double process / back button protection for self-service payments, RT#29168

[freeside.git] / fs_selfservice / FS-SelfService / cgi / selfservice.cgi

diff --git a/fs_selfservice/FS-SelfService/cgi/selfservice.cgi b/fs_selfservice/FS-SelfService/cgi/selfservice.cgi
index 84998bb..2b4bb43 100755 (executable)
--- a/fs_selfservice/FS-SelfService/cgi/selfservice.cgi
+++ b/fs_selfservice/FS-SelfService/cgi/selfservice.cgi
@@ -101,8 +101,6 @@ if ( $cgi->param('action') =~ /^(\w+)$/ ) {
   }
 }
 
-warn $action;
-
 unless ( $nologin_actions{$action} ) {
 
   my %cookies = CGI::Cookie->fetch;
@@ -183,9 +181,6 @@ unless ( $nologin_actions{$action} ) {
   } # else there is no session cookie
 
   if ( !$session_id ) {
-    # XXX why are we getting agentnum from a CGI param? surely it should 
-    # be some kind of configuration option.
-    #
     # show the login page
     $session_id = 'login'; # set state
     my $login_info = login_info( 'agentnum' => scalar($cgi->param('agentnum')) );
@@ -210,7 +205,7 @@ if ( $result->{error} && ( $result->{error} eq "Can't resume session"
   || $result->{error} eq "Expired session") ) { #ick
 
   $session_id = 'login';
-  my $login_info = login_info();
+  my $login_info = login_info( 'agentnum' => scalar($cgi->param('agentnum')) );
   do_template('login', $login_info);
   exit;
 }
@@ -632,7 +627,10 @@ sub payment_results {
   my $auto = 0;
   $auto = 1 if $cgi->param('auto');
 
-  $cgi->param('paybatch') =~ /^([\w\-\.]+)$/ or die "illegal paybatch";
+  $cgi->param('payunique') =~ /^([\w\-\.]*)$/ or die "illegal payunique";
+  my $payunique = $1;
+
+  $cgi->param('paybatch') =~ /^([\w\-\.]*)$/ or die "illegal paybatch";
   my $paybatch = $1;
 
   $cgi->param('discount_term') =~ /^(\d*)$/ or die "illegal discount_term";
@@ -656,6 +654,7 @@ sub payment_results {
     'country'    => $country,
     'save'       => $save,
     'auto'       => $auto,
+    'payunique'  => $payunique,
     'paybatch'   => $paybatch,
     'discount_term' => $discount_term,
   );
@@ -1061,7 +1060,7 @@ sub do_template {
   $fill_in->{$_} = $access_info->{$_} foreach keys %$access_info;
 
   # update the user's authentication
-  my $timeout = $access_info->{'timeout'} || '60';
+  my $timeout = $access_info->{'timeout'} || '3600';
   my $cookie = CGI::Cookie->new('-name'     => 'session',
                                 '-value'    => $session_id,
                                 '-expires'  => '+'.$timeout.'s',