[FIX] payment_sips: prevent clearing the session cookie #72267
@AntoineVDV Here it is :)
Nice! This is a welcome fix, especially since it addresses the issue at the cookies level :)
Two remarks:
- The commit title is not super clear about what it does IMHO. Something like "[FIX] payment_sips: prevent clearing the session cookie" would maybe make more sense when browsing the commit history.
- I'd add a comment that explains very clearly why there is a `save_session=False` in the route, or it will be lost someday soon.
When buying a product on website shop, after the payment with SIPS, the page is redirected to an Error message: "We are not able to find your payment, but don't worry. You should receive an email confirming your payment in a few minutes. If the payment hasn't been confirmed you can contact us."

To reproduce the error:
1. In Payment Acquirers, enable Sips
2. Go on website shop
3. Add a product to the cart, Checkout
4. Pay with Sips - Visa card number: 4100000000000000
5. Back to Web-shop, if the payment has been successfully processed, repeat steps 2 -> 4

Error: The message "Your payment has been successfully processed. Thank you!" is not displayed. Instead, the message "We are not able [...] you can contact us." is displayed.

This message is displayed when: https://github.com/odoo/odoo/blob/5945806c151b13d9d4cc13aa0a6c96a6b1bbad5f/addons/payment/controllers/portal.py#L65-L69 i.e., when the transactions list is empty. Here is how to get the list: https://github.com/odoo/odoo/blob/5945806c151b13d9d4cc13aa0a6c96a6b1bbad5f/addons/payment/controllers/portal.py#L38-L42

It uses the session of the request. The cookie `session_id` is used to identify the current session. However, after the payment on SIPS, the page is redirected to `/payment/sips/dpn` with a POST request. Since the session cookie has the attribute `SameSite=Lax` and the HTTP request is a POST, the cookie will be filtered out: https://drive.google.com/file/d/1xfx3YWkfonO3nK-8Rew45uSoR4lkpjpY/view?usp=sharing (Browser information: This cookie didn't specify a "SameSite" attribute when it was stored and was defaulted to "SameSite=Lax," and was blocked because the request was made from a different site and was not initiated by a top-level navigation. The cookie had to have been set with "SameSite=None" to enable cross-site usage.) As a result, the server creates a new one. This is the reason why the transactions list is empty: the list is based on a new session.

Adding the attribute `save_session = False` to the route will prevent the server from creating a new session cookie and adding it in the POST response.

OPW-2518377
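The cookie rule and the session-replacement behaviour described in the commit message, as an added example (not code from the Odoo PR): a constructed model of the browser's SameSite decision and of a server that mints a session whenever no valid session cookie is presented. The names `cookie_sent`, `Server` and `checkout_flow` and the two site names are assumptions made for the illustration.

```python
import secrets

# Added example, not code from the Odoo PR. Constructed model of the browser's
# SameSite rule (RFC 6265bis) and of a server that mints a session when no
# valid session cookie is presented, mirroring the DPN POST problem.

def cookie_sent(samesite, cookie_site, initiator_site, method, top_level):
    """Would the browser attach the cookie to a request started by initiator_site?"""
    if initiator_site == cookie_site:
        return True                      # same-site requests always carry it
    if samesite == "None":
        return True                      # cross-site allowed (must also be Secure)
    if samesite == "Lax":                # browser default when unspecified
        return top_level and method in ("GET", "HEAD")
    return False                         # Strict: never on cross-site requests

class Server:
    def __init__(self):
        self.sessions = {}               # session_id -> data (e.g. transaction ids)

    def handle(self, presented_sid, save_session=True):
        """Return (session id used, Set-Cookie value or None)."""
        if presented_sid in self.sessions:
            return presented_sid, None   # known session: nothing to set
        sid = secrets.token_hex(8)       # no valid cookie: fresh session
        self.sessions[sid] = {}
        # save_session=False: the route still runs, but no cookie is sent back
        return sid, (sid if save_session else None)

def checkout_flow(save_session):
    """Shop checkout -> SIPS -> DPN POST -> /payment/process; returns (original sid, final sid, tx ids seen)."""
    shop, sips = "shop.example", "sips.example"   # constructed site names
    srv, browser_cookie = Server(), None
    # 1. Checkout on the shop (same-site): session created, cookie stored
    sid, set_cookie = srv.handle(browser_cookie)
    browser_cookie = set_cookie
    srv.sessions[sid]["tx_ids"] = [42]
    # 2. SIPS POSTs the browser back to /payment/sips/dpn: a cross-site POST
    sent = browser_cookie if cookie_sent("Lax", shop, sips, "POST", True) else None
    _, set_cookie = srv.handle(sent, save_session=save_session)
    if set_cookie:
        browser_cookie = set_cookie      # Lax dropped the cookie: session replaced
    # 3. Redirect to /payment/process is a top-level GET, which Lax allows
    sent = browser_cookie if cookie_sent("Lax", shop, sips, "GET", True) else None
    final_sid, _ = srv.handle(sent)
    return sid, final_sid, srv.sessions[final_sid].get("tx_ids", [])
```

With `save_session=True` the DPN response overwrites the browser's `session_id` and the later `/payment/process` request finds no transactions; with `save_session=False` the original cookie survives.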
@robodoo r+
closes #72267
Signed-off-by: Antoine Vandevenne (anv) <AntoineVDV@users.noreply.github.com>
Some more context information about this patch. References:

What about Odoo?
Odoo does not specify the new The 2 other modes for
So,
Note: the only cookie where this generally matters is When using an Odoo-based website, we're normally in one of the 2 situations where the However at that point, the Odoo server will see no user session, and will assign a new session, returning a new

Solutions?
There are two simple solutions to avoid this issue:
This PR implements solution 2), to work around the behavior of the SIPS integration for the DPN POST request, with minimal changes.

Q: The devtools console tells me that Odoo cookies are going to be rejected soon!
Over time browsers have updated their developer warnings, and just like the implementations, the warnings are often incorrect, partial or misleading. The current specifications as described in RFC 6265bis clearly state that the behavior when no When integrations fail due to cookies being restricted, the solution cannot be to change the
@odony Wow, that was incredibly clear and informative. This should definitely be integrated into the doc!
Sounds good, but iframes are impacted as well. I propose that we do the following in odoo/http.py: change 'set_cookie'
From:
To:
This way, the default behavior will be as is today, while giving SaaS users an option to change it in system parameters if they need it.