[FW][FIX] payment_sips: prevent clearing the session cookie #72426
Closed
fw-bot
wants to merge
1
commit into
odoo:saas-12.3
from
odoo-dev:saas-12.3-12.0-OPW-2518377-payment_sips_sessions_cookie-awt-dO---fw
Conversation
When buying a product on website shop, after the payment with SIPS, the page is redirected to an Error message: "We are not able to find your payment, but don't worry. You should receive an email confirming your payment in a few minutes. If the payment hasn't been confirmed you can contact us."

To reproduce the error:
1. In Payment Acquirers, enable Sips
2. Go on website shop
3. Add a product to the cart, Checkout
4. Pay with Sips - Visa card number: 4100000000000000
5. Back to Web-shop, if the payment has been successfully processed, repeat steps 2 -> 4

Error: The message "Your payment has been successfully processed. Thank you!" is not displayed. Instead, the message "We are not able [...] you can contact us." is displayed.

This message is displayed when:
https://github.com/odoo/odoo/blob/5945806c151b13d9d4cc13aa0a6c96a6b1bbad5f/addons/payment/controllers/portal.py#L65-L69
i.e., when the transactions list is empty. Here is how to get the list:
https://github.com/odoo/odoo/blob/5945806c151b13d9d4cc13aa0a6c96a6b1bbad5f/addons/payment/controllers/portal.py#L38-L42

It uses the session of the request. The cookie `session_id` is used to identify the current session. However, after the payment on SIPS, the page is redirected to `/payment/sips/dpn` with a POST request. Since the session cookie has the attribute `SameSite=Lax` and the HTTP request is a POST, the cookie will be filtered out:
https://drive.google.com/file/d/1xfx3YWkfonO3nK-8Rew45uSoR4lkpjpY/view?usp=sharing
(Browser information: This cookie didn't specify a "SameSite" attribute when it was stored and was defaulted to "SameSite=Lax," and was blocked because the request was made from a different site and was not initiated by a top-level navigation. The cookie had to have been set with "SameSite=None" to enable cross-site usage)

As a result, the server creates a new one. This is the reason why the transactions list is empty: the list is based on a new session.

Adding the attribute `save_session = False` to the route will prevent the server from creating a new session cookie and adding it in the POST response.

OPW-2518377
X-original-commit: b60e157
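The mechanism described in the PR, as an added simulation that is not Odoo's code: a toy browser cookie jar applying the SameSite rule, and a toy server whose per-route flag plays the role of the `save_session` attribute. The rule modelled is the one from the cookie specification: a cookie without a `SameSite` attribute is treated as `Lax`; a `Lax` cookie is attached to a cross-site request only for a top-level navigation using a safe method (GET/HEAD), so the acquirer's cross-site form POST back to `/payment/sips/dpn` never carries it; `SameSite=None` works only together with `Secure`. The route paths, the `session_id` cookie name and the `__payment_tx_ids` session key are taken from the PR text; the `Server`, `Browser` and `checkout_with_sips` classes and functions, the transaction id `42` and the route table are constructed for this example.

```python
"""Toy model of the SameSite / session-cookie interaction from the PR.

Added example, not Odoo's code. The per-route boolean passed to Server
stands in for Odoo's `save_session` route attribute: False means "do not
persist a brand-new session or emit its Set-Cookie from this route".
"""
from __future__ import annotations

from dataclasses import dataclass
import secrets


@dataclass
class Cookie:
    name: str
    value: str
    samesite: str | None = None   # None: attribute absent; browsers default it to Lax
    secure: bool = True


def cookie_is_sent(cookie: Cookie, *, method: str, cross_site: bool,
                   top_level_navigation: bool) -> bool:
    """Browser-side SameSite decision (simplified from RFC 6265bis)."""
    mode = (cookie.samesite or "Lax").lower()
    if mode == "none":
        return cookie.secure              # SameSite=None is only honoured with Secure
    if not cross_site:
        return True                       # same-site requests always carry the cookie
    if mode == "strict":
        return False
    # Lax: cross-site only on a top-level navigation with a safe method.
    # A cross-site form POST (the return from the acquirer) is therefore filtered out.
    return top_level_navigation and method.upper() in ("GET", "HEAD")


class Server:
    """Session store plus a route table of save_session flags (constructed)."""

    def __init__(self, save_session_by_route: dict[str, bool]):
        self.sessions: dict[str, dict] = {}
        self.routes = save_session_by_route

    def handle(self, path: str, cookies: dict[str, str]) -> tuple[dict, Cookie | None]:
        sid = cookies.get("session_id")
        if sid in self.sessions:
            return self.sessions[sid], None          # existing session, nothing to set
        session: dict = {}                           # no usable cookie: fresh session
        if self.routes.get(path, True):              # save_session defaults to True
            sid = secrets.token_hex(16)
            self.sessions[sid] = session
            return session, Cookie("session_id", sid)  # Set-Cookie, SameSite left unset
        return session, None                         # save_session=False: nothing emitted


class Browser:
    """Cookie jar that applies cookie_is_sent before each request (constructed)."""

    def __init__(self):
        self.jar: dict[str, Cookie] = {}

    def request(self, server: Server, path: str, *, method: str = "GET",
                cross_site: bool = False, top_level: bool = True) -> dict:
        sent = {c.name: c.value for c in self.jar.values()
                if cookie_is_sent(c, method=method, cross_site=cross_site,
                                  top_level_navigation=top_level)}
        session, set_cookie = server.handle(path, sent)
        if set_cookie is not None:
            self.jar[set_cookie.name] = set_cookie   # a new Set-Cookie replaces the old session
        return session


def checkout_with_sips(dpn_saves_session: bool) -> bool:
    """Replay steps 2-5 of the PR; True if /payment/process still sees the transaction."""
    server = Server({"/payment/sips/dpn": dpn_saves_session})
    browser = Browser()
    # Shop and checkout on the merchant site: session created, transaction stored in it.
    session = browser.request(server, "/shop/checkout")
    session["__payment_tx_ids"] = [42]               # constructed transaction id
    # The acquirer sends the shopper back with a cross-site top-level POST.
    browser.request(server, "/payment/sips/dpn", method="POST",
                    cross_site=True, top_level=True)
    # Same-site GET of the status page: which session does it run on?
    session = browser.request(server, "/payment/process")
    return bool(session.get("__payment_tx_ids"))


if __name__ == "__main__":
    print("dpn route with save_session=True :", checkout_with_sips(True))   # False
    print("dpn route with save_session=False:", checkout_with_sips(False))  # True
```

The first call reproduces the bug: the cross-site POST arrives without `session_id`, the route persists a fresh session and its `Set-Cookie` overwrites the shopper's real session in the jar, so the later same-site GET finds no transactions. With the flag off, the POST still runs on a throwaway session, but no cookie is emitted, the original cookie survives, and `/payment/process` finds the transaction.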
This PR targets saas-12.3 and is part of the forward-port chain. Further PRs will be created up to master. More info at https://github.com/odoo/odoo/wiki/Mergebot#forward-port
Ping @adwid, @AntoineVDV
@fw-bot r+
robodoo
pushed a commit
that referenced
this pull request
Jun 21, 2021
(commit message body: same text as the PR description above)
OPW-2518377
closes #72426
X-original-commit: b60e157
Signed-off-by: Antoine Vandevenne (anv) <AntoineVDV@users.noreply.github.com>
Signed-off-by: Adrien Widart <adwid@users.noreply.github.com>
adwid
deleted the
saas-12.3-12.0-OPW-2518377-payment_sips_sessions_cookie-awt-dO---fw
branch
June 23, 2021 13:48
Forward-Port-Of: #72267