CSRF 070 paypal express

a9k Member
in Bugs & Feature Requests edited April 2011
Just a heads up something might be odd.
solari cart v070 paypal express

Looks like Patricia S. [EDIT: Last name redacted] tried in transaction 3494524 several times to buy a subscription over 20 minutes. But it didn't take - all kinds of log entries about bad form data and CSRF. The transaction didn't make it into the cart so I guess she never got it right.

We're going to give her a call tomorrow.
Comments
  • brett FoxyCart Team
    When you call her... can you ask her how she got to the checkout page? The CSRF should work fine unless she was using the back button or reloading the checkout page or doing anything else to disrupt the order flow.

    We'll take a look at this, and we have seen that the CSRF errors are more prevalent with PayPal transactions, but we haven't yet been able to actually make this a "bug" as opposed to a "yeah, that's what'd happen if you did that specific behavior." That said though... we're definitely interested. Please (please) let us know what you hear from her.
  • a9k Member
    She got a notice for renewal.
    She went to renew via link.
    Clicked pay with paypal.
    Signed into paypal to pay.
    Something asked for a password - which she didn't remember. So she asked for a new password (probably paypal but she isn't sure)
    She put that temporary password in and "it said it retrieved my information". I think that's paypal's words.
    Then she "couldn't get any further because password didn't work", but she kept trying.
    I think she put the PayPal password into Foxy cart page.

    We are going to walk her thru it again today. It will help us two ways - get a customer and see if the transactions clear paypal since no CC transactions are getting thru to paypal since we switched to 070 (5 days no renewals - definitely something BAD is going on).
  • a9k Member
    Wow, this is weird. She couldn't get thru on her Mac in safari or firefox.
    She switched to her PC and it all worked fine.
    The error she got was Invalid password on the foxy checkout page where you can update your customer information.
    But the exact same (temporary) password worked on her PC.
  • luke FoxyCart Team
    There's a lot going on here... are the password issues related to the CSRF errors?

    As for no renewals.. are these subscriptions or normal transactions or...? I do see successful transactions coming through for your store. If these are subscriptions, are you seeing any errors related to subscription payments?

    As for the password not working on her mac, is she using some kind of keychain password reminder tool that might be populating the old (incorrect) password for her automatically?
  • a9k Member
    Yes, the CSRF errors are her trying to put in the foxy temp password and then going back - probably causing some post to happen again.

    I think I whispered Brett on the transactions problem - not related to this gal - hers is just using "invalid password over and over". Yes, Macs do auto fill things but the behavior is different between safari and firefox and both caused her problems. I'm also wondering if she has the PC wired and mac wifi. There may be a network difference.

    Anyway Brett was hoping for more details and I gave as many as I could get out of her.
  • brett FoxyCart Team
    So just to confirm, ... the temp password didn't work on Safari or Firefox on a Mac but did on a Windows computer?

    That _really_ shouldn't happen. There's pretty much nothing that could possibly go wrong there, and given her previous troubles I'm thinking the most likely explanation is user error, perhaps in mistyping on an Apple keyboard but getting it right on the Windows keyboard. I hate to blame the user, but there's really just nothing that could get screwed up in transmitting 8 alphanumeric characters.

    Thoughts? You were dealing with the customer, so you'd probably have the best feel of whether it might have been user error.
  • a9k Member
    Customer service talked to her. I suspect auto fill of the password field messed her up. Some browsers (Chrome comes to mind) are bad about auto filling even after you think it could never happen.
  • brett FoxyCart Team
    Interesting. Thanks for getting back to us, @a9k.

    We have autocomplete="off" on the email field, but not on the password field(s). I don't think it's ever come up, so we haven't thought of it, but perhaps we should add that to our next version. I use 1password personally so I don't use browser autocomplete, but maybe I'll set Chrome up to autocomplete with some dummy data to see what happens. Very useful to at least have a direction to look. Thanks again.