Payment Gateways and Contao 2.10+ Token request
How do we solve this problem? Maybe I'm just not seeing the answer?
You configure your gateway with a post-payment URL to redirect to; however, it wants to POST variables to checkout/complete.html (part of ModuleIsotopeCheckout). In 2.10+ this becomes a problem because it checks the token, and we can't pass the token, as it's generated per page request and NOT by the payment gateway.
Do I just disable the token request permanently?
Re: Payment Gateways and Contao 2.10+ Token request
I disabled the token system on 2.10. On 2.11 the token should stay the same for an entire session in the frontend; I requested that because I kept getting a yellow box complaining about invalid tokens. Can the token not be passed if you know it beforehand? I can imagine that not all payment gateways will support any return value...
Re: Payment Gateways and Contao 2.10+ Token request
It's not my system, I'm only coding the Isotope Payment Gateway, so I can't upgrade or touch the server installation. The token cannot be passed to the payment gateway anyway, as they don't preserve anything. Their results page is generated with only static or variables about the payment result, so creating the token would be impossible. I guess the only solution would be to disable the token system completely, since it's only 2.10.
Re: Payment Gateways and Contao 2.10+ Token request
Hmmm, in this specific case that is a problem. But I guess you are saying that even in 2.11 this would be a problem and you'd have to disable the system?
Perhaps, in such cases, exceptions should be able to be added to the token system (like accept POST data variables a, b and c from domain xyz.com without token). If the exceptions need to be added manually it is not a security problem per se if the origin can't be faked. What do you think? Would that help you, would it be a good solution and should I request it?
Re: Payment Gateways and Contao 2.10+ Token request
Hello Thyon, Ruud,
I wanted to know the end of your story because I have the same problem now on my homemade gateway. I'm on Contao 2.11.6 with Isotope 1.4.0 RC1 and whichever page I call (complete.html or another one not from the checkout module), I have the problem.
Has an update been planned for this issue? If that's not the case, is there a simple way to add an exception to the token system like you explained in your last post?
Thanks in advance.
Regards,