Remove Bango cookie when new user logs into pay flow

RESOLVED FIXED in 2013-02-14

Status

Marketplace
Payments/Refunds
P1
normal

People

(Reporter: kumar, Assigned: kumar)

Tracking

2013-02-14
x86
Mac OS X

Details


Since the Bango cookie is tied to the device and a cookie allows repeat purchases, one simple security fix we can do is to tell Bango "a new user has logged in" so that they can disregard and delete their cookie. This is important for the case of resetting a PIN, which requires users to re-authenticate (bug 822491).
What is the best way to do this? Maybe we can use a new billing config API option?
Assignee: nobody → sruston
Blocks: 775802
Priority: -- → P1

Updated

4 years ago
Assignee: sruston → keir

Comment 2

4 years ago
The other reason I can think of why this might not be a good idea is if somehow the users can back-button to a pre-existing billing config ID after logging out?

We could expose a URL like http://mozbango/mozpayments/logout which you could make a GET to in the cb of your log out?

Yeah, the logout URL would cover this situation better. Let's do that. Thanks.
Blocks: 835620
Version: 1.0 → 1.1
Whiteboard: p=

Comment 4

4 years ago
(In reply to Kumar McMillan [:kumar] from comment #3)
> Yeah, the logout URL would cover this situation better. Let's do that.
> Thanks.

Now available at http://mozilla.test.bango.org/mozpayments/logout/

Awesome, thanks! I assume that a 200 HTTP response we get from this means it worked?

I will integrate this into the various webpay logout flows.
Assignee: keir → kumar.mcmillan
Target Milestone: --- → 2013-02-14
Here is a logout for the reset PIN flow: https://github.com/mozilla/webpay/commit/b0e6085f676d601a1122a3ee2b4516d9b7007672

Fixed: https://github.com/mozilla/webpay/commit/f54be58ff575f27414027d064383634fbaeac9b5
Status: NEW → RESOLVED
Last Resolved: 4 years ago
Resolution: --- → FIXED
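
The logout call discussed in this bug, sketched as an added example that is not webpay's or Bango's code: the browser GETs the provider logout URL whenever a different user logs in or re-authentication was forced (PIN reset), and the pay flow continues only on HTTP 200. The `session` object, the function names, the fail-closed policy and the provider allowing credentialed cross-origin reads are assumptions; only the URL comes from the thread.

```javascript
// Added example, not webpay's code. The URL is the test endpoint quoted in the thread.
const PROVIDER_LOGOUT_URL = 'http://mozilla.test.bango.org/mozpayments/logout/';

// True when the provider's device-tied cookie may belong to someone else:
// re-authentication was forced (PIN reset), or we cannot show that the same
// user was logged in before (an unknown previous user counts as a change).
function needsProviderLogout(session, newUserId) {
  return session.forcedReauth === true || session.lastUserId !== newUserId;
}

// GET the logout URL from the browser so the provider's own cookie is sent.
// Only HTTP 200 counts as success, as assumed in the thread. Reading the status
// cross-origin requires the provider to allow credentialed CORS (assumption).
async function clearProviderSession(fetchImpl, url = PROVIDER_LOGOUT_URL, timeoutMs = 5000) {
  const controller = new AbortController();
  const timer = setTimeout(() => controller.abort(), timeoutMs);
  try {
    const res = await fetchImpl(url, {
      method: 'GET',
      credentials: 'include',
      cache: 'no-store',
      redirect: 'error',
      signal: controller.signal,
    });
    return res.status === 200;
  } catch (err) {
    return false; // network error, timeout or redirect: treat as not cleared
  } finally {
    clearTimeout(timer);
  }
}

// Gate for the pay flow (hypothetical): returns 'proceed' or 'blocked'.
async function beginPayFlow(session, newUserId, fetchImpl) {
  if (needsProviderLogout(session, newUserId)) {
    const cleared = await clearProviderSession(fetchImpl);
    // Fail closed: a stale cookie could still allow repeat purchases.
    if (!cleared) return 'blocked';
  }
  session.lastUserId = newUserId;
  session.forcedReauth = false;
  return 'proceed';
}
```

In a browser, pass `window.fetch.bind(window)` as `fetchImpl`; the parameter exists so the gate can be exercised with a stub.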