adamthedeveloper / wepay-rails

Collect payments from wepay in your rails application.
MIT License

Problem with using session to pass checkout info #30

Closed rbclark closed 11 years ago

rbclark commented 11 years ago

Hello!

First off, I want to say thank you for this gem; I have been using it for a project and it has been working nicely. I have been running into one problem, however, and I was hoping someone could point me in the right direction of patching it. I followed the setup example on the homepage; however, I noticed that in doing so I opened up a bit of a security hole in my site.

I have modified my checkout controller to be as follows

class Purchase::CheckoutController < ApplicationController
  include WepayRails::Payments

  def index
    # Look the order up by the id kept in the session (the approach this issue is about)
    begin
      @order = Order.find(session[:order_id])
    rescue ActiveRecord::RecordNotFound
      flash[:warning] = "You do not currently have any pending orders."
      redirect_to :root
      return
    end
    @item = Item.find(@order.item_id)
    checkout_params = {
      :amount => @order.total.to_f,
      :short_description => "Order",
      :long_description => "Your order for #{@order.quantity} #{@item.name.pluralize(@order.quantity)}",
    }
    init_checkout_and_send_user_to_wepay(checkout_params)
  end
end

and my finalize controller to be:

class Purchase::FinalizeController < ApplicationController
  def index
    # Fetch the WepayCheckoutRecord that was stored for the checkout
    wcr = WepayCheckoutRecord.find_by_checkout_id(params[:checkout_id])

    # The order still comes from the session here, which is the problem described below
    @order = Order.find(session[:order_id])
    @order.wepay_checkout_record = wcr
    # find_by_checkout_id returns nil for an unknown id, so guard before reading state
    @order.paid = true if wcr && wcr.state == 'authorized'
    @order.save

    redirect_to :root, :notice => "You have completed your purchase."
  end
end

However, I have noticed that since I am using the session, if a user goes back and creates a new order, they are able to override the first order stored in the session. I have tried looking into a way to save the session in the checkout controller; however, I have not found a way to do so. Am I missing something here that might work to get rid of this issue?

adamthedeveloper commented 11 years ago

Hi rbclark,

What I recommend is to find the order record based on the id of your authenticated user. In your orders table, do you have a column for user_id or client_id or something like that that ties the orders to a given user?

If you look at the example on the wepay-rails readme, you'll see we get the cart based on the current_account object. I agree that using the session to store an order id is not a good idea.

Are you using devise or some other authentication gem? What does your orders table look like?

Thanks - Adam

rbclark commented 11 years ago

Thank you very much for your reply! That's where I've been running into a problem: as of right now I am attempting to achieve the setup without actually adding an authentication system; more or less, users place the order and that's it. The orders table structure is as follows:

t.integer  "item_id"
t.string   "name"
t.string   "email"
t.string   "street_address"
t.string   "city"
t.string   "state"
t.integer  "quantity"
t.decimal  "total"
t.boolean  "paid",           :default => false
t.datetime "created_at",                        :null => false
t.datetime "updated_at",                        :null => false

It seems with my setup however the only way of reliably pulling off what I am trying to do is by hooking the order and the checkout record ID together before redirecting which doesn't seem possible.

thinkmorebetter commented 11 years ago

Could you use the reference_id field in the Wepay checkout to store the order_id and then look it up using it in the FinalizeController?
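
The approach suggested above, as an added example that is not part of this thread or of the wepay-rails gem: the order id travels to WePay as the checkout's reference_id, and the finalize step resolves the order from the stored checkout record instead of from session[:order_id]. It is plain Ruby with in-memory hashes standing in for ActiveRecord, so it runs offline; the `:reference_id` key in checkout_params, the `PaymentFlow` class and the constructed ids are assumptions, and it assumes the stored checkout record carries checkout_id, reference_id, state and amount as the WePay checkout object does. It also compares the stored checkout amount against the order total, a check the thread does not mention.

```ruby
# Added example, not code from wepay-rails or from the thread: bind each order to its
# WePay checkout through reference_id and resolve the order from the stored checkout
# record when finalizing, rather than from session[:order_id].
# Assumption: the stored checkout record has checkout_id, reference_id, state, amount.
require 'securerandom'

Order          = Struct.new(:id, :total, :paid, :checkout_id)
CheckoutRecord = Struct.new(:checkout_id, :reference_id, :state, :amount)

class PaymentFlow
  class FinalizeError < StandardError; end

  def initialize
    @orders    = {} # order id    -> Order          (stands in for the orders table)
    @checkouts = {} # checkout_id -> CheckoutRecord (stands in for WepayCheckoutRecord)
  end

  def create_order(total)
    order = Order.new(SecureRandom.hex(4), total, false, nil)
    @orders[order.id] = order
  end

  def order(id)
    @orders[id]
  end

  # CheckoutController#index equivalent. The order id is passed as reference_id
  # (hypothetical :reference_id key), so it comes back attached to the checkout
  # record instead of living in the session.
  def init_checkout(order)
    checkout_params = {
      amount: order.total,
      short_description: 'Order',
      reference_id: order.id
    }
    checkout_id = SecureRandom.hex(8) # WePay assigns this; constructed here
    @checkouts[checkout_id] = CheckoutRecord.new(
      checkout_id, checkout_params[:reference_id], 'new', checkout_params[:amount]
    )
    checkout_id
  end

  # Stand-in for the IPN callback that updates the stored checkout state.
  def mark_authorized(checkout_id)
    @checkouts.fetch(checkout_id).state = 'authorized'
  end

  # FinalizeController#index equivalent. Only checkout_id is client-supplied; the
  # order is derived from the record's reference_id, so an order started later
  # (which would have overwritten session[:order_id]) cannot be mixed up with it.
  def finalize(checkout_id)
    wcr = @checkouts[checkout_id]
    raise FinalizeError, 'unknown checkout' unless wcr
    order = @orders[wcr.reference_id]
    raise FinalizeError, 'checkout references no order' unless order
    # Not in the thread: refuse to mark paid if the checkout amount differs from
    # what the order expects.
    raise FinalizeError, 'amount mismatch' unless wcr.amount == order.total
    return order if order.paid # already finalized; nothing to change
    order.checkout_id = checkout_id
    order.paid = true if wcr.state == 'authorized'
    order
  end
end

if __FILE__ == $PROGRAM_NAME
  flow  = PaymentFlow.new
  first = flow.create_order(20.0)
  cid   = flow.init_checkout(first)
  later = flow.create_order(75.0) # started afterwards; no session involved
  flow.mark_authorized(cid)
  flow.finalize(cid)
  puts "first paid: #{first.paid}, later paid: #{later.paid}"
end
```

In a real Rails app the finalize action would do `WepayCheckoutRecord.find_by_checkout_id(params[:checkout_id])` and then `Order.find(wcr.reference_id)`; the point is that the session is no longer consulted at all, so creating a second order cannot change which order the first checkout pays for.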

adamthedeveloper commented 11 years ago

Agreed.....

rbclark commented 11 years ago

Thank you very much for pointing out the existence of that. I did originally try that; however, it caused an error the first time, most likely due to my mistake. I just went and tried it out again and it worked flawlessly. Thank you again for this and the great gem!

adamthedeveloper commented 11 years ago

You're welcome! Glad the gem is working out for you.