Losing login status when switching to payment gateway

We are integrating a payment gateway that has the following workflow:

  1. initiate a payment request
  2. receive payment URL from gateway
  3. redirect user to URL to pay
  4. user pays
  5. gateway redirects the user back to our website

The problem that I’m facing is that on their way back, they are no longer logged into the system. The only suspect that I have is that the gateway itself also holds a JSESSIONID cookie, otherwise, I’m not sure why the user is being logged out upon return. Any ideas would be greatly appreciated.


Sorry for the late reply, but if you’re still having this issue here’s something that might help.

I’ll just start from the beginning, because I’m not sure of the exact implementation of your system.

First off, the way a UserAccount is considered logged in in moqui is whether the session's ExecutionContext has a user.

In the qapps screen here the user is redirected to /Login if the ExecutionContext's session has no user. Also see this for how jsessionids are created and handled.

When redirecting the user to a URL for a payment gateway, I would imagine that the HTTP request has some kind of authentication to ensure who the user is, how much this user needs to pay, and who the payment is to. This is typically done with API credentials or an API key for the server that you are redirecting your user to.

However, the problem that you have is that after the gateway redirects the user to your website, the user isn’t authenticated. The user’s session is not there and the jsessionid cookie probably got deleted, because the user was redirected to a different website. So the problem that you have is that users are not being authenticated properly after being redirected to a different website. I’m not sure what the API looks like for your payment gateway, but I would imagine that this payment gateway has a way to authenticate redirected users. Whether that’s a username and password, or a token I am not sure, but it sounds like when the user is redirected, you need to authenticate them automatically based on the request that is sent to your server.

If I were you, I would find whatever protocol the payment gateway uses for authentication, and create a service in a specified place that takes in the parameters necessary for this authentication protocol and verifies that the parameters / credentials are correct. Once you have done that, import any data you need into the database and log the user in. When writing this service, if you are sure you have authenticated the user, then you can use the ec.user.internalLoginUser(username) method to log in the user without a password. But be very careful with this service and method, because if constructed improperly, it is basically the definition of a security risk.

Hope that your integration goes well 🙂

Hi @michael thank you for putting the time and effort thinking about this. I think your suggestion is really spot on. It doesn’t matter why I’m losing the login status, it could be many things, and so the idea to use internalLoginUser() after making all the checks and balances seems to be a proper solution. I just need to secure it and make sure no identity hijacking can happen.

Another important thing to note is that I do not lose my login status when leaving moqui; rather, the moment I lose login status is when the gateway redirects the user back to me. So whatever the reason is, it’s beyond my control, because it’s simply something happening in the user’s browser.

Also, I am now almost certain that the problem is JSESSIONID, because I have integrated with multiple payment gateways, and only those that have a JSESSIONID are causing this issue, so it must be a cookie overwrite upon URL redirect. Maybe this is simply a security feature in the browser to prevent some sort of cross-site attack.

Now, regarding what you asked about the API: there is literally none. The API is used before redirecting the user to pay; once the user is over there, there is no login stuff, just entering card information and paying, which then leads to another GET request back to my website, but with a loss of login as described above.

Thank you again for sharing your thoughts. I think I know exactly what to do now.


I’m glad that I could help. Good luck getting that working!

How about sending moquiSessionToken to payment gateway and then payment gateway sending moquiSessionToken back?

Hi @zhangwei

Hmm interesting idea and would add more security. I can set one of the UDFs (User Defined Fields) provided by the gateway which might do the job.

However, the session token (I guess it’s better to say X-CSRF-Token), as far as I understand it, does not log you into the system. From all my previous work on mobile apps with moqui, I can only ever log in using either A) the JSESSIONID or B) the api_key. Without these two I cannot proceed. Is my understanding incorrect here?

Hi @taher ,

I have tested it. And yes, moquiSessionToken does not log the user into the system. You have to find another way.
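Putting Michael's "verify everything, then internalLoginUser" advice and zhangwei's "send a token to the gateway and get it back" idea into one working shape, here is an added example; it is not code from this thread or from Moqui itself. The token that travels through the gateway's UDF is a random one-time nonce tied to a server-side record, not moquiSessionToken (which, as tested above, does not log anyone in). Everything below that is not Moqui API is an assumption: the entity PendingGatewayPayment (you would define it in your component's entity file), the UDF name udf1, the GATEWAY_SHARED_SECRET environment variable, and the signature scheme (hex HMAC-SHA256 over "gatewayRef|status|amount|udf1"), which you must replace with whatever your gateway actually documents.

```xml
<!-- GatewayServices.xml: added example, not from the thread or from Moqui. Assumed entity:
     PendingGatewayPayment(pendingId PK, returnNonce, userId, amount, createdDate,
     usedDate, gatewayRef, status). Assumed gateway: echoes udf1 back unchanged and signs
     the return as hex HMAC-SHA256 over "gatewayRef|status|amount|udf1" with a shared secret. -->
<services>

    <!-- Step 1: call this while the user is still logged in, right before the redirect.
         It returns a one-time nonce to send to the gateway as udf1. -->
    <service verb="create" noun="PendingGatewayPayment">
        <in-parameters><parameter name="amount" type="BigDecimal" required="true"/></in-parameters>
        <out-parameters><parameter name="returnNonce"/></out-parameters>
        <actions><script><![CDATA[
            if (!ec.user.userId) { ec.message.addError("Must be logged in to start a payment"); return }
            byte[] raw = new byte[32]
            new java.security.SecureRandom().nextBytes(raw)
            returnNonce = java.util.Base64.getUrlEncoder().withoutPadding().encodeToString(raw)
            ec.entity.makeValue("PendingGatewayPayment")
                    .setAll([returnNonce: returnNonce, userId: ec.user.userId, amount: amount,
                             createdDate: ec.user.nowTimestamp])
                    .setSequencedIdPrimary().create()
        ]]></script></actions>
    </service>

    <!-- Step 2: the gateway's return URL lands here. The browser arrives with no Moqui
         session, so the service accepts anonymous callers and does every check itself. -->
    <service verb="complete" noun="GatewayReturn" authenticate="anonymous-all">
        <in-parameters>
            <parameter name="gatewayRef" required="true"/>
            <parameter name="status" required="true"/>
            <parameter name="amount" type="BigDecimal" required="true"/>
            <parameter name="udf1" required="true"/>
            <parameter name="signature" required="true"/>
        </in-parameters>
        <actions><script><![CDATA[
            import javax.crypto.Mac
            import javax.crypto.spec.SecretKeySpec
            import java.security.MessageDigest

            // 2a. Authenticate the request itself (assumed scheme, see the file comment).
            String secret = System.getenv("GATEWAY_SHARED_SECRET")
            if (!secret) { ec.message.addError("Gateway secret not configured"); return }
            if (!(signature ==~ /(?i)[0-9a-f]{64}/)) { ec.message.addError("Malformed signature"); return }
            Mac mac = Mac.getInstance("HmacSHA256")
            mac.init(new SecretKeySpec(secret.getBytes("UTF-8"), "HmacSHA256"))
            String signed = "${gatewayRef}|${status}|${amount.toPlainString()}|${udf1}".toString()
            byte[] expected = mac.doFinal(signed.getBytes("UTF-8"))
            // Constant-time comparison; a plain == leaks how many bytes matched.
            if (!MessageDigest.isEqual(expected, signature.decodeHex())) {
                ec.logger.warn("Gateway return with bad signature for nonce ${udf1}")
                ec.message.addError("Invalid gateway signature"); return
            }

            // 2b. Bind the return to a request we created ourselves. The row lock means two
            //     copies of the same URL cannot both get past the usedDate check.
            def pending = ec.entity.find("PendingGatewayPayment")
                    .condition("returnNonce", udf1).forUpdate(true).one()
            if (pending == null || pending.usedDate != null) {
                ec.message.addError("Unknown or already used payment return"); return
            }
            if (pending.amount != amount) { ec.message.addError("Amount mismatch"); return }
            long ageMs = ec.user.nowTimestamp.time - pending.createdDate.time
            if (ageMs > 30L * 60L * 1000L) { ec.message.addError("Payment return expired"); return }

            // 2c. Burn the nonce before logging anyone in, so a replayed URL fails at 2b.
            pending.usedDate = ec.user.nowTimestamp
            pending.gatewayRef = gatewayRef
            pending.status = status
            pending.update()

            // 2d. Only now log in the user the record was created for. The username comes
            //     from our own database, never from anything in the request.
            def ua = ec.entity.find("moqui.security.UserAccount")
                    .condition("userId", pending.userId).one()
            if (ua == null || !ec.user.internalLoginUser((String) ua.username)) {
                ec.message.addError("Could not restore login after payment"); return
            }
        ]]></script></actions>
    </service>
</services>
```

To wire it up, point the gateway's return URL at a transition on a screen with require-authentication="false", have the transition call complete#GatewayReturn with the query parameters, and send the user to the order page on success and to /Login on error. Because ec.message.addError fails the service, every check above short-circuits before internalLoginUser runs, and the nonce is consumed on the same transaction that performs the login, which is what keeps the passwordless login from being reachable with anything other than a fresh, gateway-signed return for a payment this user started.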