0

Here is the situation. My company has an e-commerce store, but we don't gather or process credit card information ourselves. When a user selects "Pay with credit card", they are immediately taken to the payment site, and then that site processes their credit card and sends the status back to us so that the order can be marked paid. Our site runs on ColdFusion, and it receives the data from the site as form data, processes the form variables, and creates an order for the customer, marked as paid. The credit card site only sends the information once, and there is no "handshake".

In the last month and a half we have been having an issue where occasionally we are not getting the information from the credit card processing site, although they say they have sent it. Hence orders are not being created, and products are sitting in customers' carts, even though the credit card has been charged. This problem is intermittent. We can't tie it to any server changes on our side, and the credit card site denies changes on their side.

So among the things we are trying to do is to log when the customers are actually trying to pay by credit card (so we can catch the missed ones more easily). So I want to somehow log the event when someone clicks "Pay with credit card." The issue is that the form action submits the data to the credit card site. The only way I can think of to do this is to change the form action to a page on our site, log the payment attempt, and then submit the form again to the credit card company. I know I can submit a form automatically with JavaScript, but that seems like a bad solution (what if JS is turned off?), and I don't know how it would be possible to do server-side.

Please try to avoid solutions that involve AJAX if possible, as I know very little about it (I am a very rookie web developer in general, and just inherited this whole set-up).

Better solutions for how to log this event, or suggestions in general for this mess, will be greatly appreciated!


Responses to comments:

To Sam Dufel: Would love to change to another provider like Paypal. Unfortunately my company is actually part of a university and we all have to use the same payment gateway.

To flup: Would using a 301 or 302 status code preserve the form data? I tried looking this up, and it looks like it works with "get", but I need it to be sent with "post", since that is what the payment gateway is expecting.

To imthepitts: We receive it as form data.

To Revent: The issue is that orders aren't getting created at all (so customer and order information is just sitting in the temporary basket/customer/order tables). It seems like the page that is supposed to process the form data from the payment gateway isn't being accessed. I have added some logging to that page, but my company is so freaked out that they have disabled credit card payments and so I am not getting any data. If I can convince them that I have implemented a good logging solution to identify bugged orders quickly, they will turn it back on.

To Laksma: We are using a unique identifier that is sent back. What I meant by handshake is some way of the payment gateway verifying that they have made a connection with our server. Maybe I was using the word incorrectly. Thank you for the suggestion of the log on the receiving page- I have added that.

To Nenotlep: I know I said no AJAX, but I would like to hear more about your idea. Would the call to the logging page interfere with the form submission at all? I'm assuming it would be set up so that the function would trigger on the "onclick" event for the form button, and then form submission would proceed as normal? If it is easy to set up, then maybe that would be a good way of doing it.

I'm thinking of trying Sanjeev's solution, since that is similar to what I was planning to do anyway, but I actually would like to hear more about the AJAX idea if it is really that simple, mainly because it won't change the customer experience at all (unlike seeing the redirecting screen).

Additional response to steve:

I appreciate your input, and normally I love teaching myself new things, but I am just way too overwhelmed right now to even think about tackling a new technology.

bansheekitty
  • 1
    I was going to suggest a simple AJAX logger, but well. It really is a very simple thing to build; at the simplest a GET request to a URL that has one parameter like "site.fi/log?msg=UserFoobarSentPostThing" and server-side just straight up force the message into your logging system. OK, maybe some primitive data filtering could be useful just in case of malicious requests, but really, it is very, very simple to build something like that even though it is AJAX :) – Joel Peltonen Apr 23 '13 at 21:10
  • 2
    Your credit card processing site should have a log of the transactions already. If not.... I'd strongly suggest you find a better provider. – Sam Dufel Apr 23 '13 at 21:11
  • You could perhaps have the "pay with credit card" button point to a URL on your own site, log when it gets hit, and then send an [HTTP 301 or 302](http://en.wikipedia.org/wiki/HTTP_302) to redirect the browser to the actual credit card site. See http://stackoverflow.com/questions/2503300/how-do-you-redirect-in-coldfusion-and-control-the-status-code-i-e-301-instead – flup Apr 23 '13 at 21:27
  • "we are not getting the information from the credit card processing site, although they say they have sent it" - How does the credit card processing site "send" this information to you? – imthepitts Apr 23 '13 at 21:31
  • 1
    You might be able to do something with cfhttp, but even if you succeed, you are still in a yes I did, no you didn't situation. – Dan Bracuk Apr 23 '13 at 22:48
  • 1
    Store the order but mark it as 'unpaid', 'pending cc payment', whatever instead of 'paid'. Intermittent problems sound suspicious - I would keep on the payment vendor and check their payment log in the admin. – Revent Apr 23 '13 at 22:56
  • I know you said you're a rookie, but a simple jQuery solution would be the best way to go. Why not try to learn something to solve a problem? Link jQuery to your page. Add a .click event on your button, send a few variables to a ColdFusion file with a .get or .post routine and then submit your form. These technologies go hand in hand, and avoiding them because you're new will just limit your capabilities. Being new, you could spend 1 hour and have a solid solution. – steve Apr 24 '13 at 12:37

2 Answers

4

I work on a payment gateway and had the same problem as yours. This was my solution -

  1. Post the values to an intermediate page called 'requestHandler.cfm'.

  2. requestHandler.cfm saves the values into database table.

  3. Continue to create a <form> with all the required values as <input hidden>. Place a submit button and also JavaScript to fire 'submit' in, say, 2 seconds. Also put a note that, "If the page does not refresh in some time, click the submit button". As you are not going to do any validation on the form, a 'submit' button will just submit the form with or without JavaScript being active.
  4. The Creditcard company will process the information and reply back with the values to a 'responseHandler.cfm' page.
  5. I shall update my data based on the 'primarykeyvalue' sent to them. (Or just any reference that can identify the user)

Database table sample

[Image: DatabaseDesign]

  • The TransactionID will be '0' by default and will change to the number given by the credit card company
  • The paid flag which is default 'N' shall change to 'Y'
  • The Actual amount is what I have sent to be charged on the user credit card.
  • The Paid Amount should match the actual amount. This is to help me find if the details are tampered in any case by the user or middle man.
Sanjeev
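A sketch of the intermediate page from steps 1 to 3 above, as an added example that is not code from the answer. It assumes ColdFusion 10 or later (for `encodeForHTMLAttribute`); the datasource `shop`, the `Basket` and `PaymentAttempt` tables, the field names and the gateway URL are hypothetical placeholders.

```cfml
<!--- requestHandler.cfm: added example, not code from the answer.
      Assumed names: datasource "shop", tables Basket and PaymentAttempt,
      fields basketID/reference/amount, and the gateway URL placeholder. --->
<cfparam name="form.basketID" type="integer">

<!--- Take the amount from our own data, never from the posted form. --->
<cfquery name="basket" datasource="shop">
    SELECT Total FROM Basket
    WHERE BasketID = <cfqueryparam value="#form.basketID#" cfsqltype="cf_sql_integer">
</cfquery>
<cfif basket.recordCount NEQ 1>
    <cfheader statuscode="400" statustext="Bad Request">
    <cfabort>
</cfif>

<!--- Unique reference the gateway is asked to echo back to responseHandler.cfm. --->
<cfset attemptRef = createUUID()>
<cfset amount = numberFormat(basket.Total, "0.00")>

<!--- Steps 1-2: record the attempt before the customer leaves our site. --->
<cfquery datasource="shop">
    INSERT INTO PaymentAttempt
        (AttemptRef, BasketID, ActualAmount, PaidAmount, TransactionID, Paid, AttemptedAt)
    VALUES (
        <cfqueryparam value="#attemptRef#" cfsqltype="cf_sql_varchar">,
        <cfqueryparam value="#form.basketID#" cfsqltype="cf_sql_integer">,
        <cfqueryparam value="#amount#" cfsqltype="cf_sql_decimal" scale="2">,
        0, '0', 'N',
        <cfqueryparam value="#now()#" cfsqltype="cf_sql_timestamp">
    )
</cfquery>

<!--- Step 3: a plain form that works without JavaScript; the script only
      saves the customer a click. Values are encoded for the attribute context. --->
<cfoutput>
<form id="pay" method="post" action="https://gateway.example/pay">
    <input type="hidden" name="reference" value="#encodeForHTMLAttribute(attemptRef)#">
    <input type="hidden" name="amount" value="#encodeForHTMLAttribute(amount)#">
    <p>If the page does not refresh in some time, click the submit button.</p>
    <input type="submit" value="Continue to payment">
</form>
<script>
    setTimeout(function () { document.getElementById("pay").submit(); }, 2000);
</script>
</cfoutput>
```

Rows that still show `Paid = 'N'` some minutes after `AttemptedAt` are the candidates to check against the gateway's own transaction log.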
0

Handshake:

When a user is taken to the payment site, you should include a unique identifier to distinguish the order, such as OrderID. Your payment provider must have some custom fields for your own use. Then, when the user is taken back to your site, the payment site response data should include the OrderID. That way you can match them. In other words, a "handshake" has occurred.

Intermittent successful payment:

On the listener, the page where the payment provider returns form data, you should implement a log to record from where the page is called and what data is sent.

"... is to change the form action to a page on our site, log the payment attempt, and then submit the form again to the credit card company." This is a doable solution.

Laksma
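A sketch of the listener page described above, as an added example that is not code from either answer: it logs every call before doing anything else, matches the echoed reference, and marks the attempt paid only if the amount agrees. The datasource `shop`, the `PaymentAttempt` table, the log file name and the posted field names are hypothetical; the amount check catches a changed value but does not by itself prove the request came from the gateway.

```cfml
<!--- responseHandler.cfm: added example, not code from the answers.
      Assumed names: datasource "shop", table PaymentAttempt, log file
      "gatewayCallback", posted fields reference/transactionID/paidAmount. --->

<!--- Log every hit before any other logic, so a call that later fails is still
      on record. serializeJSON escapes line breaks, keeping one entry per line. --->
<cflog file="gatewayCallback" type="information"
       text="from=#cgi.remote_addr# method=#cgi.request_method# form=#serializeJSON(form)#">

<cfparam name="form.reference" default="">
<cfparam name="form.transactionID" default="">
<cfparam name="form.paidAmount" default="">

<cfquery name="attempt" datasource="shop">
    SELECT ActualAmount, Paid FROM PaymentAttempt
    WHERE AttemptRef = <cfqueryparam value="#form.reference#" cfsqltype="cf_sql_varchar">
</cfquery>

<cfif attempt.recordCount NEQ 1>
    <cfset outcome = "unknown-reference">
<cfelseif attempt.Paid EQ "Y">
    <cfset outcome = "duplicate-callback">
<cfelseif NOT isNumeric(form.paidAmount)
       OR compare(numberFormat(form.paidAmount, "0.00"),
                  numberFormat(attempt.ActualAmount, "0.00")) NEQ 0>
    <!--- Amount differs from what we sent: leave unpaid for manual review. --->
    <cfset outcome = "amount-mismatch">
<cfelse>
    <!--- "AND Paid = 'N'" makes a repeated callback a no-op. --->
    <cfquery datasource="shop">
        UPDATE PaymentAttempt
        SET Paid = 'Y',
            PaidAmount = <cfqueryparam value="#form.paidAmount#" cfsqltype="cf_sql_decimal" scale="2">,
            TransactionID = <cfqueryparam value="#form.transactionID#" cfsqltype="cf_sql_varchar">
        WHERE AttemptRef = <cfqueryparam value="#form.reference#" cfsqltype="cf_sql_varchar">
          AND Paid = 'N'
    </cfquery>
    <cfset outcome = "paid">
</cfif>

<cflog file="gatewayCallback" type="information"
       text="reference=#serializeJSON(form.reference)# outcome=#outcome#">
```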