Fix https Ecommerce on Standard Sites
If users are on https when they purchase an item from a store, they see an 'Access Denied' message when they are redirected back to the site after paying through Cybersource.
Their payment goes through, but they do not receive any emails confirming it.
Comments:
- Currently this is high priority but we are waiting for a response from Acquia to see if they have any ideas on why this is happening. We tested musicstore.asc and verified that the module works when it is on our server. (Eva Dale - Jan 10, 2017)
- Look at this (future) for logging to external resource so as to not use up space on server environments: https://www.drupal.org/docs/8/core/modules/syslog/overview (Sean Quigley - Jan 17, 2017)
- Per Acquia ticket suggestions, have configured syslog_facility for aaas.osu.edu to 128 in order to log debugging messages. (Sean Quigley - Jan 17, 2017)
- SSH'd into PROD and viewed /etc/rsyslog.conf. There is no line like local0.* /var/log/drupal.log setting syslog_facility... (Sean Quigley - Jan 17, 2017)
- aaas still not logging on prod. Running '$ drush @sites vget syslog_facility' to see what value this var is set to... (Sean Quigley - Jan 17, 2017)
- Results of vget: (Sean Quigley - Jan 17, 2017)
- Found this code in Acquia Security Kit (seckit). Have given site admins config access to this module. Acquia module may be preventing successful postback from Cybersource checkout... (Sean Quigley - Jan 17, 2017)
- Still seeing NO log entries in watchdog for AAAS after running through product order from store and receiving 'Access Denied' error each time. Looking at above module config... (Sean Quigley - Jan 17, 2017)
- Need to find out whether this module was available on Aegir version of site. Would not immediately think so considering these were not Acquia/Cloud servers... (Sean Quigley - Jan 17, 2017)
- Verified that the Acquia Seckit module is only available on the Acquia sites. Have looked at module configuration settings. Need to see whether this can be temporarily disabled for testing on PROD, but it is required by the Acquia Connector module. In the module configuration, look at CROSS-SITE REQUEST FORGERY section. It could be that while the module checks the origin http request header on postback, it throws some exception (403) that calls whatever function generates the 'Access Denied' page. (Sean Quigley - Jan 17, 2017)
- Replied to Ally Gunthier at Acquia (ticket 341594). Informed her that logging is now turned on for aaas.osu.edu and asked her about the possibility that the Acquia Security Kit module is interfering with post-backs. (Sean Quigley - Jan 18, 2017)
- Also look at 'securepages' module. This is another that was NOT on Aegir but is on Acquia. Secure Pages module allows you to let some pages use http and force others to use https. Also, check settings.php file(s) to see whether there are any HSTS handling directives here (probably not, but...). (Sean Quigley - Jan 18, 2017)
- Check whether $conf['https'] = TRUE; exists in settings.php. Also, SSL may be causing problem. (Sean Quigley - Jan 18, 2017)
- https://www.drupal.org/node/1286942 https://www.drupal.org/node/952820 (Sean Quigley - Jan 18, 2017)
- This patch removes function that sends 403 response. It is about a year old. Checking module to see if we have before or after version... (Sean Quigley - Jan 18, 2017)
- drupal-watchdog.log has the following from latest order attempt (logged in, on https):
Jan 18 16:17:49 web-16953 standarddrupal7: https://aaas.osu.edu|1484756269|seckit|140.254.11.133|https://aaas.osu.edu/cybersource_sawm/reply|https://testsecureacceptance.cybersource.com/review|106||Possible CSRF attack was blocked. IP address: 140.254.11.133, Origin: https://testsecureacceptance.cybersource.com. request_id="ed2b6bcb-d2df-41b8-b3a8-729ae9ab27f4" (Sean Quigley - Jan 18, 2017)
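As an added example (not code from the ticket or from the seckit module), a small Python parser for the Drupal 7 syslog watchdog format shown above. It pulls out seckit's "Possible CSRF attack was blocked" entries and groups the blocked Origin by request path, so a legitimate payment-gateway postback such as the Cybersource reply URL stands out from unrelated cross-origin noise before anyone decides to disable the module. The sample lines are constructed; the first mirrors the entry quoted in this ticket, the others are made up.

```python
import re

# Constructed sample lines in Drupal 7's syslog watchdog format:
#   base_url|timestamp|type|ip|request_uri|referer|uid|link|message
# The first line mirrors the seckit entry quoted in this ticket; the rest are invented.
SAMPLE_LOG = """\
Jan 18 16:17:49 web-16953 standarddrupal7: https://aaas.osu.edu|1484756269|seckit|140.254.11.133|https://aaas.osu.edu/cybersource_sawm/reply|https://testsecureacceptance.cybersource.com/review|106||Possible CSRF attack was blocked. IP address: 140.254.11.133, Origin: https://testsecureacceptance.cybersource.com. request_id="ed2b6bcb-d2df-41b8-b3a8-729ae9ab27f4"
Jan 18 16:18:02 web-16953 standarddrupal7: https://aaas.osu.edu|1484756282|php|140.254.11.133|https://aaas.osu.edu/store||0||Notice: Undefined index in example_function()
Jan 18 16:19:10 web-16953 standarddrupal7: https://music.osu.edu|1484756350|seckit|203.0.113.9|https://music.osu.edu/user/login|https://unrelated.example/|0||Possible CSRF attack was blocked. IP address: 203.0.113.9, Origin: https://unrelated.example. request_id="00000000-0000-0000-0000-000000000000"
"""

# "Mon DD HH:MM:SS host ident: body" as written by rsyslog.
SYSLOG_PREFIX = re.compile(r"^(?P<stamp>\w{3} +\d+ [\d:]+) (?P<host>\S+) (?P<ident>\S+): (?P<body>.*)$")
FIELDS = ("base_url", "timestamp", "type", "ip", "request_uri", "referer", "uid", "link", "message")
# seckit writes "Origin: <scheme://host>." followed by a space or end of message.
ORIGIN_RE = re.compile(r"Origin: (\S+?)\.(?:\s|$)")


def parse_watchdog_line(line):
    """Split one syslog line into the nine pipe-separated watchdog fields, or None."""
    m = SYSLOG_PREFIX.match(line)
    if not m:
        return None
    parts = m.group("body").split("|", len(FIELDS) - 1)  # message may contain '|'
    if len(parts) != len(FIELDS):
        return None
    entry = dict(zip(FIELDS, parts))
    entry["host"] = m.group("host")
    return entry


def seckit_csrf_blocks(log_text):
    """Return one dict per seckit CSRF block: request path, blocked Origin, client IP, uid."""
    blocks = []
    for line in log_text.splitlines():
        e = parse_watchdog_line(line)
        if e is None or e["type"] != "seckit":
            continue
        if "Possible CSRF attack was blocked" not in e["message"]:
            continue
        om = ORIGIN_RE.search(e["message"])
        blocks.append({"request_uri": e["request_uri"], "origin": om.group(1) if om else "",
                       "ip": e["ip"], "uid": int(e["uid"])})
    return blocks


def blocked_origins_by_path(log_text):
    """Count blocked Origins per request path; a gateway reply URL with one external origin is the signature of a broken postback."""
    summary = {}
    for b in seckit_csrf_blocks(log_text):
        per_path = summary.setdefault(b["request_uri"], {})
        per_path[b["origin"]] = per_path.get(b["origin"], 0) + 1
    return summary
```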
- Disabled the ASC Acquia module on aaas.osu.edu, which enables all other Acquia modules on a site. Testing whether any effect is made on store... (Sean Quigley - Jan 18, 2017)
- Disabled Security Kit module after ASC Acquia. Cleared drupal cache, drush cache, varnish and rebuilt registry. (Sean Quigley - Jan 18, 2017)
- Test of store on aaas.osu.edu/store was successful after disabling Acquia Security Kit module. (Sean Quigley - Jan 18, 2017)
- Need to do on Music - real test, not logged in (https). (Sean Quigley - Jan 18, 2017)
- Tested successfully on aaas.osu.edu/store while purchasing test product as anonymous user. (Sean Quigley - Jan 18, 2017)
- Tested successfully on music.osu.edu after going through steps above. (Sean Quigley - Jan 18, 2017)
- Need to look at whether it is "safe" to have sites with a store running without this module. Perhaps create a patch to comment out drupal_access_denied() function or ignore on stores. (Sean Quigley - Jan 18, 2017)
- Copied URLs from ecommerce AirTable list, pasted into Excel, used find/replace and the CONCATENATE function to create the following to process only the ecommerce sites (i.e. disable two modules) via Drush. Just copy/paste this entire code into the terminal while SSH'd into PROD. (Sean Quigley - Jan 18, 2017)
- Updated and resolved Acquia ticket # 341594. (Sean Quigley - Jan 19, 2017)