bhylenski's picture
Offline
Joined: 10/20/2008
Juice: 44

Hello All,

I've currently got virtual merchant API set up for memberships information. I use virtual merchant and Amember for memberships and subscriptions.

But, now I'm trying to set up Ubercart and Virtual Merchant for my shopping cart functionality. I believe I have everything configured properly, but when I submit my test transaction, I'm getting a simple Drupal message...

***We were unable to process your credit card payment. Please verify your card details and try again. If the problem persists, contact us to complete your order.***

I was hoping to figure out if Drupal is set up wrong, or whether VM is set up wrong, etc.

I'm needing a bit of guidance on setup. I've got Drupal 5.10 set up with the latest release of Ubercart (5.x - 1.5)

Thank you for your help.

bhylenski's picture
Offline
Joined: 10/20/2008
Juice: 44
Moving Forward

I haven't received any responses, but I've been plugging away and I've had a few successes, but one major problem --- HTTP REFERER.

I currently have HTTP Referer turned on and my error is the same. I've printed my messages to the watchdog and I'm getting a 4003 error (HTTP REFERER not found) from Virtual Merchant. They told me they're not receiving anything??

But, when I turn off HTTP Referer, everything works properly. But, my Technology Officer and Security team are nervous about turning HTTP referrer off. So, my question is "What can I do to make this work or test to see if the referer is being passed properly?" Or does this module simply not work with HTTP REFERER on??

Any help would be appreciated

Ryan's picture
Offline
Joined: 08/07/2007
Juice: 15438
Re: Moving Forward

I don't think a lot of people have used that module... I certainly haven't and am unfamiliar with what this HTTP Referer setting is. Can you explain it a little further?

bhylenski's picture
Offline
Joined: 10/20/2008
Juice: 44
Explanation

I have 6 months experience with Drupal. I've worked with a company called Amember to write a plugin, so Virtual Member and Amember work well together for subscriptions to our website. But, now we are creating an avenue for online sales of merchandise that our members need/want. We've tested a variety of shopping carts and Ubercart fits 99% of what we want and need. As well as being compliant with Drupal AND Virtual Merchant.

But, now that I have "everything" seemingly working properly. I've run up against this HTTP referer problem. So, the information I'm looking for is multi-tiered:

1. How does Ubercart interact with the HTTP referer?
2. Does it ever modify it or pass the referer to the gateway, or is it the gateway's responsibility to capture the referer.
3. Are there any reasons why Ubercart would pass, or a gateway receive, '' for the HTTP referer?

So....
1. Will Virtual Merchant work with Ubercart with HTTP Referer enabled?

2. If so, how do I do it, or where can I go for support?

But, if it will not work with HTTP referer enabled, then:

1. What are the ramifications/security issues with disabling HTTP referer? I'm utilizing server side HTTPS POST transactions (which are encrypted properly) already, so am I creating a security hole by disabling HTTP referer?

2. It's my understanding that if someone gets a hold of your pin, merchant ID and/or Account ID, then they can make a purchase, add to a batch or start the refund process, but they won't be able to extract money from you, correct?
So if the above is true, then working with virtual merchant with HTTP referer disabled should not carry any sort of security risk?

I know it's a lot of info, but you asked for it Ryan...hahaha! Thanks again for your help, any sort of direction would be appreciated.

Bryan

Ryan's picture
Offline
Joined: 08/07/2007
Juice: 15438
Re: Explanation

The HTTP Referer field would be set by the browser in the headers or something of a GET / POST. (I don't know all the details there...) My hunch is your payment gateway has the option there so you can ensure people are only making transactions through a specific form. If you have some sort of private key you use to send payment requests, you're probably fine w/o the referer field. If you want to set it in your request, you'll probably have to edit the headers you're sending (using curl perhaps?). This isn't a very standard feature, though, and it can obviously be spoofed if anyone can just modify the headers of their request. HTTP Referer isn't a very reliable way of security... just another layer of obfuscation.

bhylenski's picture
Offline
Joined: 10/20/2008
Juice: 44
Re: Re: Explanation

So, you're telling me then, that Ubercart/VM gateway module does not modify the headers at all when sending the payment request. I've sorted thru the VM gateway module and they don't seem to be...so I guess, I just want to be sure that Ubercart is not modifying it in any way.

If that is the case, then it must be something on our end or Drupal that is passing an empty HTTP referer field to the gateway.

Bryan

Ryan's picture
Offline
Joined: 08/07/2007
Juice: 15438
Re: Re: Re: Explanation

No, the point is that if the VirtualMerchant module isn't doing it directly, then no one is sending an HTTP Referer in the header. It could only possibly be sent by that module in something like a curl POST or something (note: I haven't looked at the code), and neither Ubercart nor any other modules can affect that.

bhylenski's picture
Offline
Joined: 10/20/2008
Juice: 44
Problem Solved

Okay Ryan, well I took your advice and decided to just try and pass the HTTP Referer myself. When I had a look at the code, CURL was sending the following information

  $ch = curl_init();
  curl_setopt($ch, CURLOPT_URL, $url);
  curl_setopt($ch, CURLOPT_VERBOSE, 0);
  curl_setopt($ch, CURLOPT_POST, 1);
  curl_setopt($ch, CURLOPT_POSTFIELDS, $data);
  curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
  // No CURLOPT_REFERER is set, so this request carries no Referer header.
  $authorize = curl_exec($ch);
  curl_close($ch);

Therefore, from your last email, I decided to add a piece of code that captured and sent the HTTP Referer to Virtual Merchant

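  // Added: take the Referer header from the shopper's request
  // (empty string if the browser sent none).
  $refer = isset($_SERVER["HTTP_REFERER"]) ? $_SERVER["HTTP_REFERER"] : '';

  $ch = curl_init();
  // Added: send that value as the Referer header of the gateway request.
  curl_setopt($ch, CURLOPT_REFERER, $refer);
  curl_setopt($ch, CURLOPT_URL, $url);
  curl_setopt($ch, CURLOPT_VERBOSE, 0);
  curl_setopt($ch, CURLOPT_POST, 1);
  curl_setopt($ch, CURLOPT_POSTFIELDS, $data);
  curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
  //die(print_r($data,true));
  $authorize = curl_exec($ch);
  curl_close($ch);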

So, my final question then is why go thru the trouble of sending the http referer, if it's just being added programmatically, thus it can be added by anyone...not much of a security measure? right?

Well, my transactions are working and http referer is still enabled, so I'm not sure why this wasn't included in the original code, but if the owner of this module wants to add a snippet of code to make HTTP referer work properly for Virtual Merchant, feel free to use the above method. Pretty simple, unless I'm completely missing something.

Thanks Ryan,
Bryan
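
An added example, not part of the post above or of the Virtual Merchant module: the same cURL request sending a fixed store URL as the Referer instead of the shopper's browser-supplied header, which can be absent or arbitrary. The function names, the `shop.example` URL and the assumption that the gateway compares the header with a URL registered for the merchant account are illustrative.

```php
<?php
// Added example; vm_example_* names and shop.example are hypothetical.

/**
 * Validate the store-configured Referer before it goes into a header.
 * Returns the URL, or NULL when it should not be sent.
 */
function vm_example_referer($configured) {
  // Reject whitespace and control characters (CR/LF would split the header).
  if (!is_string($configured) || preg_match('/[\x00-\x20\x7f]/', $configured)) {
    return NULL;
  }
  $parts = parse_url($configured);
  if ($parts === FALSE || !isset($parts['scheme'], $parts['host'])) {
    return NULL;
  }
  // Only an https:// URL of the store itself is expected here.
  if (strtolower($parts['scheme']) !== 'https') {
    return NULL;
  }
  return $configured;
}

/**
 * POST $data to the gateway with a fixed Referer and certificate checks on.
 * Returns the response body, or FALSE if the Referer is unusable or cURL fails.
 */
function vm_example_post($url, $data, $configured_referer) {
  $referer = vm_example_referer($configured_referer);
  if ($referer === NULL) {
    return FALSE;
  }
  $ch = curl_init();
  curl_setopt($ch, CURLOPT_URL, $url);
  curl_setopt($ch, CURLOPT_REFERER, $referer);
  curl_setopt($ch, CURLOPT_POST, 1);
  curl_setopt($ch, CURLOPT_POSTFIELDS, $data);
  curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
  // The POST carries the merchant credentials, so verify the gateway's certificate.
  curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, 1);
  curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, 2);
  $response = curl_exec($ch);
  curl_close($ch);
  return $response;
}

// Constructed inputs; these checks run without any network access.
var_dump(vm_example_referer('https://shop.example/cart/checkout'));
var_dump(vm_example_referer("https://shop.example/\r\nX-Injected: 1"));
var_dump(vm_example_referer('http://shop.example/cart/checkout'));
```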

aswalla's picture
Offline
Getting busy with the Ubercode.Spreading the word - Ubercart for president.
Joined: 08/17/2007
Juice: 105
Re: Problem Solved

Hi Bryan - I just read through your posts and I'm glad you found a fix for this. I'll add this to the module and get it posted in the next week or two. It would be great to get more time to run through this module to tighten it up but things have been busy so if you have other suggestions as you ran through troubleshooting it, please let me know.

cheers,
Aaron

Melanie's picture
Offline
Joined: 12/09/2008
Juice: 7
Modifying VM Payment Processing Code

Aaron / Bryan:

So may I understand this correctly, I must simply add a single line of code to have the cart work? I've been testing the fake credit card provided by Virtual Merchant, and below the $ amount, it is still not processing. ("We were unable to process your credit card payment. Please verify your card details and try again. If the problem persists, contact us to complete your order.")

May I ask which file contains the code to be modified?

Best regards,
Melanie

Dean60's picture
Offline
Joined: 12/03/2008
Juice: 40
Re: Modifying VM Payment Processing Code

If you guys can get the time to update the VM code and document what is needed to install the module with the current version of drupal/ubercart it would be greatly appreciated.

I installed all this about a month ago, got it working but had an SSL issue, I resolved my SSL issues but made the mistake of reinstalling everything and now I can't get it to work and I've got about a day and a half into this.

I really want to use drupal but at this point I am so frustrated I might start looking at other options as I am linked to virtual merchant as my gateway.

please help,

dean

Dean60's picture
Offline
Joined: 12/03/2008
Juice: 40
Re: Re: Modifying VM Payment Processing Code

I went back and redid my installs for the millionth time...

and I got it working again with drupal 5.11, ubercart 1.5 and the vm 1.2

I did use the 'ssl_salestax'=>'0', mod on line 116 with referrals off

I am about to attempt the 5.13 upgrade...

sorry for my previous post but I really did struggle with this for an entire 15 hours. It was a server issue, I had to do a ssh directory delete and rebuild everything from scratch.... I must have had some undeleted files or some other server side issues....