dongwei4103 2011-06-10 20:28
浏览 87
已采纳

RBS Worldpay(HTML重定向)中的付款响应(回拨)功能无法使用我的Cookie和会话数据

I am currently working on integrating a PHP/MySQL-based e-commerce website I manage with the RBS Worldpay payment gateway. Here is my problem:

A customer fills up his shopping basket and as he does so, the contents get stored in the $_SESSION global array as well as being stored in a cookie. When the customer checks out he gets sent to the Worldpay pages to put in his payment details. I am using the "Payment response"/callback feature to redirect a successful payment to my own page, "confirmation.php", which tells the customer all is well, plus does some database queries in the background.

All fine!

HOWEVER, I also at this point wish to empty the shopping cart data from the $_SESSION array as well as get rid of the cookie. So fine, I just use:

$_SESSION['cart'] = array();
setcookie('cart', '', 0, '/');

But this doesn't work. And it has to do with the fact that the URL for this redirected page is actually https://secure-test.wp3.rbsworldpay.com/wcc/purchase rather than www.mysite.co.uk/confirmation.php. As a test, I had my confirmation page echo the phpinfo() and from the $_SERVER vars, everything seems to be fine, eg:

_SERVER["DOCUMENT_ROOT"]    /var/www/vhosts/mysite.co.uk/httpdocs
_SERVER["SCRIPT_FILENAME"]  /var/www/vhosts/mysite.co.uk/httpdocs/confirmation.php
_SERVER["SERVER_PROTOCOL"]  HTTP/1.0
_SERVER["REQUEST_METHOD"]   POST
_SERVER["QUERY_STRING"] installation=[xxxxxx]&msgType=authResult
_SERVER["REQUEST_URI"]  /confirmation.php?installation=xxxxxx&msgType=authResult
_SERVER["SCRIPT_NAME"]  /confirmation.php
_SERVER["PHP_SELF"] /confirmation.php
_SERVER["HTTP_USER_AGENT"]  WJHRO/1.0 (WorldPay Java HTTP Request Object)

So it seems that because of the fact that the URL is pointing to a different domain, my script can't access the $_SESSION and $_COOKIE data, nor manipulate it. I don't know how this Worldpay system is doing it, it's not an iframe or anything like that, but I suspect it has to do with the user agent - "WJHRO/1.0 (WorldPay Java HTTP Request Object)"

Is anyone familiar with this? How can I get around this?

Thanks for reading!

Michael

  • 写回答

1条回答 默认 最新

  • donglvlao8367 2011-06-10 21:08
    关注

    When WorldPay finishes processing payment (remember: you do not know what customer did there as all operations with card details were performed on WorldPay's site) it sends a POST request to you informing with the outcome of transaction (accepted, rejected, customer cancelled etc). It is done directly from their servers and not from customer computer/browser, therefore you cannot match this request with your existing checkout session (I assume you are doing some e-commerce site here) that belongs to the customer.

    When redirecting customer to WorldPay you need to pass additional information together with the required fields. Such fields have MC_ prefix and you can pass quite a few of them (I did this over 2 years ago and do not remember all the details).

    You need to send enough info in those fields (but as less as possible and encrypt them) so when such POST request from WorldPay comes to your confirmation.php you extract those additional fields and restore the session (look towards session_id() and related functions) or something similar (depends how you implement your session handling; in case if session data is stored in DB -- that's even easier -- you can easily impersonate the session as long as you know session id) and continue with the checkout.

    Keep in mind, that the output of your confirmation.php will be sent back to WorldPay and not to the customer. WorldPay will process that page first and then display it to the customer. Therefore this page should be VERY simple (very basic interface otherwise some tags can be removed by WorldPay) and it should just redirect your customer back to your website (for example, to real_confirmation.php) where you will have full access to the customer session etc and you will show the proper confirmation page. You can achieve such redirect with simple JavaScript or metatag (e.g. <meta http-equiv="refresh" content="2;url=http://www.example.com/real_confirmation.php">).

    You have to double check this as it was over 2 years as I have coded this and do not currently have all the code with me and situation/rules could change since then (P.S. we are no longer using WorldPay and therefore I cannot confirm that my code would 100% work now -- they may have done changes to the whole process since then).

    本回答被题主选为最佳回答 , 对您是否有帮助呢?
    评论

报告相同问题?

悬赏问题

  • ¥15 基于卷积神经网络的声纹识别
  • ¥15 Python中的request,如何使用ssr节点,通过代理requests网页。本人在泰国,需要用大陆ip才能玩网页游戏,合法合规。
  • ¥100 为什么这个恒流源电路不能恒流?
  • ¥15 有偿求跨组件数据流路径图
  • ¥15 写一个方法checkPerson,入参实体类Person,出参布尔值
  • ¥15 我想咨询一下路面纹理三维点云数据处理的一些问题,上传的坐标文件里是怎么对无序点进行编号的,以及xy坐标在处理的时候是进行整体模型分片处理的吗
  • ¥15 CSAPPattacklab
  • ¥15 一直显示正在等待HID—ISP
  • ¥15 Python turtle 画图
  • ¥15 stm32开发clion时遇到的编译问题