Closed Bug 836407 Opened 11 years ago Closed 11 years ago

Remove Bango cookie when new user logs into pay flow

Categories

(Marketplace Graveyard :: Payments/Refunds, defect, P1)

x86
macOS
defect

Tracking

(Not tracked)

RESOLVED FIXED
2013-02-14

People

(Reporter: kumar, Assigned: kumar)

Details

(Whiteboard: p=)

Since the Bango cookie is tied to the device and a cookie allows repeat purchases, one simple security fix we can do is tell Bango "a new user has logged in" so that they can disregard and delete their cookie. This is important for the case of resetting a PIN, which requires users to re-authenticate (bug 822491).
What is the best way to do this? Maybe we can use a new billing config API option?
Assignee: nobody → sruston
Priority: -- → P1
Assignee: sruston → keir
The other reason I can think of why this might not be a good idea is if somehow the users can back-button to a pre-existing billing config ID after logging out?

We could expose a URL like http://mozbango/mozpayments/logout which you could make a GET to in the cb of your log out?
Yeah, the logout URL would cover this situation better. Let's do that. Thanks.
Version: 1.0 → 1.1
Whiteboard: p=
(In reply to Kumar McMillan [:kumar] from comment #3)
> Yeah, the logout URL would cover this situation better. Let's do that.
> Thanks.

Now available at http://mozilla.test.bango.org/mozpayments/logout/
Awesome, thanks! I assume that a 200 HTTP response we get from this means it worked?

I will integrate this into the various webpay logout flows.
Assignee: keir → kumar.mcmillan
Target Milestone: --- → 2013-02-14
Fixed https://github.com/mozilla/webpay/commit/f54be58ff575f27414027d064383634fbaeac9b5
Status: NEW → RESOLVED
Closed: 11 years ago
Resolution: --- → FIXED
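
The flow agreed in this bug, as an added example that is not webpay's code and not part of the original thread: before a new user is signed in, the browser makes a GET to the provider logout URL so the device-tied cookie is dropped, and the user switch fails closed if that call does not return 200. Assumptions: treating 200 as success is the reading proposed in the thread, the endpoint permits a credentialed cross-origin read of the status, and `session`, `switchUser` and `clearProviderSession` are hypothetical names.

```javascript
// Test endpoint quoted in the thread; everything else here is illustrative.
const PROVIDER_LOGOUT_URL = 'http://mozilla.test.bango.org/mozpayments/logout/';

// Ask the payment provider to discard its cookie for this device.
// Resolves to true only on HTTP 200; network errors and timeouts give false.
async function clearProviderSession(opts = {}) {
  const fetchImpl = opts.fetchImpl || fetch; // injectable for offline testing
  const controller = new AbortController();
  const timer = setTimeout(() => controller.abort(), opts.timeoutMs || 5000);
  try {
    const res = await fetchImpl(opts.url || PROVIDER_LOGOUT_URL, {
      method: 'GET',
      credentials: 'include', // the provider's cookie must travel with the request
      cache: 'no-store',      // a cached 200 would prove nothing
      signal: controller.signal,
    });
    return res.status === 200;
  } catch (err) {
    return false;
  } finally {
    clearTimeout(timer);
  }
}

// Switch the pay flow to a newly authenticated user.
// `session` is a hypothetical local state object: { user, pinVerified }.
async function switchUser(newUser, session, opts) {
  // Drop local state first so a failure never leaves the previous
  // user's identity or PIN verification attached to the flow.
  session.user = null;
  session.pinVerified = false;

  if (!(await clearProviderSession(opts))) {
    // Fail closed: without confirmation the old provider cookie may
    // still allow a repeat purchase, so do not continue as the new user.
    return { ok: false, reason: 'provider-logout-failed' };
  }
  session.user = newUser;
  return { ok: true };
}
```

The same `clearProviderSession` call belongs in every path that ends or resets authentication (explicit logout, PIN reset, re-authentication), not only in the user-switch path.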