Issue with PayPal Express and Customer Checkout Registration in Magento
Recently I discovered a bug in the core Magento 1 PayPal Express extension that causes the user to be redirected to the home page after the PayPal checkout, with no error message.
As the investigation was a rather lengthy process, I'll describe the details, and of course the easy fix, in this post.
What is the reason for the bug?
This bug always occurs when a user creates a new customer account during checkout and pays with PayPal Express. After the redirect from PayPal, the user first lands on the PayPal Express controller, which redirects to the default order success page. From that page the user is then automatically redirected once more, to the home page, as can easily be seen in the browser's request tool:
After the redirect from PayPal,
Mage_Paypal_Controller_Express_Abstract::returnAction() internally redirects to
preDispatch() method there then
Mage_Core_Model_Session_Abstract_Varien::_validate() is called to validate
the customer session. In particular, for security reasons it is checked that the timestamp of the customer's password creation is not later than the time the session was created.
The password creation timestamp is a separate attribute on the customer entity; if it is not available, the customer account creation timestamp is used instead.
Somehow in this PayPal method, in contrast to the default one page checkout in
Mage_Checkout_Model_Type_Onepage::_prepareNewCustomerQuote(), the password creation timestamp is never set explicitly, so the account creation timestamp is used for the check. Unfortunately, that timestamp lies after the session creation time, so the check fails, the session is destroyed in
Mage_Core_Model_Session_Abstract_Varien::validate(), and the customer is redirected to the home page.
How can PayPal Express checkout and customer registration be fixed in Magento 1?
The fix is as simple as rewriting the method
Mage_Paypal_Model_Express_Checkout::_prepareNewCustomerQuote() and adding the following code before the customer is saved:

    // The session validator data only stores the expiry timestamp, so the
    // session creation time is derived as expiry minus the cookie lifetime.
    $validatorData = $this->getCustomerSession()->getData('_session_validator_data');
    $passwordCreatedTime = $validatorData['session_expire_timestamp']
        - Mage::getSingleton('core/cookie')->getLifetime();
    // Set the password creation time explicitly so the session check does
    // not fall back to the (later) account creation timestamp.
    $customer->setPasswordCreatedAt($passwordCreatedTime);
This is by the way the same code that is also used in
With this bugfix the password creation timestamp attribute on the customer is set and is correctly used for the session validity comparison.
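To make the failure mode and the fix concrete, here is an added, stand-alone PHP example that models the session check described above. It is not Magento core code: the function names, the array keys other than session_expire_timestamp, and the sample timestamps are assumptions constructed for illustration. It shows why the account creation fallback fails for an account created mid-session, why setting the password creation time to the session start makes the check pass, and that the check still rejects a session that predates a later password change.

```php
<?php
// Added example, not Magento's own code. Models the rule enforced by
// Mage_Core_Model_Session_Abstract_Varien::_validate(): a session created
// before the customer's password was (re)created must be rejected.

/**
 * Derive the session creation time the same way the fix does: the validator
 * data only stores the expiry timestamp, so subtract the cookie lifetime.
 * (Key name session_expire_timestamp is from the fix; the helper is assumed.)
 */
function sessionCreatedAt(array $validatorData, $cookieLifetime)
{
    return $validatorData['session_expire_timestamp'] - $cookieLifetime;
}

/**
 * Hypothetical model of the password-age check. If password_created_at is
 * not set, the account's created_at is used as the fallback, as in Magento.
 */
function isSessionValidForCustomer(array $customer, $sessionCreatedAt)
{
    $passwordCreatedAt = isset($customer['password_created_at'])
        ? $customer['password_created_at']
        : $customer['created_at'];

    // The password must not have been created after the session started.
    return $passwordCreatedAt <= $sessionCreatedAt;
}

// Constructed sample data: a one-hour cookie, a session that started at
// $sessionStart, and an account created 60 seconds later during checkout.
$cookieLifetime = 3600;
$validatorData  = array('session_expire_timestamp' => 1700000000 + $cookieLifetime);
$sessionStart   = sessionCreatedAt($validatorData, $cookieLifetime);

$customer = array('created_at' => $sessionStart + 60); // no password_created_at yet

// Buggy path: the fallback created_at is later than the session start,
// so the session is rejected and the customer lands on the home page.
$buggy = isSessionValidForCustomer($customer, $sessionStart);

// Fixed path: set password_created_at to the session start time, exactly
// what the rewritten _prepareNewCustomerQuote() does.
$customer['password_created_at'] = $sessionStart;
$fixed = isSessionValidForCustomer($customer, $sessionStart);

// The rule still does its job after the fix: a password (re)created after
// the session started, e.g. by a password reset, invalidates the old session.
$customer['password_created_at'] = $sessionStart + 120;
$afterReset = isSessionValidForCustomer($customer, $sessionStart);

printf("account created mid-session, no fix: %s\n", $buggy ? 'valid' : 'rejected');
printf("with password_created_at = session start: %s\n", $fixed ? 'valid' : 'rejected');
printf("password changed after session start: %s\n", $afterReset ? 'valid' : 'rejected');
```

The point of the third case is that the fix does not weaken the check: it only aligns the new account's password timestamp with the session that created it, while a session that predates a later password change is still thrown away.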