Issue With Miva Merchant Cookies - Please Verify

    Issue With Miva Merchant Cookies - Please Verify

    I discovered an issue earlier this week that I believe is a bug, but it's really hard to verify that since 1) We don't run a stock Miva Merchant store (who does really) and 2) This has to do with placing an order (so it makes it hard to test on someone else's store). Before I tear my hair out or submit any type of official bug to Miva Merchant, I would like some help verifying that my stores aren't the only ones having this issue.

    Back in 2010, we set up a post-order account creation. The setup is super simple and we never had a problem with it (we highly recommend it to everyone not in our industry; the results are staggering). Simplified, the process is basically a copy of the customer form from ACAD placed on the INVC screen with as much information prefilled from the order as possible. The form then submits to SFNT, which then redirects (old-school meta redirect) to a custom DASH screen we created.

    Fast forward to 2012 and we finally got around to upgrading to PR7 where Miva Merchant redid all of their cookies (I understand the changes, I like the changes, just hear me out). Since the upgrade, we have been having a problem that I just discovered this week (the problem is so subtle that we've never received a customer email about it).

    In the old setup (pre-PR7), when the customer got to the INVC screen and was presented with the create your account form, they simply entered a password, hit submit, and were then sent to their account dashboard (DASH). Once on this screen they could see their order and account information and even had an option to print their order receipt if they didn't do so before creating the account.

    With the new setup (post-PR7; we're actually on PR8 which I know isn't the latest and greatest), the process is breaking down. What is happening now, is when the customer gets to the INVC screen and is presented with that same exact form, they can still enter a password and hit submit, but they never make it to the DASH screen. The account does get created successfully, they are just not logged into the newly created account, so when they try to access DASH, they are kicked back to LOGN. I did a number of tests and tried to troubleshoot the problem the best I could, and this is what I found (and what I would like to see confirmed):

    When on the INVC screen, the order is created and the customer's basket is deleted (nothing new). The basket-id cookie that contains the session-id, however, is not expired. If the customer goes from INVC to any other Miva Merchant screen/page, the cookie persists, but it now points to a non-existent basket. Miva Merchant assigns a new session-id that you can access using the global:basket:session_id token, but the cookie is never updated properly. Now typically, the customer never notices this because when they try to do something that interacts with the basket, the basket-id cookie is finally updated.

    Now there could very well be more to this problem, but this is what I've discovered so far. I spent the last 2 days working on this and I have a less-than-pretty fix in place using the toolkit in a couple of places, but I would very much like to work to get this fixed.

    So how can you help? If you are a store owner, there are two fairly simple ways you can see if you are experiencing this same problem. (Please make note of your Miva Merchant version if you do try to help)
    1) If you have the post-order registration on your INVC screen (preferably a non-module version just to limit any behind the scenes fixes they might employ), then place an order WITHOUT using an account. Upon completion of the order, use your form to create an account. If you are logged in to your new account, then I've gone crazy and you are not experiencing this problem. If you are NOT logged in, then you are in the same boat I am in.
    2) If you don't use the post-order registration or you have a module version installed, then you can use something like Firebug or Chrome developer tools to watch your cookies. Before you hit submit on the OPAY screen, look at your mm5-X-basket-id cookie value. Once you hit submit and complete your order, does that cookie stay the same? Click to another Miva Merchant page (SFNT or LOGN), is the cookie value still the same? If so, then you are in the same boat as me.

    So what was my (temporary) fix? The fix (as always) lies in the tool kit. I used the headeroutput/vheaderoutput functions to expire the cookie on INVC and then create a new one if the customer tries to create an account. If this turns out to be a widespread bug I can post the quick fix if needed.

    tldr: Cookies aren't expiring after an order is placed, therefore maintaining a reference to a non-existent basket record.

    #2
    Re: Issue With Miva Merchant Cookies - Please Verify

    Hi Brandon,

    Unfortunately our sites don't utilize a post-order registration so I cannot test. However, I'm wondering if your issue is related to the session ID not passing to non-secure pages which was a new setting introduced in PR7.

    You mentioned that your process posts to the SFNT page and then redirects...is the SFNT loading non https when the form submits? If so it might explain the issue - with the new cookie / session management that comes with PR7 although the cookie is established and won't expire the proper session ID won't pass from secure to non-secure pages. We ran into a similar issue because our site's homepage and other pages are non-miva pages which replicates the same issue. I included some posts below that cover the nuances of the issue:

    http://extranet.mivamerchant.com/for...to-login-twice
    http://extranet.mivamerchant.com/for...ining-Constant
    http://extranet.mivamerchant.com/for...ropping-in-PR7

    Hopefully this helps or maybe I'm far off base...either way good luck :)



      #3
      Re: Issue With Miva Merchant Cookies - Please Verify

      The SFNT screen is secure. The redirect to DASH is also a secure page.

      I've seen a number of threads dealing with the HTTP/HTTPS cookie issues, but I don't think those apply here.

      Thanks for the ideas though.



        #4
        Re: Issue With Miva Merchant Cookies - Please Verify

        Hi again Brandon,

        No problem. After re-reading your original post I can see why the http/https PR7 issues most likely don't relate to this (was the first thing that popped into my head). So I decided to reconfigure my dev store to see if I can recreate (I like the idea of adding post-order account creation to my store so...). Here is what I found after placing several test orders:

        Scenario #1
        1. Placed ACAD similar form on INVC screen that goes to ACED screen (hidden fields are: name="Action" value="ICST" & name="screen" value ="ACED").
        2. Placed order without logging into an account (noted basket-id cookie value)
        3. After order processed filled out new account form on INVC screen and processed.
        4. Account is created and user sent to the ACED screen
        5. mm5-XXX-basket-id cookie value does NOT change; I'm NOT logged in

        Scenario #2 (push through multi-page redirect)
        1. Placed ACAD similar form on INVC screen that goes to redirect miva page (hidden fields are: name="Action" value="ICST" & name="screen" value ="LOGN_REDIRECT"). The 'LOGN_REDIRECT' screen does the following:
        Code:
        <meta http-equiv="refresh" content="0;url=&mvt:global:sessionurl;Screen=LOGN_REDIRECT2">
        The second redirect screen does the following:
        Code:
        <meta http-equiv="refresh" content="1;url=&mvt:global:secure_sessionurl;Screen=ACED">
        2. Placed order without logging into an account (noted basket-id cookie value)
        3. After order processed filled out new account form on INVC screen and processed.
        4. Account is created and user sent through the redirect screens and then to the ACED screen
        5. mm5-XXX-basket-id cookie value DOES change but....it appears I'm still NOT logged in??

        I will continue to test but wanted to share what I learned so far...



          #5
          Re: Issue With Miva Merchant Cookies - Please Verify

          Thanks for going through that work to test on your store. That is really helpful and the fact that we are both experiencing the same problem starts to point to a real problem.

          One more thing you can play with to see if you are seeing what I see is to print your Miva Merchant session id on the page.
          Code:
          &mvt:global:basket:session_id;
          One of the things I noticed was that after placing the order and the cookie persists, my basket session id was no longer matching the mm5-X-basket-id cookie value.
          Last edited by Brandon MUS; 12-26-12, 02:39 PM.

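The check described in posts #1 and #5 (watch the mm5-X-basket-id cookie across screens and compare it with the printed basket session id), as an added example that is not part of the original thread. It replays a constructed request trace and flags every screen where the browser's cookie no longer matches the session id the page reports; the trace values, the BASK step and the function names are assumptions, and expiry detection is simplified to Max-Age=0 or an empty value.

```python
from http.cookies import SimpleCookie

COOKIE = "mm5-X-basket-id"  # cookie name as written in the thread

# Constructed trace of one guest checkout (all values made up):
# (screen, Set-Cookie headers on the response,
#  session id printed on the page via &mvt:global:basket:session_id;)
TRACE = [
    ("OPAY", ["mm5-X-basket-id=aaa111; path=/"], "aaa111"),
    ("INVC", [], "aaa111"),   # order placed, basket deleted, cookie untouched
    ("SFNT", [], "bbb222"),   # new session id assigned, cookie still old
    ("LOGN", [], "bbb222"),
    ("BASK", ["mm5-X-basket-id=bbb222; path=/"], "bbb222"),  # basket action
]


def apply_set_cookie(current, headers, name=COOKIE):
    """Return the browser's value for `name` after applying Set-Cookie headers."""
    for header in headers:
        parsed = SimpleCookie()
        parsed.load(header)
        if name not in parsed:
            continue
        morsel = parsed[name]
        # Simplification: only Max-Age=0 or an empty value counts as expiry.
        expired = morsel["max-age"] == "0" or morsel.value == ""
        current = None if expired else morsel.value
    return current


def audit(trace, name=COOKIE):
    """Replay the trace; return (screen, cookie, page_id, stale) per screen."""
    cookie, rows = None, []
    for screen, headers, page_id in trace:
        cookie = apply_set_cookie(cookie, headers, name)
        # Stale: the browser still sends an id the server has moved on from.
        stale = cookie is not None and cookie != page_id
        rows.append((screen, cookie, page_id, stale))
    return rows


def stale_screens(trace):
    """Screens on which the cookie and the page's session id disagree."""
    return [screen for screen, _, _, stale in audit(trace) if stale]


if __name__ == "__main__":
    for screen, cookie, page_id, stale in audit(TRACE):
        print("%-5s cookie=%-8s page=%-8s %s"
              % (screen, cookie, page_id, "STALE" if stale else "ok"))
```

A trace in which the INVC response expires the cookie and the next screen issues a fresh one reports no stale screens.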


            #6
            Re: Issue With Miva Merchant Cookies - Please Verify

            No problem at all - if we move forward with adding this feature we would get there eventually anyways :)

            "One of the things I noticed was that after placing the order and the cookie persists, my basket session id was no longer matching the mm5-X-basket-id cookie value."

            Yes, I noticed this as well and think that is why I was able to get the cookie value/content to change in my "Scenario #2" above by pushing through the new session ID

            Code:
            url=&mvt:global:secure_sessionurl;
            I'm off for the day - will pick this up again tomorrow...



              #7
              Re: Issue With Miva Merchant Cookies - Please Verify

              I may be able to point you in the right direction.

              When you place an order and you are not logged in, your basket session ID expires on invoice. This is because the basket gets converted to an order, so the basket id is no longer available in the basket table.

              This is why you see the session id changing when you leave invoice. Miva is assigning you a new basket Id.

              In PR7 cookie and session management was re-written to be more secure. There are now separate secure and non secure cookies needed in order for you to properly be logged in.

              You need the secure cookie AND the non secure cookie in order to be logged in properly. This is why your account create is failing Post PR7. Since you are on a secure page and immediately going to another secure page the new non secure cookie is never being written.

              There are two ways you can fix this.

              1. Take the user to a non secure Miva page (which will set the new non-secure miva cookie) and have this page submit the form contents for the create account.

              2. Use a module like Easy Account Create from Phosphor Media to handle this for you

              http://www.phosphormedia.com/mm5/mer...=pm_easy_accnt
              Brennan Heyde
              VP Product
              Miva, Inc.
              https://www.miva.com



                #8
                Re: Issue With Miva Merchant Cookies - Please Verify

                So this seems to confirm my problem. Why doesn't Miva Merchant create a non-secure cookie when on a secure page? As far as I am aware, you are still able to designate a cookie as non-secure on https:// pages so that http:// pages can still access it. Say my site was delivered using HTTPS on 100% of the pages (a move I've heard of some sites making), would Miva Merchant simply not work because a non-secure basket cookie would never be set?



                  #9
                  Re: Issue With Miva Merchant Cookies - Please Verify

                  Because many PCI scanners fail people for doing it.
                  Thanks,

                  Rick Wilson
                  CEO
                  Miva, Inc.
                  https://www.miva.com



                    #10
                    Re: Issue With Miva Merchant Cookies - Please Verify

                    So if a site was 100% HTTPS, Miva Merchant wouldn't function? Or is that not accurate?



                      #11
                      Re: Issue With Miva Merchant Cookies - Please Verify

                      I don't think that's accurate, it fails on the hand off between non secure and secure, if you start secure and go non secure. We've designed it to go the other direction.
                      Thanks,

                      Rick Wilson
                      CEO
                      Miva, Inc.
                      https://www.miva.com



                        #12
                        Re: Issue With Miva Merchant Cookies - Please Verify

                        I'm confused then because my whole process I talk about in this thread is secure (INVC > SFNT > DASH is all secure), but the basket-id cookie never gets set until I go to a non-secure page. Would it be better to open a ticket? I might be able to tear apart our dev store and create a proof of concept if that's the best next step.
                        Last edited by Brandon MUS; 12-27-12, 03:12 PM.



                          #13
                          Re: Issue With Miva Merchant Cookies - Please Verify

                          I'm probably just wrong on my assumption. Burch is out of town until the 3rd, but maybe Brennan can jump back in on this. I don't think a ticket will help in this case.
                          Thanks,

                          Rick Wilson
                          CEO
                          Miva, Inc.
                          https://www.miva.com



                            #14
                            Re: Issue With Miva Merchant Cookies - Please Verify

                            Brandon,

                            I've read through this post with some interest as we make the EasyAccount that Brennan mentions. (And you are correct, no one should forsake this easy opportunity to get more customers creating accounts. Our reports show between a 30% and 70% increase in account creation...but I digress.)

                            It seems the problem is the use of the basket session id...so, I wonder what you use that ID for as our module doesn't use it (of course, it also does the work underneath the UI layer, but I still don't see why you need the basket id).
                            Bruce Golub
                            Phosphor Media - "Your Success is our Business"

                            phosphormedia.com



                              #15
                              Re: Issue With Miva Merchant Cookies - Please Verify

                              The basket-id is required to determine if the customer is logged in. Since the customer's basket-id cookie is not erased or updated on the SFNT screen, the customer loses their basket on the second screen they view.

                              Does your module automatically log the customer in to their new account after they create it on the INVC screen?
