projects
/
freeside.git
/ blobdiff
commit
grep
author
committer
pickaxe
?
search:
re
summary
|
shortlog
|
log
|
commit
|
commitdiff
|
tree
raw
|
inline
| side by side
double process / back button protection for self-service payments, RT#29168
[freeside.git]
/
fs_selfservice
/
FS-SelfService
/
cgi
/
selfservice.cgi
diff --git
a/fs_selfservice/FS-SelfService/cgi/selfservice.cgi
b/fs_selfservice/FS-SelfService/cgi/selfservice.cgi
index
1372311
..
2b4bb43
100755
(executable)
--- a/
fs_selfservice/FS-SelfService/cgi/selfservice.cgi
+++ b/
fs_selfservice/FS-SelfService/cgi/selfservice.cgi
@@
-105,7
+105,7
@@
unless ( $nologin_actions{$action} ) {
my %cookies = CGI::Cookie->fetch;
my %cookies = CGI::Cookie->fetch;
- my $login_rv;
+ my $login_rv
= {}
;
if ( exists($cookies{'session'}) ) {
if ( exists($cookies{'session'}) ) {
@@
-178,15
+178,9
@@
unless ( $nologin_actions{$action} ) {
} # else session_id ne 'login'
} # else session_id ne 'login'
- } else {
- # there is no session cookie
- $login_rv = {};
- }
+ } # else there is no session cookie
if ( !$session_id ) {
if ( !$session_id ) {
- # XXX why are we getting agentnum from a CGI param? surely it should
- # be some kind of configuration option.
- #
# show the login page
$session_id = 'login'; # set state
my $login_info = login_info( 'agentnum' => scalar($cgi->param('agentnum')) );
# show the login page
$session_id = 'login'; # set state
my $login_info = login_info( 'agentnum' => scalar($cgi->param('agentnum')) );
@@
-211,7
+205,7
@@
if ( $result->{error} && ( $result->{error} eq "Can't resume session"
|| $result->{error} eq "Expired session") ) { #ick
$session_id = 'login';
|| $result->{error} eq "Expired session") ) { #ick
$session_id = 'login';
- my $login_info = login_info();
+ my $login_info = login_info(
'agentnum' => scalar($cgi->param('agentnum'))
);
do_template('login', $login_info);
exit;
}
do_template('login', $login_info);
exit;
}
@@
-633,7
+627,10
@@
sub payment_results {
my $auto = 0;
$auto = 1 if $cgi->param('auto');
my $auto = 0;
$auto = 1 if $cgi->param('auto');
- $cgi->param('paybatch') =~ /^([\w\-\.]+)$/ or die "illegal paybatch";
+ $cgi->param('payunique') =~ /^([\w\-\.]*)$/ or die "illegal payunique";
+ my $payunique = $1;
+
+ $cgi->param('paybatch') =~ /^([\w\-\.]*)$/ or die "illegal paybatch";
my $paybatch = $1;
$cgi->param('discount_term') =~ /^(\d*)$/ or die "illegal discount_term";
my $paybatch = $1;
$cgi->param('discount_term') =~ /^(\d*)$/ or die "illegal discount_term";
@@
-657,6
+654,7
@@
sub payment_results {
'country' => $country,
'save' => $save,
'auto' => $auto,
'country' => $country,
'save' => $save,
'auto' => $auto,
+ 'payunique' => $payunique,
'paybatch' => $paybatch,
'discount_term' => $discount_term,
);
'paybatch' => $paybatch,
'discount_term' => $discount_term,
);
@@
-1062,10
+1060,10
@@
sub do_template {
$fill_in->{$_} = $access_info->{$_} foreach keys %$access_info;
# update the user's authentication
$fill_in->{$_} = $access_info->{$_} foreach keys %$access_info;
# update the user's authentication
- my $timeout = $access_info->{'timeout'} || '
6
0';
+ my $timeout = $access_info->{'timeout'} || '
360
0';
my $cookie = CGI::Cookie->new('-name' => 'session',
'-value' => $session_id,
my $cookie = CGI::Cookie->new('-name' => 'session',
'-value' => $session_id,
- '-expires' => '+'.$timeout,
+ '-expires' => '+'.$timeout
.'s'
,
#'-secure' => 1, # would be a good idea...
);
if ( $name eq 'logout' ) {
#'-secure' => 1, # would be a good idea...
);
if ( $name eq 'logout' ) {