OSCOM v2.3.2 and Upcoming Releases
osCommerce Online Merchant v2.3.2 has just been released; it improves the customer password-forgotten routine and the generation of random strings.
Previously, when the customer requested a new password, their password was instantly updated to a random string and was e-mailed to the customer. The length of the random password was based on ENTRY_PASSWORD_MIN_LENGTH which by default is 5 characters long.
Although longer passwords are strongly recommended, the real problem was that the random string generated for the new password was not random enough to be used securely, because the random number generator was weakly seeded.
This has now been improved by using Phpass' get_random_bytes() method to generate cryptographically secure random strings based on /dev/urandom, openssl_random_pseudo_bytes(), and mcrypt_create_iv() where available. Phpass was introduced in osCommerce Online Merchant v2.3.0 to replace the older password hashing algorithm.
Also new to the customer password-forgotten routine is that the customer's password is no longer instantly replaced with a random string. Instead, a personal link is generated and e-mailed to the customer, giving them 24 hours to set their own new password. Customers can ignore the e-mail if they did not request a new password themselves, and can continue to use their existing password if they have remembered it. New password requests are protected by an Action Recorder module that limits requests to once every 5 minutes (this is configurable).
Once the customer has updated their password via their personal link, they are redirected to the login page to log in with their new password. There are advantages and disadvantages both to automatically authenticating the customer as soon as they have updated their password and to making them log in again. We chose a manual login for two technical reasons:
We did not want to duplicate the core login code, as the copy would miss Add-On or custom changes made to the login routine.
We did not want an automatic redirect page pointing to login.php that carries the customer's e-mail address and password in plain text in hidden form fields.
The advantage of a manual login is that it gives the customer an opportunity to save their new credentials in their browser's password management feature.
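The flow described above, as an added example written for this post and not osCommerce's own code: a random reset token is drawn from a cryptographically secure source, only its hash is stored next to a 24-hour expiry, requests are rate limited, and a successful reset clears the token and hands the customer back to the login page rather than authenticating them or echoing credentials into a form. The customer array, the URL, the field names and all helper functions are assumptions for the example; the real shop hashes passwords with Phpass' HashPassword().

```php
<?php
// Added example, not osCommerce code. $customers is an in-memory array standing in
// for the customers table (constructed fixture); field names and helpers are assumed.

define('RESET_LINK_LIFETIME', 24 * 60 * 60); // reset links are valid for 24 hours
define('RESET_REQUEST_INTERVAL', 5 * 60);    // at most one request per 5 minutes

// Cryptographically secure random bytes from the kinds of sources the post names
// (openssl_random_pseudo_bytes(), mcrypt_create_iv(), /dev/urandom). If none is
// available the function fails closed instead of falling back to rand()/mt_rand().
function secure_random_bytes($count) {
    if (function_exists('openssl_random_pseudo_bytes')) {
        $strong = false;
        $bytes = openssl_random_pseudo_bytes($count, $strong);
        if ($strong === true && strlen($bytes) === $count) {
            return $bytes;
        }
    }
    if (function_exists('mcrypt_create_iv')) {
        $bytes = mcrypt_create_iv($count, MCRYPT_DEV_URANDOM);
        if ($bytes !== false && strlen($bytes) === $count) {
            return $bytes;
        }
    }
    if (is_readable('/dev/urandom') && ($fh = fopen('/dev/urandom', 'rb')) !== false) {
        $bytes = fread($fh, $count);
        fclose($fh);
        if (strlen($bytes) === $count) {
            return $bytes;
        }
    }
    throw new RuntimeException('no cryptographically secure random source available');
}

// Constant-time string comparison (hash_equals() only arrived in PHP 5.6).
function constant_time_equals($known, $given) {
    if (strlen($known) !== strlen($given)) {
        return false;
    }
    $diff = 0;
    for ($i = 0, $n = strlen($known); $i < $n; $i++) {
        $diff |= ord($known[$i]) ^ ord($given[$i]);
    }
    return $diff === 0;
}

// Password storage via crypt() bcrypt; stands in for Phpass' HashPassword().
function hash_password($password) {
    $salt = substr(strtr(base64_encode(secure_random_bytes(16)), '+', '.'), 0, 22);
    return crypt($password, '$2y$10$' . $salt);
}

// Step 1: the customer asks for a reset. The stored password is left untouched; a
// random token is issued, only its SHA-256 hash is kept, and the raw token goes
// into the e-mailed link. Unknown addresses and rate-limited requests both return
// null so the response does not reveal which addresses exist.
function password_reset_request(array &$customers, $email, $now) {
    if (!isset($customers[$email])) {
        return null;
    }
    $c = &$customers[$email];
    if (isset($c['reset_requested']) && ($now - $c['reset_requested']) < RESET_REQUEST_INTERVAL) {
        return null; // the Action Recorder's job in osCommerce
    }
    $token = bin2hex(secure_random_bytes(20)); // 160 bits of entropy, 40 hex characters
    $c['reset_key']       = hash('sha256', $token);
    $c['reset_expires']   = $now + RESET_LINK_LIFETIME;
    $c['reset_requested'] = $now;
    return 'https://shop.example/password_reset.php?email=' . rawurlencode($email) . '&key=' . $token;
}

// Step 2: the customer follows the link within 24 hours and sets a new password.
// The token is single use and is cleared on success; the caller then redirects to
// the login page instead of authenticating the customer or posting credentials.
function password_reset_apply(array &$customers, $email, $token, $new_password, $now) {
    if (!isset($customers[$email])) {
        return false;
    }
    $c = &$customers[$email];
    if (empty($c['reset_key']) || $now > $c['reset_expires']) {
        return false; // no pending request, or the 24-hour window has passed
    }
    if (!constant_time_equals($c['reset_key'], hash('sha256', $token))) {
        return false;
    }
    $c['password'] = hash_password($new_password);
    unset($c['reset_key'], $c['reset_expires']);
    return true;
}

// Constructed demonstration: request a link, then use it once (second use fails).
$customers = array('alice@example.com' => array('password' => hash_password('old-password')));
$link = password_reset_request($customers, 'alice@example.com', time());
parse_str(parse_url($link, PHP_URL_QUERY), $query);
var_dump(password_reset_apply($customers, 'alice@example.com', $query['key'], 'new-password', time() + 3600));
var_dump(password_reset_apply($customers, 'alice@example.com', $query['key'], 'again', time() + 3600));
```

Storing the hash of the token rather than the token itself means a read of the customers table does not hand out usable reset links, and the constant-time comparison keeps the check from leaking how many leading characters of a guessed key were correct. The first var_dump() reports a successful reset; the second fails because the token was cleared on use.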
We wanted to make updating to these improvements as easy as possible and have placed these improvements in v2.3.2 only. Additional bug fixes will soon arrive in v2.3.3, and a PHP 5.4 compatible release will arrive shortly after in v2.4.
A new discussion channel has been added to the forum to discuss upgrades from earlier versions.