Successful payments on already cancelled orders when using multiple tabs

[alexanderbug]

We have the problem that we receive some orders in the status "Canceled". Our analysis has shown that this is related to a security mechanism when the customer is in the checkout process and browses the store through multiple tabs.

We successfully receive the money from the customer, but the order is canceled.

to reproduce:

1. go to a PDP page and add the product to cart
2. open the PDP page in another tab in the same browser
3. with either tab complete the magento checkout with a post checkout payment selected (ex: online_bank_transfer_p24, Paypal)
4. redirect to the payment site, but do not complete the payment yet
5. switch to the other tab and continue to shop. The original order status will be set to cancelled in Magento
6. switch to payment tab and complete the payment process. The cancelled order is credited with a successful payment.

A good portion of the logic involved can currently be found in Payone_Core_Model_Handler_Cancellation::handle

brainstorming for magento-side solutions

• uncancel the order (risky)
• recognise order is cancelled and duplicate a new one (possible stock conflicts? order id disconnects)
• do not cancel pending orders until manually cancelled or timed out
  • notify customer session that a payment is pending or successfully processed with same quote id
  • empty cart in session after redirect 3rd party

brainstorming for payone-side solutions

• possiblity to break a 3rd party payment process?
• allow an order id to be updated after processing?

@fjbender & @igloominusx fyi

[hreinberger]

For the record: we're on it. thx @alexanderbug and @igloominusx for the thorough analysis!