Kryptronic Software Support Forum


#1 03-16-2017 18:26:00

larry
Member
Registered: 07-21-2003
Posts: 437

Authorize.net SIM error after successful credit card authorization

We get this error displayed on a white screen (with the authorize.net URL) when authorize.net SIM is trying to send the response back to the shopping cart:

"An error occurred while trying to report this transaction to the merchant. An e-mail has been sent to the merchant informing them of the error. The following is the result of the attempt to charge your credit card.

      This transaction has been approved.
It is advisable for you to contact the merchant to verify that you will receive the product or service."

I've confirmed that the URL sent with the transaction is https://[ourdomain]/utilities/ecomrelaymeta.php

So I changed the permissions on the utility directory to 755 and the ecomrelaymeta.php to 755.

Now I get the shopping cart error message on our site:

"Checkout
The following error occurred while attempting to process your transaction: The URL that referred you to this page is invalid. It is not listed as a valid referring URL for the online processor selected."

We never specified a relay URL before in authorize.net so it would use the one sent to the form.

We have not changed anything on authorize.net after upgrading to V9 from V8.

So what is the valid relay response URL supposed to be?


Laurie Stephens




Offline

 

#2 03-16-2017 20:37:16

larry
Member
Registered: 07-21-2003
Posts: 437

Re: Authorize.net SIM error after successful credit card authorization

After reading about the field x_relay_url in the authorize.net SIM documentation, we chose to comment out this field in the olp form in V9, then set the correct URL in authorize.net -> settings -> Relay Response. It works.

I have NO idea why it doesn't work when the olp script builds the field, but it does not. We even tried hard coding the URL in the form with a direct copy/paste, and it still gets rejected as a no match.


Laurie Stephens




Offline

 

#3 03-17-2017 06:56:50

webmaster
Administrator
From: York, PA
Registered: 04-20-2001
Posts: 19798
Website

Re: Authorize.net SIM error after successful credit card authorization

Thanks for the update. I saw your ticket on this too. This must be a setting/config issue on the Authorize.net side as there's really not much difference at all between V8 and K9 as far as how this form is set up and processed.


Nick Hendler

Offline

 

#4 03-17-2017 07:18:57

larry
Member
Registered: 07-21-2003
Posts: 437

Re: Authorize.net SIM error after successful credit card authorization

webmaster wrote:

This must be a setting/config issue on the Authorize.net side

I would tend to agree, but the only thing that changed in V9 for SIM was pasting in a new transaction key.

I believe our server has a configuration that won't allow a script or directory with scripts in the public directory to carry 777 permissions (which makes sense), and the utilities directory was set that way after uploading it from our local dev site. The initial error was because of that issue, and the relay request timed out resulting in a white screen, but threw the "url no match" error anyway.


Hope the next person who uses SIM might benefit from the discussion. I didn't even know that authorize.net HAD a place in settings to specify the URL. Maybe it was always there, but never enforced, until now.

I'm curious, if I turn debug on, would the POST transaction contents be available to see?  I still think there's something wrong with the URL field.


Laurie Stephens




Offline

 

#5 03-18-2017 20:35:14

larry
Member
Registered: 07-21-2003
Posts: 437

Re: Authorize.net SIM error after successful credit card authorization

After exactly ONE successful order confirmation, we're back to the same old error response from authorize.net:

"The following error occurred while attempting to process your transaction: The URL that referred you to this page is invalid. It is not listed as a valid referring URL for the online processor selected."

I think that is authorize.net's message, not V9? So "this page" is authorize.net's page? Not the response page in V9?

I found out it wasn't working because a customer was having problems getting an order to complete.

I have looked high and low on authorize.net settings page and I see absolutely NO reference to a "referring URL", only "Response/Receipt URLs". I assume by "referring URL" they mean "https://mydomain/CheckoutIntro", which is what appears in the URL field right before the authorize.net SIM page is displayed.

Does anyone familiar with authorize.net know where the setting is for the "valid referring url"?

And what is the URL that appears in CCP version 8 right before the authnet SIM page is displayed?
(I didn't think they were different).


Laurie Stephens




Offline

 

#6 03-18-2017 23:29:59

larry
Member
Registered: 07-21-2003
Posts: 437

Re: Authorize.net SIM error after successful credit card authorization

More information: after digging, it appears that the message displayed by ecomrelay.php IS a V9 message based on the referrer string returned by authorize.net. I found the code in ECOM_OLP.php. Oddly, I did not see any debug messages that displayed the $message details, so I just put an echo statement in the code to see it on the screen.

Here it is: 

Checkout
the message is The procgwresp() method was access by an invalid URL. The referring URL is 'https://secure.authorize.net/gateway/transact.dll'. The string 'ecomrelaymeta.php was not found in the URL.


The following error occurred while attempting to process your transaction: The URL that referred you to this page is invalid. It is not listed as a valid referring URL for the online processor selected.
-------
So now we know why ecomrelay.php is throwing an error, even though it is NOT an error. Perhaps authorize.net or the server we are on changed something so that the HTTP_REFERER is not what we expect (mydomain/ecomrelaymeta.php).

I hacked ECOM_OLP.php temporarily, but need a good fix for this.  Here's the code:

Code:

// +--
// | SECURITY CHECK:
// | 
// | Check to be sure our referring URL string is contained in the
// | referring URL environment info.
// +--
$authnet = 'https://secure.authorize.net/gateway/transact.dll';
$referer = '';

if (!(empty($_SERVER['HTTP_REFERER']))) {$referer = $_SERVER['HTTP_REFERER'];}
// 031817 added temporarily until fixed referrer problem
if ($referer == $authnet) {
    if ($this->debug) {$this->debugger("procgwresp: Referer information is authorize.net.  Bypassing check.");}

} else if ((!(empty($referer))) && (!(empty($gateway['refurlstr']))) && ($gateway['refurlstr'] != 'NotApplicable')) {

     $quoted = preg_quote($gateway['refurlstr'],'/');

     if (!(preg_match('/' . $quoted . '/',$referer))) {

          $message = "The procgwresp() method was access by an invalid URL.  The referring URL 
                      is '{$referer}'.  The string '{$gateway['refurlstr']} was not found in the 
                      URL.";
// echo 'the message is ' . $message;
          $this->RaiseError($message);

          if ($this->debug) {$this->debugger("procgwresp: {$message}");}

          $this->globals('ecom.relay_failmsg','BADREFERER');

          $this->CORE_Display->include_file('ecom','olprelayfail.php');

          return 1;

     } // End of if statement.

} else {

     if ($this->debug) {$this->debugger("procgwresp: Referer information not available.  Bypassing check.");}

} // End of if statement.

Laurie Stephens




Offline

 

#7 03-20-2017 07:57:49

webmaster
Administrator
From: York, PA
Registered: 04-20-2001
Posts: 19798
Website

Re: Authorize.net SIM error after successful credit card authorization

The proper fix is to enter 'http' in the referrer string in the gateway setup and call it a day.


Nick Hendler

Offline

 

#8 03-24-2017 18:56:05

larry
Member
Registered: 07-21-2003
Posts: 437

Re: Authorize.net SIM error after successful credit card authorization

If we did that, wouldn't it accept any request regardless of source? Sounds like that would negate the security check altogether.

We're leaving in the hard coding for now. And will re-apply if needed when upgrades occur.

As a side note, it appears that the entire string returned by authorize.net is appearing in the URL when the order confirmation is displayed, i.e. https://[mydomain]/ecomrelay.php?...the parameters passed by authorize.net here....

I don't recall seeing that in Version 8. I thought it "redirected" or at least changed the URL to https://[mydomain]/ordersummary.php and "hid" all the garbage hanging off the URL. Is there any way to do that in V9? I don't think there's any security issue, but it would be much cleaner when presented to the customer that way.


Laurie Stephens




Offline

 

#9 03-27-2017 07:19:03

webmaster
Administrator
From: York, PA
Registered: 04-20-2001
Posts: 19798
Website

Re: Authorize.net SIM error after successful credit card authorization

larry wrote:

If we did that, wouldn't it accept any request regardless of source? Sounds like that would negate the security check altogether.

If you knew how easy it is for a hacker to spoof a referrer, you wouldn't really care whether this check worked or not. You'd likely switch to an API-based processing method.

larry wrote:

I don't recall seeing that in Version 8.

V8 targeted ecomrelay.php directly, not ecomrelaymeta.php. We switched to the meta script after reports that the standard relay script began having issues with some Authnet changes last year. If your processing actually works with targeting ecomrelay.php, use it.


Nick Hendler

Offline
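
The referrer check debated in posts #6 through #9, reduced to a stand-alone script as an added example (not code from Kryptronic or from either poster). The function names and the sample referrer values are constructed for illustration; the decision logic of `referer_check()` follows the excerpt in post #6 without the temporary bypass.

```php
<?php
// Stand-alone copy of the decision logic in the procgwresp() excerpt from
// post #6, minus the temporary bypass. referer_check() is a hypothetical name.
function referer_check(string $referer, string $refurlstr): string
{
    if ($referer !== '' && $refurlstr !== '' && $refurlstr !== 'NotApplicable') {
        // Substring match: the configured string only has to appear somewhere.
        $quoted = preg_quote($refurlstr, '/');
        return preg_match('/' . $quoted . '/', $referer) ? 'accepted' : 'BADREFERER';
    }
    // No Referer header, or no configured string: the check is skipped.
    return 'bypassed';
}

// Hypothetical stricter variant: require https and an exact host match, and
// reject a missing header. Referer is still supplied by the client, so this
// is a sanity check on the relay path, not authentication of the sender.
function referer_host_check(string $referer, string $expectedHost): string
{
    $parts = parse_url($referer);
    if (!is_array($parts) || ($parts['scheme'] ?? '') !== 'https') {
        return 'BADREFERER';
    }
    return strcasecmp($parts['host'] ?? '', $expectedHost) === 0
        ? 'accepted'
        : 'BADREFERER';
}

// Constructed sample values, not captured traffic.
$referers = [
    'gateway'    => 'https://secure.authorize.net/gateway/transact.dll',
    'other site' => 'https://unrelated.example/page.html',
    'no header'  => '',
];
$settings = ['ecomrelaymeta.php', 'http', 'NotApplicable'];

foreach ($settings as $refurlstr) {
    foreach ($referers as $label => $referer) {
        printf("refurlstr=%-18s referer=%-11s => %s\n",
            $refurlstr, $label, referer_check($referer, $refurlstr));
    }
}
foreach ($referers as $label => $referer) {
    printf("host check                   referer=%-11s => %s\n",
        $label, referer_host_check($referer, 'secure.authorize.net'));
}
```

With 'http' configured, every request that carries a referrer is accepted, and a request with no referrer skips the original check under every setting.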

 

#10 03-27-2017 09:45:54

larry
Member
Registered: 07-21-2003
Posts: 437

Re: Authorize.net SIM error after successful credit card authorization

webmaster wrote:

If you knew how easy it is for a hacker to spoof a referrer, you wouldn't really care whether this check worked or not. You'd likely switch to an API-based processing method.

We used to use an API method until the PCI compliance "rules" got too onerous. I'd rather keep credit card process off our site than chase "compliance" issues constantly. 😉


Laurie Stephens




Offline

 

#11 03-27-2017 11:04:05

webmaster
Administrator
From: York, PA
Registered: 04-20-2001
Posts: 19798
Website

Re: Authorize.net SIM error after successful credit card authorization

larry wrote:

We used to use an API method until the PCI compliance "rules" got too onerous. I'd rather keep credit card process off our site than chase "compliance" issues constantly.

Understood. It's a bit of a catch-22. To achieve the easiest route to compliance you have to use a gateway that relies on relaying the browser across the Internet several times.


Nick Hendler

Offline

 

#12 03-27-2017 18:35:33

larry
Member
Registered: 07-21-2003
Posts: 437

Re: Authorize.net SIM error after successful credit card authorization

Yup.  That is how bureaucracies are built. lol


Laurie Stephens




Offline

 

#13 10-24-2018 18:11:40

larry
Member
Registered: 07-21-2003
Posts: 437

Re: Authorize.net SIM error after successful credit card authorization

webmaster wrote:

The proper fix is to enter 'http' in the referrer string in the gateway setup and call it a day.

After upgrading to V9.0.2 we started having this same problem. I reapplied our "fix" to ECOM_OLP.php but it didn't seem to solve the problem entirely. It seems every other order that has a successful authorization fails to send back a valid URL, and hence fails to send an order confirmation or mark the order as successful.

Would entering 'http' still work? Or would it be 'https' now? Or something different?


Laurie Stephens




Offline

 

#14 10-25-2018 06:55:00

webmaster
Administrator
From: York, PA
Registered: 04-20-2001
Posts: 19798
Website

Re: Authorize.net SIM error after successful credit card authorization

'https' would be better, assuming you're using an SSL URL for K9. You've bypassed that check, though, so I don't see how it would matter.


Nick Hendler

Offline

 
