Bug 836407 - Remove Bango cookie when new user logs into pay flow
Status: RESOLVED FIXED
Product: Marketplace
Classification: Server Software
Component: Payments/Refunds
: 1.1
: x86 Mac OS X
: P1 normal
: 2013-02-14
Assigned To: Kumar McMillan [:kumar] (needinfo all the things)
Blocks: marketplace-payments 835620
Reported: 2013-01-30 11:07 PST by Kumar McMillan [:kumar] (needinfo all the things)
Modified: 2013-02-15 11:17 PST

Description Kumar McMillan [:kumar] (needinfo all the things) 2013-01-30 11:07:51 PST
Since the Bango cookie is tied to device and a cookie allows repeat purchases, one simple security fix we can do is tell Bango "a new user has logged in" so that they can disregard and delete their cookie. This is important for the case of resetting a PIN which requires users to re-authenticate (bug 822491).
Comment 1 Kumar McMillan [:kumar] (needinfo all the things) 2013-01-30 11:09:20 PST
What is the best way to do this? Maybe we can use a new billing config API option?
Comment 2 Keir Kettle 2013-01-31 06:47:39 PST
The other reason I can think of why this might not be a good idea is if somehow the users can back button to a pre-existing billing config id after logging out?

We could expose a url like http://mozbango/mozpayments/logout which you could make a GET to in the cb of your log out?
Comment 3 Kumar McMillan [:kumar] (needinfo all the things) 2013-01-31 08:26:26 PST
Yeah, the logout URL would cover this situation better. Let's do that. Thanks.
Comment 4 Keir Kettle 2013-02-04 10:16:27 PST
(In reply to Kumar McMillan [:kumar] from comment #3)
> Yeah, the logout URL would cover this situation better. Let's do that.
> Thanks.

Now available at http://mozilla.test.bango.org/mozpayments/logout/
Comment 5 Kumar McMillan [:kumar] (needinfo all the things) 2013-02-05 11:28:25 PST
Awesome, thanks! I assume that a 200 HTTP response we get from this means it worked?

I will integrate this into the various webpay logout flows.
Comment 6 Kumar McMillan [:kumar] (needinfo all the things) 2013-02-14 11:28:09 PST
Here is a logout for the reset PIN flow https://github.com/mozilla/webpay/commit/b0e6085f676d601a1122a3ee2b4516d9b7007672
Comment 7 Kumar McMillan [:kumar] (needinfo all the things) 2013-02-15 11:17:41 PST
Fixed https://github.com/mozilla/webpay/commit/f54be58ff575f27414027d064383634fbaeac9b5
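
The logout call discussed in this bug, sketched as an added example that is not part of the thread or of webpay's code: the user switch fails closed when the provider cookie cannot be confirmed cleared. The names `resetProviderSession` and `switchUser` are hypothetical, and the sketch assumes the endpoint accepts a credentialed, CORS-readable GET and that only an HTTP 200 means success, which comment 5 asks about but the thread does not confirm.

```javascript
// Added example. URL taken from comment 4; everything else is an assumption.
const PROVIDER_LOGOUT_URL = 'http://mozilla.test.bango.org/mozpayments/logout/';

// Ask the payment provider to drop its device cookie.
// fetchImpl is injected so the flow can be exercised offline with a stub.
async function resetProviderSession(fetchImpl, url = PROVIDER_LOGOUT_URL, timeoutMs = 5000) {
  const ctrl = new AbortController();
  const timer = setTimeout(() => ctrl.abort(), timeoutMs);
  try {
    const res = await fetchImpl(url, {
      method: 'GET',
      credentials: 'include', // the provider cookie must be sent to be invalidated
      cache: 'no-store',      // a cached 200 would prove nothing
      signal: ctrl.signal,
    });
    return res.status === 200; // assumption: only 200 counts as "cookie cleared"
  } catch (err) {
    return false; // network error or timeout: the old cookie may still be live
  } finally {
    clearTimeout(timer);
  }
}

// Run on every user switch (logout, re-authentication for a PIN reset).
// Fail closed: if the provider cookie could not be cleared, the next
// user's pay flow is not started on this device.
async function switchUser(fetchImpl, clearLocalSession, beginLogin) {
  clearLocalSession();
  const cleared = await resetProviderSession(fetchImpl);
  if (!cleared) {
    return { ok: false, reason: 'provider-session-not-cleared' };
  }
  beginLogin();
  return { ok: true };
}
```

In a browser, `fetchImpl` would be `window.fetch`; the caller decides how to surface a `provider-session-not-cleared` result (retry, or block the purchase).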
