HSBC secure-epayment module



Martin,

 

Another thing to check is in the oscommerce admin section, under configuration | sessions. Make sure you have the following:

 

Force Cookie Use: False

Check SSL Session ID: False

Check User Agent: False

Check IP Address: False

Prevent Spider Sessions: True

Recreate Session: True

 

Let me know how you get on.

 

Regards

 

Neil Westlake


Check in includes/configure.php that your http and https cookie domains are correct. Neither of them should contain http:// or https:// - the cookie_domain is a domain and not a url.

 

Vger


Martin,

 

Another thing to check is in the oscommerce admin section, under configuration | sessions. Make sure you have the following:

 

Force Cookie Use: False

Check SSL Session ID: False

Check User Agent: False

Check IP Address: False

Prevent Spider Sessions: True

Recreate Session: True

 

Let me know how you get on.

 

Regards

 

Neil Westlake

 

Thanks for the responses.

 

Force Cookie Use: False

Check SSL Session ID: False

Check User Agent: False

Check IP Address: False

Prevent Spider Sessions: True

Recreate Session: True

 

Changed to this setting and double-checked the cookie paths, all OK. Still the same result.


hello,

 

I've been using oscommerce on a secure (https) server for some time now, installed many contributions etc, and previously been running with the securetrading payment method which has been working fine. I'm trying to install this HSBC module (Version 3.1) but I'm having a little trouble, so wondering if any of you guys might be able to help (or even point me towards a better/different version to try). Anyway..

 

Here's what i've done so far:

 

i've checked in my admin>configuration>sessions and i have the following settings:

 

Force Cookie Use: False

Check SSL Session ID: False

Check User Agent: False

Check IP Address: False

Prevent Spider Sessions: True

Recreate Session: True

 

--------------------------------------------------------------------------------

I've uploaded to includes>modules>payment>hsbc.php and changed the following inside:

--------------------------------------------------------------------------------

 

changed the path to my linux files which i uploaded from the HSBC CD:

 

//Path where the TestHash.e executable is located

$path='/home/****/cgi-bin';

 

 

 

I've changed

 

//Returns the hash

$hash=trim($ret[1]);

return($hash);

 

to include this between the last two lines:

 

print ">>>>>>$hash<<<<<<"; #<put this line in>

 

(in the checkout process it shows my successfully generated codes)

 

I've changed the currency to

 

$currency_code = 'GBP';

 

 

I've left the time settings on "0" as I'm on GMT..

 

--------------------------------------------------------------------------------

in checkout_process.php

 

i've added this before the include for application_top.php

 

 

if (!empty($_POST['MerchantData'])) $_GET['osCsid']=$_POST['MerchantData'];

 

 

----------------------------------------------------------------------------------

 

I've also added this to hsbc_return.php

 

if ($order_hash!=$hash) die ("Hacking atempt! - orderHash=".$order_hash." hash=".$hash);#

 

which showed that my store is generating the codes:

 

Hacking atempt! - orderHash=E6PpsswlAXRzvrmNysC9jurcWGg= hash=eALQYg4eprqDC+9EkNBjH9lNNKs=

 

 

and

 

this:

 

tep_redirect(tep_href_link(FILENAME_CHECKOUT_SUCCESS, '', 'SSL'));

 

to this:

 

tep_redirect(tep_href_link(FILENAME_CHECKOUT_PROCESS, '', 'SSL', true));

 

--------------------------------------------------------------

 

 

I think that's all I've done. I've entered my client ID which ends in GBP, and my hash key, and each time I try to make an order, after the last page of the oscommerce checkout process it quickly says "CPI Thankyou" and then instantly takes me to hsbc_return.php and says "hacking attempt" and shows my order hash and hash (which are both generated)

 

:(

 

has anyone got any ideas about what i might be able to check? i can't even get to the hsbc page to enter any card details :(

 

Thanks in advance,

Kev

:)


i've not tried changing in hsbc.php the time bit to this:

 

//Change the 0 if your server is located at a different GMT time

// $time=($time+(0*3600));

// $time=$time*1000;

$time = $time."000";

 

 

and i'm still getting straight back to the hacking attempt page :(


^^oops.. in the previous post i meant that i HAVE changed the above code to what i've pasted..

 

i've also done this and still get bounced straight to the hacking attempt page:

 

'CpiDirectResultUrl'=>tep_href_link('checkout_process.php', '', 'SSL', true),

'CpiReturnUrl'=>tep_href_link('hsbc_return.php', '', 'SSL', true),


i've not tried changing in hsbc.php the time bit to this:

 

//Change the 0 if your server is located at a different GMT time

// $time=($time+(0*3600));

// $time=$time*1000;

$time = $time."000";

and i'm still getting straight back to the hacking attempt page :(

 

You are getting a hash generation, which is promising, but your hash values should match and they don't, as you can see! That is why you get your hacking attempt. I would check your hash key is correctly typed.

 

Cheers Eric.


You are getting a hash generation, which is promising, but your hash values should match and they don't, as you can see! That is why you get your hacking attempt. I would check your hash key is correctly typed.

 

Cheers Eric.

 

 

hello Eric, thanks for your speedy reply!!

 

do you mean that these two bits don't match up?

 

orderHash=E6PpsswlAXRzvrmNysC9jurcWGg=

hash=eALQYg4eprqDC+9EkNBjH9lNNKs=

 

if so, i can keep checking myself until they do!!

Thanks again :)

 

 

----------------------------------------------------------

 

and hello Vger!!

 

thanks too for replying so quick, i'm already starting to pull out what's left of my hair!!! ;)

 

Sorry to be dumb, but is it the $path='/home/****/cgi-bin'; bit which you think I should look at, or something different?

 

Thanks again, your help is soooooo much appreciated!!!

 

Kev :)


hello Eric, thanks for your speedy reply!!

 

do you mean that these two bits don't match up?

if so, i can keep checking myself until they do!!

Thanks again :)

----------------------------------------------------------

 

Yes the long scrambled texts should match , else the script "dies".

 

 

 

I bow to Vger's better knowledge on this subject, however I had trouble generating the hash key on my server, it turned out to be the required library (well the version of it) was not installed on the server. So I would say that the fact that you are getting a hash key would suggest your path to your library is correct.

 

Cheers Eric.


Check in includes/configure.php that your http and https cookie domains are correct. Neither of them should contain http:// or https:// - the cookie_domain is a domain and not a url.

 

Vger

 

Would it require the "www." to be removed also?

 

Thanks

Eric.


Full ssl certs are made out either to www.yourdomain.com or just yourdomain.com - depending on your server setup. For https_cookie_domain on a full ssl you should use the domain your full ssl cert is made out to, but if it's a shared ssl then it should not contain www. at all

 

This is the Library path I'm referring to:

//Path where the TestHash.e executable is located

$path='/var/www/cgi-bin/';

 

putenv("LD_LIBRARY_PATH=$path");

 

If you look through this thread you'll find the name of the library file that must be installed at that location (sorry, can't remember it offhand).

 

Vger

Edited by Vger

Full ssl certs are made out either to www.yourdomain.com or just yourdomain.com - depending on your server setup. For https_cookie_domain on a full ssl you should use the domain your full ssl cert is made out to, but if it's a shared ssl then it should not contain www. at all

 

 

Vger

 

Hi thanks for the suggestions,

 

I've tried both ways, any further ideas? I am getting an order entered whether the customer completes the hsbc cpi or cancels it; both return to the "your shopping cart is empty" screen.

 

It has been working previously; I have no idea what's changed. The only thing I can think of is I installed the Purchase without account contribution, which I removed and rolled back to my previous install, as it was returning customer cancelled at the end of the cpi process (so money was taken but no order - not the best).

 

I've done a compare to a clean version of OSc; nothing looks out of place, all amendments have been done as per instructions.

 

What do the true false values represent in the redirects??, people seem to have them all ways round.!! :huh:

 

I have my sessions stored set to mysql. Is that right?

 

Could someone post or pm working hsbc_return.php,hsbc.php files perhaps I could do a compare.

 

Stuck completely..

 

cheers Eric.


Hi

 

Like many before me, judging by the pages I have read on this thread, I am struggling with implementing the hsbc interface. With the forum's help I have cracked some of the problems, e.g. I have sorted out the hashes and got to the hsbc pages. What I find often happens on return is that the session information seems to be lost and I end up on the shopping page telling me that the cart is empty - although the items I ordered are in fact in it still. The url for this page has the value $sequence from hsbc.php as the osCsid value (which is passed to hsbc as OrderID). Alternatively I end up on the order success page but there is no order in the database.

 

I have set the sessions configurations as per the suggestion in recent postings. I have set the redirect at the bottom of hsbc_return.php to

$MerchantData = $_POST['MerchantData'];

tep_redirect(tep_href_link(FILENAME_CHECKOUT_PAYMENT, 'error_message=' . urlencode($error), 'SSL', false, false).'&osCsid='.$MerchantData);

 

I have also altered the return urls to include the session id as previously suggested eg.

 

'CpiDirectResultUrl'=>tep_href_link('checkout_process.php', '', 'SSL', true),

'CpiReturnUrl'=>tep_href_link('hsbc_return.php', '', 'SSL', true),

 

I'm definitely at the tearing hair out stage and any suggestions would be welcome.


Hi

 

Like many before me, judging by the pages I have read on this thread, I am struggling with implementing the hsbc interface. With the forum's help I have cracked some of the problems, e.g. I have sorted out the hashes and got to the hsbc pages. What I find often happens on return is that the session information seems to be lost and I end up on the shopping page telling me that the cart is empty - although the items I ordered are in fact in it still. The url for this page has the value $sequence from hsbc.php as the osCsid value (which is passed to hsbc as OrderID). Alternatively I end up on the order success page but there is no order in the database.

 

I have set the sessions configurations as per the suggestion in recent postings. I have set the redirect at the bottom of hsbc_return.php to

$MerchantData = $_POST['MerchantData'];

tep_redirect(tep_href_link(FILENAME_CHECKOUT_PAYMENT, 'error_message=' . urlencode($error), 'SSL', false, false).'&osCsid='.$MerchantData);

 

I have also altered the return urls to include the session id as previously suggested eg.

 

'CpiDirectResultUrl'=>tep_href_link('checkout_process.php', '', 'SSL', true),

'CpiReturnUrl'=>tep_href_link('hsbc_return.php', '', 'SSL', true),

 

I'm definitely at the tearing hair out stage and any suggestions would be welcome.

 

Here's what I have in mine

 

if ($CpiResultsCode=='0')

{

tep_redirect(tep_href_link(FILENAME_CHECKOUT_SUCCESS, '', 'SSL',false).'?osCsid='.$GLOBALS["MerchantData"]);

}

 

and then the same for the redirect later on based on allowed errors,

 

if (in_array($CpiResultsCode,$codes))

{

tep_redirect(tep_href_link(FILENAME_CHECKOUT_SUCCESS, '', 'SSL',false).'?osCsid='.$GLOBALS["MerchantData"]);

}

 

Email me if you want the complete file, martin(at sign :-) )aeonit.co.uk

 

Martin


i put some code in the hsbc return to see why i was getting the hack attempt and i got this:

 

Hacking atempt!! - orderHash=LpmOlP/t0KTXGjQd3PAsq/FHIYg= hash=/kunden/homepages/16/d30073812/htdocs/temp/waterworks/hsbc/TestHash.e

 

any ideas?


This is the Library path I'm referring to:

If you look through this thread you'll find the name of the library file that must be installed at that location (sorry, can't remember it offhand).

 

Vger

 

 

hello, Thanks again for your help.. I've found a version of the libCcCpiTools.so file that was already on our server.. here's the info from it:

 

 

ELF Header:
 Magic:   7f 45 4c 46 01 01 01 00 00 00 00 00 00 00 00 00 
 Class:							 ELF32
 Data:							  2's complement, little endian
 Version:						   1 (current)
 OS/ABI:							UNIX - System V
 ABI Version:					   0
 Type:							  DYN (Shared object file)
 Machine:						   Intel 80386
 Version:						   0x1
 Entry point address:			   0x5090
 Start of program headers:		  52 (bytes into file)
 Start of section headers:		  65208 (bytes into file)
 Flags:							 0x0
 Size of this header:			   52 (bytes)
 Size of program headers:		   32 (bytes)
 Number of program headers:		 3
 Size of section headers:		   40 (bytes)
 Number of section headers:		 26
 Section header string table index: 23

Dynamic section at offset 0xf1b8 contains 21 entries:
 Tag		Type						 Name/Value
0x00000001 (NEEDED)					 Shared library: [libc.so.6]
.......etc... etc...

 

do you know if this might be an older version like you said, here's the same info from the CD i received recently from HSBC:

 

ELF Header:
 Magic:   7f 45 4c 46 01 01 01 00 00 00 00 00 00 00 00 00 
 Class:							 ELF32
 Data:							  2's complement, little endian
 Version:						   1 (current)
 OS/ABI:							UNIX - System V
 ABI Version:					   0
 Type:							  DYN (Shared object file)
 Machine:						   Intel 80386
 Version:						   0x1
 Entry point address:			   0x5090
 Start of program headers:		  52 (bytes into file)
 Start of section headers:		  65208 (bytes into file)
 Flags:							 0x0
 Size of this header:			   52 (bytes)
 Size of program headers:		   32 (bytes)
 Number of program headers:		 3
 Size of section headers:		   40 (bytes)
 Number of section headers:		 26
 Section header string table index: 23

Dynamic section at offset 0xf1b8 contains 21 entries:
 Tag		Type						 Name/Value
0x00000001 (NEEDED)					 Shared library: [libc.so.6]

 

and here's the problem i was getting:

 

Hacking atempt! - orderHash=E6PpsswlAXRzvrmNysC9jurcWGg= hash=eALQYg4eprqDC+9EkNBjH9lNNKs=

 

so I'm not getting to the hsbc pages so far, and the hashes don't match for some reason :(

Thanks again:)

any suggestions much appreciated!!!!!!

kev.

 

(it looks like both of the versions are version to me, but i'm only guessing :( )

Edited by kev@num
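
The hash check in hsbc_return.php and the MerchantData-to-osCsid hand-off in checkout_process.php discussed in this thread, combined into one hardened check. This is an added example, not code from any poster or from the HSBC module; the function name, the 'OrderHash' POST field name and the session-ID pattern are assumptions.

```php
<?php
// Added example, not the HSBC module's code. Assumptions: the function name,
// the 'OrderHash' POST field name, and the session-ID pattern.

/**
 * Validate a CPI return POST before any of it touches the session.
 * $expectedHash is the value the module's own hash routine (the TestHash.e
 * call discussed in the thread) produced on the server for this order.
 */
function hsbc_check_return(array $post, string $expectedHash): array
{
    $orderHash = isset($post['OrderHash']) ? trim((string) $post['OrderHash']) : '';

    // A failed hash run can yield something that is not a hash at all (one
    // poster got the executable's path back). Only accept the 28-character
    // base64 shape of the hashes printed in the thread.
    if (!preg_match('#^[A-Za-z0-9+/]{27}=$#D', $expectedHash)) {
        error_log('HSBC return: local hash generation failed');
        return ['ok' => false, 'reason' => 'hash_unavailable'];
    }

    // hash_equals() is constant-time and avoids the loose typing of !=.
    // Neither hash is echoed to the browser; the mismatch goes to the log.
    if (!hash_equals($expectedHash, $orderHash)) {
        error_log('HSBC return: OrderHash mismatch');
        return ['ok' => false, 'reason' => 'hash_mismatch'];
    }

    // MerchantData is trusted only after the hash check, and only if it
    // has the shape of a PHP session ID (assumed pattern).
    $sid = isset($post['MerchantData']) ? (string) $post['MerchantData'] : '';
    if (!preg_match('/^[A-Za-z0-9,-]{22,256}$/D', $sid)) {
        return ['ok' => false, 'reason' => 'bad_session_id'];
    }
    return ['ok' => true, 'session_id' => $sid];
}

// Constructed request: the two mismatching hashes are the ones a poster
// printed in the thread; the session ID is made up.
$post = [
    'OrderHash'    => 'E6PpsswlAXRzvrmNysC9jurcWGg=',
    'MerchantData' => 'a1b2c3d4e5f6a7b8c9d0e1f2a3b4c5d6',
];
$result = hsbc_check_return($post, 'eALQYg4eprqDC+9EkNBjH9lNNKs=');
if (!$result['ok']) {
    http_response_code(400);
    exit("Payment could not be verified.\n"); // details stay in the log
}
$_GET['osCsid'] = $result['session_id']; // before including application_top.php
```
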