• Resolved Terry J

    (@texasbiz)


    Greetings friends.

    After the wpnonce (Nonce) expires, users can still access the page like:

    https://example.com/thank-you-transaction-result/?order_id=78&_wpnonce=cad3bf9999

    Not that it is bad or breaks anything, it is just unsightly and looks unprofessional / sloppy. The user sees messages like “Error! Nonce value is missing in the URL or Nonce verification failed.” and “do not access this page directly”.

    The ideal situation would be modification to the plugin to prevent this behavior, but I understand you guys are very busy.

    I have searched the plugin code trying to find some type of filter / hook / function so I could handle it in the theme's functions, but was unsuccessful. In a Woo environment, I would use something like:

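    add_action('template_redirect', 'custom_nonce_check');
    function custom_nonce_check() {
        // wc_get_notices('error') returns only the error notices, or an empty array when there are none.
        foreach (wc_get_notices('error') as $notice) {
            // Since WooCommerce 3.9 each notice is an array with a 'notice' key; older versions store a plain string.
            $message = is_array($notice) ? $notice['notice'] : $notice;
            if ($message === "Error! Nonce value is missing in the URL or Nonce verification failed.") {
                wp_redirect("https://discountplr.com/link-expired/");
                exit();
            }
        }
    }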

    Could you please ask the dev if there is something like wc_get_notices() in WP Express Checkout?

Viewing 8 replies - 1 through 8 (of 8 total)
  • Plugin Contributor mbrsolution

    (@mbrsolution)

    Thank you for reaching out to us. I have submitted a message to the developers to investigate your request further.

    Kind regards.

    Plugin Author mra13

    (@mra13)

    Thank you. We will work on making an improvement for this.

    Thread Starter Terry J

    (@texasbiz)

    Thank you both. In the meantime, we are using a PHP / JS combo to forward users to another page if the nonce expired or the URL is missing id / wpnonce.

    Plugin Author mra13

    (@mra13)

    We have added an action hook in the new version that should be useful for you. The following page has an example of how you can use it to redirect users going directly to the thank you page:

    https://wp-express-checkout.com/wp-express-checkout-plugin-action-hooks-reference/#beforewpecthankyoupageshortcodeexecution

    Thread Starter Terry J

    (@texasbiz)

    “We have added an action hook in the new version that should be useful for you.”

    Wonderful and very useful addition. I have no doubt others will find this useful. Thank you much!

    “Fixed an issue with item names having special characters.” also fixed an issue I was hunting down.

    Thread Starter Terry J

    (@texasbiz)

    I have a question, please:

    Is the hook only fired when the order is processed, or is it fired every time a visitor hits the thank you page?

    Having a hard time making it fire and before banging my head on desk more, wanted to ask:)

    Thread Starter Terry J

    (@texasbiz)

    Got it figured out. I now see that the default shortcode [ wpec_thank_you ] must be on the page. The site in question has a highly modified thank you page with individual shortcodes.

    Thread Starter Terry J

    (@texasbiz)

    Unfortunately, the hook “kinda’ works”. If user bookmarks or returns to the page with orderid and wpnonce in URL, user is still shown the error messages and not forwarded.

    Can’t seem to find where wp_create_nonce() is generated within the plugin itself, or something like below might work:

    if (
        !is_admin()
        && (
            // Grouped so that !is_admin() applies to both cases ("&&" binds tighter than "||").
            (!isset($_GET['order_id']) && !isset($_GET['_wpnonce']))
            || (isset($_GET['order_id']) && isset($_GET['_wpnonce']) && !wp_verify_nonce($_GET['_wpnonce'], 'action-name')) // replace 'action-name' with action associated to your nonce
        )
    ) {
        // Redirect the visitor here.
    }

  • The topic ‘Restrict access to thank you page’ is closed to new replies.
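
The check sketched in the last post, written out as an added example (not part of the thread and not WP Express Checkout code). It also covers a URL carrying only one of the two parameters and keeps the redirect on the site's own host. Assumptions: the `link-expired` page, the `my_`/`MY_` names and the nonce action are placeholders; the plugin's real nonce action is not shown in this thread, and verification only succeeds when the action string matches the one used to create the nonce.

```php
<?php
// Added example. All MY_* constants and my_* functions are hypothetical names.
const MY_THANKYOU_SLUG = 'thank-you-transaction-result'; // slug from the URL in the first post
const MY_EXPIRED_PATH  = '/link-expired/';               // assumed page on the same site
const MY_NONCE_ACTION  = 'action-name';                  // placeholder, as in the last post

/**
 * Classify a thank-you request from its query arguments.
 * Returns 'ok', 'missing' (a parameter is absent or malformed)
 * or 'invalid' (nonce expired, wrong action, or a different user session).
 */
function my_thankyou_link_state( array $query ) {
    // Treat array-valued parameters (?order_id[]=1) as missing instead of casting them.
    $order_id = ( isset( $query['order_id'] ) && is_scalar( $query['order_id'] ) )
        ? absint( $query['order_id'] )
        : 0;
    $nonce = ( isset( $query['_wpnonce'] ) && is_scalar( $query['_wpnonce'] ) )
        ? sanitize_text_field( wp_unslash( $query['_wpnonce'] ) )
        : '';

    if ( 0 === $order_id || '' === $nonce ) {
        return 'missing';
    }

    // wp_verify_nonce() returns false for an invalid or expired nonce,
    // 1 or 2 for a valid one depending on its age.
    return wp_verify_nonce( $nonce, MY_NONCE_ACTION ) ? 'ok' : 'invalid';
}

add_action( 'template_redirect', function () {
    // Only act on the thank-you page; every other request passes through untouched.
    if ( ! is_page( MY_THANKYOU_SLUG ) ) {
        return;
    }

    if ( 'ok' !== my_thankyou_link_state( $_GET ) ) {
        // Keep caches from storing the redirect for a URL that may be valid for another visitor.
        nocache_headers();
        // wp_safe_redirect() only follows allowed hosts, so the target cannot be turned into an open redirect.
        wp_safe_redirect( home_url( MY_EXPIRED_PATH ) );
        exit;
    }
} );
```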