Express Checkout - Invalid Token #318

Closed
angelleye opened this issue Sep 27, 2015 · 4 comments

@angelleye
Collaborator

We've been getting reports lately from users saying they are getting Invalid Token errors.

In most cases there are no matching order details, and no complaints from users that their order failed. I think it could be search engine crawlers hitting the script that generates the DECP request, which of course has no data, so then they get an Invalid Token error.

I did have one user verify in his logs that it was a Microsoft Bing server that caused it.

This never seemed to be an issue before, but now this past month or so I've been seeing quite a few reports of this. We need to take a look to see if the DECP calls could be happening from search crawlers somehow, and then figure out a way to make that stop.

@angelleye angelleye added this to the 1.1.6.3.8 milestone Sep 27, 2015
levansy2020 added a commit that referenced this issue Sep 28, 2015
@levansy2020
Contributor

I added a condition to make sure the TOKEN exists and to display a notice for the user too.

@angelleye
Collaborator Author

I see that you're using `if (!isset(WC()->session->TOKEN))`. I wonder if we should use `if (empty(WC()->session->TOKEN))` instead..?? This way even if the session is set but has no value it would still trigger our error.

Thoughts?

@levansy2020
Contributor

We have the `unset(WC()->session->TOKEN)` when the order is completed, so I think we do not need to check if it's empty or not.

@angelleye
Collaborator Author

I think I'm going to change it anyway. Using `empty()` will evaluate the same way `!isset()` would if the session simply is not set. If the session is set, though, but for some reason got wiped out, then `empty()` would catch that as well.
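
The difference between the two guards discussed in this thread, shown as an added example that is not the plugin's own code. `StubSession` and `makeSession()` are hypothetical stand-ins for a session object that exposes values through magic properties, and the token value is a constructed placeholder.

```php
<?php
// Hypothetical stand-in for a session object with magic properties
// (an assumption for this example; not WooCommerce or plugin code).
class StubSession
{
    private $data = [];

    public function __get($key)
    {
        return isset($this->data[$key]) ? $this->data[$key] : null;
    }

    public function __set($key, $value)
    {
        $this->data[$key] = $value;
    }

    public function __isset($key)
    {
        return isset($this->data[$key]);
    }

    public function __unset($key)
    {
        unset($this->data[$key]);
    }
}

// Hypothetical helper: build a session pre-filled with the given values.
function makeSession(array $values)
{
    $session = new StubSession();
    foreach ($values as $key => $value) {
        $session->$key = $value;
    }
    return $session;
}

// Constructed session states a checkout request could arrive with.
$afterUnset = makeSession(['TOKEN' => 'EC-PLACEHOLDER-TOKEN']);
unset($afterUnset->TOKEN); // what happens when the order is completed

$cases = [
    'never set'        => makeSession([]),                 // e.g. request with no checkout data
    'set, then unset'  => $afterUnset,
    'set to null'      => makeSession(['TOKEN' => null]),
    'set to ""'        => makeSession(['TOKEN' => '']),    // session exists, value wiped
    'token present'    => makeSession(['TOKEN' => 'EC-PLACEHOLDER-TOKEN']),
];

foreach ($cases as $label => $session) {
    // empty() on a magic property calls __isset() first, then __get().
    $byIsset = !isset($session->TOKEN) ? 'stop' : 'continue';
    $byEmpty = empty($session->TOKEN) ? 'stop' : 'continue';
    printf("%-16s !isset(): %-9s empty(): %s\n", $label, $byIsset, $byEmpty);
}
```

Only the empty-string case separates the two checks: `!isset()` lets the request continue, while `empty()` stops it before a request is built with a blank token.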
