Ecart 5 - Paypal Standard - Clearing the Cart on Success

Hi,

I have setup a cart using Ecart 5 and PayPal standard payments.

I have got the IPN working and updating my cart by passing the order_id in the "custom" field and then using this to update my orders.

On the checkout_success.php page, I have included the code outlined on http://www.webassist.com/forums/posts.php?id=20025, which works a treat. (My cart is a basic one at the moment - I'm not worried abut users logging in and storing their details at present).

My issue is that once a customer makes a payment, if they choose not to return to the checkout_success.php file by typing the URL of my shopping cart into a browser, their cart is still populated. What is worse is that now they can add extra items to their order, and because a payment has been made for that order id, they could add items to their order, press "checkout", and the system thinks they have items that they haven't paid for.

What I am after is if there is a way to clear the cart if an order_id is set in the session on load of the cart, will this work?

Or, I can set some validation on the checkout button (or confirm.php page), where the system checks the status based on the order id and maybe throws and exception or clears the session at that point to prevent anyone manipulating this flaw.

Or, I could use the mc_gross field recieved from the IPN, store this in the DB, and then flag up a possible security issue in the administration system, but this seems a bit messy to me.

I've been looking at the forums, and can't find any similar issue on the forums, hopefully this an easy fix.

Thanks,

Aled

paypal should automatically return them to the success page.

on the confirm page, the form that sends the details to paypal has a variable for the return URL, make sure that this is set to the site address for the success page so that paypal will automatically load the success page after the payment is complete.

Hi Jason,

Thanks for your reply. I think I've got this fixed now.

I was submitting the return URL as a hidden field. The issue I had was that after making a payment through PayPal, the user can still type the URL of your cart (e.g. http://example.com/cart.php) in the address bar, or press back before being transferred to the checkout_success.php page. This is easier on PayPal as they can give a user notifying "You will be redirected in 10 Seconds", in which time they can just type the URL easily.

By doing this, a payment could be processed for one item, this would then, in time, notify my system via the IPN that the order id's status is complete. By just going direct to the cart page and not killing the session, the user can return to the cart, add more items to an order, press checkout, and without even going to PayPal, they can increase their order and make it look like they have paid for many more items than they actually have (although I'd recommend all clients check their orders and check it against their PayPal transactions), which was a bit of a security flaw for me.

What I did was (using Data Assist's Clear Session Values) create the following snippet. This checked if the session had a order id set, if so, it would clear all session variables.

@session_start();
if (isset($_SESSION['shop_OrderID']) && !empty($_SESSION['shop_OrderID'])){
// WA_ClearSession
$clearAll = TRUE;
$clearThese = explode(",","");
if($clearAll){
foreach ($_SESSION as $key => $value){
unset($_SESSION[$key]);
}
}
else{
foreach($clearThese as $value){
unset($_SESSION[$value]);
}
}
}

Is this correct? I've tested it a few times, and it appears to work fine.

Also, if you pass the notify_url as a hidden field on your confirm page, you can set the URL you wish the IPN notification to be sent to, rather than configure it manually in your PayPal account. (took me a while to spot that one).

Thanks,

Aled

That code to clear the session looks like it should work, I would probably put it on the cart display page.

Thanks Jason - I've put it on the cart display page as mentioned. I think I may put it on the address page as well, as someone could modify delivery details of an order if they go directly to that page.

Although doing this might impact the "Modify Information" feature on the confirm page.

Will test it tonight, but don't think it's THAT huge a problem.

Thanks again,

Aled