie issues are tested, as that can be a big problem (and is the main reason FoxyCart does most of what it does wrt session handling and GET/POST values).

    But yes, I'm saying that the user wouldn't necessarily be authenticated (on your end) when the receipt is loaded. It'd just say, "Hey, is this receipt pageload for a transaction that _just_ happened? If so, I'm going to assume they're authenticated and let them upload." You could also add a counter for that and only honor the first request, just in case somebody did intercept the URL. Again, it's not 100% bulletproof but it may be good enough.
    I ask the last bit because if I try to reload the receipt page, it tells me "Sorry, we can't seem to find your checkout info..." so it doesn't seem possible for someone to subsequently type in the receipt URL and have access to the uploader.

    The "can't find your checkout info" issues should be _greatly_ reduced in v060. In v051 and prior the receipt loads on the checkout page itself (with POST values). If you reload, FoxyCart will see that you're reloading a transaction that's been processed (which clears out the session), so the receipt won't be there. In v060 it immediately redirects to the revisitable receipt page. So if you did want to redirect to your system to immediately authenticate and then redirect you'd have to use the revisitable receipt URL from the XML datafeed. In v060 you'd want to perhaps put a delay on the initial redirection to allow for all the stuff in the ^^receipt_only_^^ placeholders to fire off (analytics, affiliate tracking, etc.):
    http://wiki.foxycart.com/docs:placeholders#receipt

    (In v060 we use an internal counter to determine whether it's been loaded yet, so if it loads far enough for you to do a js redirection, we'll consider it loaded and won't do the ^^receipt_only_^^ block again.)
    1. Once they've purchased and are on the receipt page.
    2. Subsequently, when they log into their account in WordPress

    I figure I need to have the second option in case the user reloads or closes the receipt page, since I don't think you can get back to the receipt once you've closed it. Am I right?

    You can get back to the receipt with the receipt URL from the datafeed. The issue is still: How do you make sure the uploads go to the right user. You could perhaps bypass this entirely and tie uploads to transactions and not users, so anybody that can get to the receipt can upload for that transaction. Depends on what type of security you need.
Sign In or Register to comment.