• Hi

    Yesterday I had a member try to sign up for a yearly subscription on my site; however, he was met with the following error (as he told me in an email):

    Error: Unable to modify Subscription
    Please contact Support for assistance

    The existing User Id is associated with an Administrator. Stopping here. Otherwise an Administrator could lose access.
    Please make sure that you are NOT logged in as an Administrator while testing

    The button code is the following

    [s2Member-PayPal-Button level="4" ccaps="" desc="Yearly Service / £99.99 per year" ps="MySiteName" lc="" cc="GBP" dg="0" ns="1" custom="www.mydomain.com" ta="0" tp="0" tt="D" ra="99.99" rp="1" rt="Y" rr="1" rrt="" rra="0" image="http://www.mydomain.com/images/buy-now.png" output="button" /]

    I checked the PayPal API log and I have the following messages related to this member.

    One thing I have noticed is that the IP address being logged is MY IP address (e.g. my work PC – not my home PC or server IP but my work’s gateway server). I find this very strange and don’t know how this could happen unless you have some sort of shared memory/caching going on that has confused things.

    I do run WP-Super-Cache and also I am behind Cloudflare. However this has not prevented OTHER customers from signing up, or recurring payments from other customers.

    I do have the Cloudflare.mod module installed, which replaces the original user’s IP address in my Apache log file, and the CloudFlare WordPress plugin, which does the same to help certain WordPress plugins such as Akismet by replacing the CloudFlare reverse proxy IP that traffic comes through on with the original user’s IP as it is passed along in the X-Forwarded-For and CF-CONNECTING-IP headers.

    However I have had NO problems before accepting payments with either WP Super Cache OR CloudFlare enabled so I am not sure why this has happened.

    I have provided you with the output of the gateway-core-ipn.log log file, which relates first to a customer whose recurring payment for this month went through without a problem a few days before (so you can see it has worked) and then to this problematic customer’s references.

    Nothing on the server has changed in between these two dates.

    All identifying information has been replaced with XXXX.

    However, as I said before, the one thing I noticed was that this customer’s IP was the same as my work IP address.

    This is an example of someone’s recurring payment that went through correctly without any problems…

    LOG ENTRY: Sat Jun 20th, 2015 @ precisely 5:46 am UTC
    PHP v5.2.6-1+lenny16 :: WordPress v4.2.2 :: s2Member v150311
    Memory 61.42 MB :: Real Memory 61.75 MB :: Peak Memory 61.45 MB :: Real Peak Memory 61.75 MB
    http://www.mydomain.com/?s2member_paypal_notify=1
    User-Agent: PayPal IPN ( https://www.paypal.com/ipn )
    array (
    ‘mc_gross’ => ‘14.99’,
    ‘invoice’ => ‘5584fd7bdd666~83.218.116.68’,
    ‘protection_eligibility’ => ‘Ineligible’,
    ‘payer_id’ => ‘WEHTY9GMBU7XG’,
    ‘payment_date’ => ’22:45:11 Jun 19, 2015 PDT’,
    ‘payment_status’ => ‘Completed’,
    ‘charset’ => ‘windows-1252’,
    ‘first_name’ => ‘XXXX’,
    ‘option_selection1’ => ‘121’,
    ‘option_selection2’ => ‘83.218.116.68’,
    ‘mc_fee’ => ‘0.78’,
    ‘notify_version’ => ‘3.8’,
    ‘subscr_id’ => ‘I-XXXXXXXXXXXX’,
    ‘custom’ => ‘www.mydomain.com’,
    ‘payer_status’ => ‘verified’,
    ‘business’ => ‘admin@mydomain.com’,
    ‘verify_sign’ => ‘AOAcaeKrixYeuawaa8ie2UKDeXsAAGcG5SLuIZ5KOd99rQRt6gclrYcg’,
    ‘payer_email’ => ‘some_other_paying_customer_who_worked@gmail.com’,
    ‘option_name1’ => ‘Referencing Customer ID’,
    ‘option_name2’ => ‘Customer IP Address’,
    ‘txn_id’ => ‘7RW206768S836533E’,
    ‘payment_type’ => ‘instant’,
    ‘last_name’ => ‘XXXX’,
    ‘receiver_email’ => ‘admin@mydomain.com’,
    ‘payment_fee’ => ”,
    ‘receiver_id’ => ‘WBQGEG6EZJZ28’,
    ‘txn_type’ => ‘subscr_payment’,
    ‘item_name’ => ‘Monthly Service / £14.99 per month’,
    ‘mc_currency’ => ‘GBP’,
    ‘item_number’ => ‘3’,
    ‘residence_country’ => ‘US’,
    ‘transaction_subject’ => ‘Monthly Service / £14.99 per month’,
    ‘payment_gross’ => ”,
    ‘ipn_track_id’ => ‘4ecfb4c6eebc2’,
    ‘s2member_log’ =>
    array (
    0 => ‘IPN received on: Sat Jun 20, 2015 5:45:46 am UTC’,
    1 => ‘s2Member POST vars verified through a POST back to PayPal.’,
    2 => ‘s2Member originating domain ($_SERVER["HTTP_HOST"]) validated.’,
    3 => ‘s2Member txn_type identified as ( subscr_payment|recurring_payment ).’,
    4 => ‘Sleeping for 15 seconds. Waiting for a possible ( subscr_signup|subscr_modify|recurring_payment_profile_created ).’,
    5 => ‘Awake. It\’s Sat Jun 20, 2015 5:46:01 am UTC. s2Member txn_type identified as ( subscr_payment|recurring_payment ).’,
    6 => ‘Updated Payment Times for this Member.’,
    ),
    ‘subscr_gateway’ => ‘paypal’,
    ‘subscr_baid’ => ‘I-XXXXXXXXXXXX’,
    ‘subscr_cid’ => ‘I-XXXXXXXXXXXX’,
    ‘ccaps’ => NULL,
    ‘level’ => ‘3’,
    ‘ip’ => ‘XX.XX.105.24’,
    ‘currency’ => ‘GBP’,
    ‘currency_symbol’ => ‘£’,
    )

    These are the entries for the person who failed with MY WORK IP ADDRESS logged as their own…

    LOG ENTRY: Mon Jun 22nd, 2015 @ precisely 7:43 pm UTC
    PHP v5.2.6-1+lenny16 :: WordPress v4.2.2 :: s2Member v150311
    Memory 61.99 MB :: Real Memory 63.00 MB :: Peak Memory 62.63 MB :: Real Peak Memory 63.00 MB
    http://www.mydomain.com/?s2member_paypal_notify=1
    User-Agent: PayPal IPN ( https://www.paypal.com/ipn )
    array (
    ‘txn_type’ => ‘subscr_signup’,
    ‘subscr_id’ => ‘I-XXXXXXXXXXXX’,
    ‘last_name’ => ‘XXXX’,
    ‘option_selection1’ => ‘1’,
    ‘option_selection2’ => ‘MY.WORK.IP.ADDRESS’,
    ‘residence_country’ => ‘GB’,
    ‘mc_currency’ => ‘GBP’,
    ‘item_name’ => ‘Yearly Service / £99.99 per year’,
    ‘business’ => ‘admin@mydomain.com’,
    ‘recurring’ => ‘99.99’,
    ‘verify_sign’ => ‘ARHdMzuVLYbWTYeJKwRk1ytpxtIeAllQwLx7S0V7zwkPjqfj20f5hn4-‘,
    ‘payer_status’ => ‘verified’,
    ‘payer_email’ => ‘xxxx@yahoo.com’,
    ‘first_name’ => ‘xxxx’,
    ‘receiver_email’ => ‘admin@mydomain.com’,
    ‘option_name1’ => ‘Referencing Customer ID’,
    ‘payer_id’ => ’63KKZTJR37HZY’,
    ‘invoice’ => ’54d117d978f64~MY.WORK.IP.ADDRESS’,
    ‘option_name2’ => ‘Customer IP Address’,
    ‘reattempt’ => ‘1’,
    ‘item_number’ => ‘4’,
    ‘payer_business_name’ => ‘XXXX XXXX’,
    ‘subscr_date’ => ’12:43:05 Jun 22, 2015 PDT’,
    ‘custom’ => ‘www.mydomain.com’,
    ‘charset’ => ‘windows-1252’,
    ‘notify_version’ => ‘3.8’,
    ‘period3’ => ‘1 Y’,
    ‘mc_amount3’ => ‘99.99’,
    ‘ipn_track_id’ => ‘d404f893bd435’,
    ‘s2member_log’ =>
    array (
    0 => ‘IPN received on: Mon Jun 22, 2015 7:43:40 pm UTC’,
    1 => ‘s2Member POST vars verified through a POST back to PayPal.’,
    2 => ‘s2Member originating domain ($_SERVER["HTTP_HOST"]) validated.’,
    3 => ‘s2Member txn_type identified as ( web_accept|subscr_signup ).’,
    4 => ‘s2Member txn_type identified as ( web_accept|subscr_signup ) w/ update vars.’,
    5 => ‘Unable to modify Subscription. The existing User ID is associated with an Administrator. Stopping here. Otherwise, an Administrator could lose access.’,
    ),
    ‘subscr_gateway’ => ‘paypal’,
    ‘subscr_baid’ => ‘I-XXXXXXXXXXXX’,
    ‘subscr_cid’ => ‘I-XXXXXXXXXXXX’,
    ‘eotper’ => NULL,
    ‘ccaps’ => NULL,
    ‘level’ => ‘4’,
    ‘ip’ => ‘MY.WORK.IP.ADDRESS’,
    ‘period1’ => ‘0 D’,
    ‘mc_amount1’ => ‘0.00’,
    ‘initial_term’ => ‘0 D’,
    ‘initial’ => ‘99.99’,
    ‘regular’ => ‘99.99’,
    ‘regular_term’ => ‘1 Y’,
    ‘currency’ => ‘GBP’,
    ‘currency_symbol’ => ‘£’,
    )

    LOG ENTRY: Mon Jun 22nd, 2015 @ precisely 7:43 pm UTC
    PHP v5.2.6-1+lenny16 :: WordPress v4.2.2 :: s2Member v150311
    Memory 62.48 MB :: Real Memory 63.75 MB :: Peak Memory 62.73 MB :: Real Peak Memory 63.75 MB
    http://www.mydomain.com/?s2member_paypal_notify=1
    User-Agent: PayPal IPN ( https://www.paypal.com/ipn )
    array (
    ‘mc_gross’ => ‘99.99’,
    ‘invoice’ => ’54d117d978f64~MY.WORK.IP.ADDRESS’,
    ‘protection_eligibility’ => ‘Ineligible’,
    ‘payer_id’ => ’63KKZTJR37HZY’,
    ‘payment_date’ => ’12:43:07 Jun 22, 2015 PDT’,
    ‘payment_status’ => ‘Completed’,
    ‘charset’ => ‘windows-1252’,
    ‘first_name’ => ‘xxxx’,
    ‘option_selection1’ => ‘1’,
    ‘option_selection2’ => ‘MY.WORK.IP.ADDRESS’,
    ‘mc_fee’ => ‘3.60’,
    ‘notify_version’ => ‘3.8’,
    ‘subscr_id’ => ‘I-XXXXXXXXXXXX’,
    ‘custom’ => ‘www.mydomain.com’,
    ‘payer_status’ => ‘verified’,
    ‘business’ => ‘admin@mydomain.com’,
    ‘verify_sign’ => ‘AgeQwfdW9musYPRVT4zufJ4cF81iA0VfrSb5NNuROWINWBZwrFPrpBGX’,
    ‘payer_email’ => ‘xxxx@yahoo.com’,
    ‘option_name1’ => ‘Referencing Customer ID’,
    ‘option_name2’ => ‘Customer IP Address’,
    ‘txn_id’ => ‘5DA94764UN7913228’,
    ‘payment_type’ => ‘instant’,
    ‘payer_business_name’ => ‘xxxx XXXX’,
    ‘last_name’ => ‘XXXX’,
    ‘receiver_email’ => ‘admin@mydomain.com’,
    ‘payment_fee’ => ”,
    ‘receiver_id’ => ‘WBQGEG6EZJZ28’,
    ‘txn_type’ => ‘subscr_payment’,
    ‘item_name’ => ‘Yearly Service / £99.99 per year’,
    ‘mc_currency’ => ‘GBP’,
    ‘item_number’ => ‘4’,
    ‘residence_country’ => ‘GB’,
    ‘transaction_subject’ => ‘Yearly Service / £99.99 per year’,
    ‘payment_gross’ => ”,
    ‘ipn_track_id’ => ‘d404f893bd435’,
    ‘s2member_log’ =>
    array (
    0 => ‘IPN received on: Mon Jun 22, 2015 7:43:39 pm UTC’,
    1 => ‘s2Member POST vars verified through a POST back to PayPal.’,
    2 => ‘s2Member originating domain ($_SERVER["HTTP_HOST"]) validated.’,
    3 => ‘s2Member txn_type identified as ( subscr_payment|recurring_payment ).’,
    4 => ‘Sleeping for 15 seconds. Waiting for a possible ( subscr_signup|subscr_modify|recurring_payment_profile_created ).’,
    5 => ‘Awake. It\’s Mon Jun 22, 2015 7:43:54 pm UTC. s2Member txn_type identified as ( subscr_payment|recurring_payment ).’,
    6 => ‘Skipping this IPN response, for now. The Subscr. ID is not associated with a registered Member.’,
    7 => ‘Re-generating. This IPN will go into a Transient Queue; and be re-processed during registration.’,
    ),
    ‘subscr_gateway’ => ‘paypal’,
    ‘subscr_baid’ => ‘I-XXXXXXXXXXXX’,
    ‘subscr_cid’ => ‘I-XXXXXXXXXXXX’,
    ‘ccaps’ => NULL,
    ‘level’ => ‘4’,
    ‘ip’ => ‘MY.WORK.IP.ADDRESS’,
    ‘currency’ => ‘GBP’,
    ‘currency_symbol’ => ‘£’,
    )

    LOG ENTRY: Tue Jun 23rd, 2015 @ precisely 7:42 am UTC
    PHP v5.2.6-1+lenny16 :: WordPress v4.2.2 :: s2Member v150311
    Memory 59.56 MB :: Real Memory 59.75 MB :: Peak Memory 59.62 MB :: Real Peak Memory 59.75 MB
    http://www.mydomain.com/?s2member_paypal_notify=1
    User-Agent: Mozilla/5.0 (compatible; Yahoo! Slurp; http://help.yahoo.com/help/us/ysearch/slurp)
    array (
    ‘s2member_log’ =>
    array (
    0 => ‘Unable to verify $_POST vars. This is most likely related to an invalid configuration of s2Member, or a problem with server compatibility.’,
    1 => ‘Please see this KB article: http://www.s2member.com/kb/server-scanner/. We suggest that you run the s2Member Server Scanner.’,
    2 => ‘array (
    \’s2member_paypal_notify\’ => \’1\’,
    )’,
    ),
    )

    I have checked with PayPal and the IPN messaging is enabled and working

    I run my own server which can access PayPal with CURL/WordPress’s HTTP object/FOpen/File_get_contents/FSockOpen etc.

    Thanks for your help

    https://wordpress.org/plugins/s2member/

Viewing 7 replies - 1 through 7 (of 7 total)
  • Oh, also I ran the Server Scanner tool you have at https://s2member.com/kb-article/server-scanner/ and it didn’t return any errors.

    I have everything installed correctly according to your tool.

    You have yourself already identified the most likely cause of this problem, and that is inappropriate caching.

    It doesn’t matter whether it has worked before, because we don’t know what is getting cached when and why. You simply need to ensure that no caching of any sort (including any caching that your host might run) occurs when someone is logged in. Otherwise you are bound to have problems.

    If you want to cache things for logged-in users, there really is only one solution, and that is to use ZenCache Pro, by the same developers at s2Member. It works a treat.

    Hi

    Cheers for replying.

    This was a brand new member so he was not logged in at the time of paying; also, he just clicked a payment button on a page that took him to PayPal (see button code).

    He also sent me a screenshot of what PayPal showed him once he had paid, and it says at the top of the receipt:

    Referencing Customer ID: 1 (which is obviously the 1st ever member to exist, which was obviously me when I first set the site up 3+ years ago for testing)
    Customer IP Address: My Work IP Address

    I get what you are saying about Caching as it could obviously be a culprit but I don’t understand how details of my IP address and Customer ID (from 2012) were passed to PayPal as I have swapped caching plugins and proxies many times in that period.

    As I don’t know what goes on behind the scenes with your code I don’t know how the Customer ID value is passed along to PayPal so I cannot comment on how the code works but I know how HTTP works and surely clicking one of your payment buttons, encrypted or not, would not pass anything apart from the hidden form values containing information about the amount to be paid, how often and so on. All the customer information is set when they come back from PayPal as they have to fill out the registration form.

    As he didn’t get that far and was not logged in (I had to manually set him up today so I know he didn’t exist as I checked the system first) I don’t see how my IP/First Ever Customer ID could be passed along to PayPal unless when the buttons are generated some other information is encrypted inside them?

    Also I have ways of preventing a page being cached, e.g. adding a querystring to the page would prevent a cache both in WP Super Cache and Cloudflare, but are you saying to just swap WP Super Cache for your plugin and carry on using CloudFlare or to stop CloudFlare as well?

    I will look at your plugin but have never heard about it before. Does it work with mobile sites and handles responsive layouts and the toggling between mobile/desktop views?

    So apart from info about your caching plugin I would be interested to know how a non logged in user just clicking a payment button could get my IP and an original 2012 Customer ID from just a form submission and hidden form values as I take it no Database information, Cookies or Session data is transferred when you click a button is it?

    Thanks for your help.

    Rob

    First, neither s2Member nor ZenCache Pro are my plugins. I’m just a contented user of both. And, yes, ZenCache Pro handles all that. (There is a free version here, but it doesn’t offer caching for logged-in users. Nor does it offer HTML compression (minification), which will really make your site speedy.)

    Second, I don’t use CloudFlare so I can’t offer advice on that. I can say that, with just ZenCache Pro, my sites get either an A or an A+ speed rating from Sucuri, so I don’t feel the need to investigate CloudFlare.

    Third, PayPal gets whatever values are sent to it from your site. It doesn’t matter when a user was created. If the culprit here is indeed caching, your site may have cached your details and sent them to PayPal. (Did you, perhaps, recently test the payment mechanism?)

    Fourth, if the user wasn’t logged in, then caching is even more likely to be the culprit because, unless you have specifically excluded the registration page from being cached, it almost certainly would be. (Sometimes, plugins can detect logged-in activity and not cache it, but this won’t happen with logged-out activity unless the caching plugin is expressly instructed not to cache that page or post.)

    Are you saying that you actually did exclude the relevant page from caching, or just that you could?

    Hi

    I am saying that I could exclude the pages from caching by just adding a querystring to any link going to them as I have excluded any page with a querystring from being cached by either WP Super Cache or CloudFlare.

    I haven’t tested the payment system myself for years as I haven’t had any issues with it for a long time so had no need to ask for support recently or test it myself.

    I understand that a non logged in user is more likely to get a cached page by whatever means, WP Super Cache, Cloudflare or just the browser but what I don’t get is how an HTTP POST method submitting the FORM linked to a BUTTON on the page could submit MY IP address when someone ELSE is hitting the button.

    How would my IP address get encoded into the hidden form inputs that your payment buttons use to submit the payment data to PayPal. That is what I am having a hard time understanding.

    I use your button creator object and that generates a shortcode button snippet like the one I posted in the original question and then that gets converted to HTML on output and encrypted by your plugin.

    So unless your plugin is somehow storing my IP address in these buttons when they are created or outputted which then gets cached so that another user hitting the button sends MY IP to PayPal instead of their own – when surely it would come from the Remote_Addr/X-Forwarded-For HTTP header. I don’t understand how it could happen. Nor can the web developer who purchased the product.

    Thanks for the info on the plugins by the way.

    Rob

    “You have yourself already identified the most likely cause of this problem, and that is inappropriate caching.”

    Just a quick note that I don’t think this is a caching issue on CloudFlare’s end (we don’t cache dynamic content by default, so we wouldn’t be caching logins or anything along those lines; we also wouldn’t cache any third-party resources on the site).

    What CloudFlare caches

    Hi

    I know, I cannot see how it would be Cloudflare OR WP Super Cache OR any caching system that is at fault, as IP addresses are not cached into form variables OR should not be.

    The payment form hidden inputs contain things like the purchase amount & details on the product. The button generator THAT s2 provides does NOT as far as I can see generate elements for an IP address and I don’t see why it would.

    Also when you go to PayPal’s payment page I am sure they are not silly enough EVEN if you did pass an IP address in the form inputs to take that as the client’s IP address anyway.

    They would obviously want the REAL IP address not some form value that had been passed to it e.g. “Please believe this value as the IP address not what HTTP tells you – so to speak” – for their own reporting and so on, they would need the real IP address of the client making the HTTP request.

    So they would look at the HTTP headers and see the client’s Remote_Addr / X-Forwarded-For etc.

    Also as they are no longer on MY server anymore (e.g. PayPal’s payment page is not being cached by CloudFlare / WordPress caching) they would not even see a Cloudflare IP range address making the request either.

    Therefore I cannot see how caching can be the problem and I have yet to have a proper technical explanation of how it could be.

    It’s the same as if I had just come to this webpage from a heavily cached page on ANY site. This site would be looking at the HTTP headers and getting the IP address from my computer/server/network NOT the referrer’s IP address.

    That is the only thing I can think of, that somehow – for some reason PayPal has taken the referrer’s IP – but even then that would be my server’s IP address NOT my work’s computer that accesses the server.

    I cannot find any documentation or details anywhere about any caching system that would embed the “last users” IP address into the caching system they use as that is what we are saying – that I, as the first person to ever test the payment system (which I was), somehow had my IP address embedded into the page so that a future user when clicking the button passed MY details along to PayPal.

    Apart from how this doesn’t make sense – UNLESS s2 Member are doing something I don’t understand as it can only be their plugin that would be doing this. I cannot see how the 1st payment (from a few years ago – as this member got User:1 on his PayPal payment page) would still be in any cache ANYWAY – as it is so long ago it would have been flushed many times.

    -He wasn’t logged in (new member)
    -Says he just clicked a standard button on my page – that many people have used, which I checked
    -Yet he somehow manages to supply the details of the first ever person to ever make a payment through s2 member (me – userId: 1 and with my office IP address as his own)

    A technical explanation of what s2 member embeds into their buttons when they encrypt them, e.g. DO they embed IP / user details into the buttons, is what I need as it can only be their code that would be doing something like this, as caching or not a non logged in user shouldn’t be passing these details along.

    It would be great if this was explained to me in a technical way as it doesn’t add up at the moment.

    Thanks

  • The topic ‘Problem with payment and Admin error’ is closed to new replies.
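
Added example, not part of the thread and not s2Member code: a triage check over IPN fields like those in the log entries above, flagging a signup whose button values look older than the click or reference an Administrator account. It assumes the 13-hex-digit `invoice` prefix is a PHP `uniqid()` value (first 8 hex digits are Unix seconds), that `ADMIN_IDS` is supplied by the site operator, and a 24-hour threshold; `203.0.113.7` is a constructed stand-in for the redacted work IP.

```python
import re
from datetime import datetime, timedelta, timezone

PAYPAL_TZ = {"PDT": -7, "PST": -8}     # zone suffixes on PayPal IPN dates
MAX_BUTTON_AGE = timedelta(hours=24)   # assumed threshold, tune per site
ADMIN_IDS = {"1"}                      # assumption: WordPress admin user IDs


def parse_paypal_date(text):
    """Turn '12:43:05 Jun 22, 2015 PDT' into an aware UTC datetime."""
    stamp, zone = text.rsplit(" ", 1)
    local = datetime.strptime(stamp, "%H:%M:%S %b %d, %Y")
    utc = local - timedelta(hours=PAYPAL_TZ[zone])
    return utc.replace(tzinfo=timezone.utc)


def invoice_minted_at(invoice):
    """Split '<uniqid>~<ip>' into (creation time, embedded IP).

    Assumes the prefix is a PHP uniqid(): 8 hex digits of Unix seconds
    followed by 5 hex digits of microseconds.
    """
    m = re.fullmatch(r"([0-9a-f]{8})[0-9a-f]{5}~(.+)", invoice or "")
    if not m:
        return None, None
    minted = datetime.fromtimestamp(int(m.group(1), 16), tz=timezone.utc)
    return minted, m.group(2)


def triage(ipn):
    """Return findings for one IPN record (a dict of its top-level fields)."""
    findings = []
    minted, _ip = invoice_minted_at(ipn.get("invoice"))
    seen = ipn.get("subscr_date") or ipn.get("payment_date")
    # Button values created long before the transaction suggest the page
    # that rendered them was served from a cache.
    if minted and seen and parse_paypal_date(seen) - minted > MAX_BUTTON_AGE:
        findings.append("stale-button")
    # A new signup that references an Administrator's user ID is what
    # produced "Unable to modify Subscription" in the log above.
    if (ipn.get("txn_type") in ("subscr_signup", "web_accept")
            and ipn.get("option_selection1") in ADMIN_IDS):
        findings.append("admin-id-on-signup")
    return findings


# Constructed samples: field values copied from the two log entries above,
# with the redacted IP replaced by a documentation address.
FAILED_SIGNUP = {
    "txn_type": "subscr_signup",
    "invoice": "54d117d978f64~203.0.113.7",
    "option_selection1": "1",
    "option_selection2": "203.0.113.7",
    "subscr_date": "12:43:05 Jun 22, 2015 PDT",
}
WORKING_PAYMENT = {
    "txn_type": "subscr_payment",
    "invoice": "5584fd7bdd666~83.218.116.68",
    "option_selection1": "121",
    "option_selection2": "83.218.116.68",
    "payment_date": "22:45:11 Jun 19, 2015 PDT",
}

if __name__ == "__main__":
    for name, ipn in (("failed", FAILED_SIGNUP), ("working", WORKING_PAYMENT)):
        print(name, invoice_minted_at(ipn["invoice"])[0], triage(ipn))
```

Under the `uniqid()` assumption, the failing entry's invoice prefix decodes to 2015-02-03 18:47:53 UTC, about 139 days before its signup IPN, while the working entry's prefix is under two minutes older than its payment.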