PayPal double payments

@Jazzper - Is it possible that your users are clicking the back button after payment is completed on PayPal’s site?

@JediShark - I kinda doubt it, based upon our membership audience of retirees. Let me catch you up to what I’ve done since talking with Cristian…
I cloned the production site over to a dev sub-domain and tried to replicate the problem but could not do so (I may have mentioned that bit already). A day or so after that though, I had an idea based upon performance problems I was having with my personal website that uses the same hosting provider. One of their suggestions was to upgrade its version of PHP from v5.6 to 7.2 and add some memory usage parameters to the php.ini file.

So it hit me that when I created the new sub-domain for testing/troubleshooting this problem on our club’s membership site, it was created with the latest version of PHP. So I checked the version on our prod site and sure enough, it was still on v5.6 also. So I upgraded it to v7.2 on Feb. 16th, I believe. Since then we’ve had no double-payments but we haven’t really had a lot of renewals or new sign-ups:

  • 1 on the 16th
  • 3 on the 17th
  • 1 on the 18th
  • 14 on the 19th (night of our meeting)
  • 1 on the 20th
  • 2 on the 21st

So I still have my fingers crossed!!

I’m going to play around some more on the dev site to check out where the possibility might be for users to double-click a Submit button (maybe do some print screens as additional ammo to show users what not to do). Cristian also mentioned something about the possibility of putting some JavaScript in to disable clicking the Submit button twice. But I don’t know anything about JavaScript coding so I asked him for specifics on that bit.

We’ve got house guests thru Sunday though, so my time is limited until next week. Sorta wish I could say that I could have reproduced the problem on the dev test site but…

Thanks for following up.

1 Like

Cristian also mentioned something about the possibility of putting some JavaScript in to disable clicking the Submit button twice. But I don’t know anything about JavaScript coding so I asked him for specifics on that bit.

I haven’t needed to do it myself yet, but I know it can be done, and it’s something many want to do to avoid repeated form submissions. https://www.google.com/search?q=disable+form+button+after+submit

So I upgraded it to v7.2 on Feb. 16th, I believe. Since then we’ve had no double-payments

That is great news! Thank you for your update. :smiley:

Keep an eye on that for a while and let us know if you get a double payment again, please.

1 Like

Well, it’s been a while but it finally happened again – grrrr…

I thought (hoped) that the upgrade to the latest version of PHP a couple of weeks ago might have resolved things, but yesterday (3/3) we had a double payment at 15:47 and 15:48 when a member renewed her membership for another year. I did have the debugging logs still turned on per your suggestions and I do see the duplicate payments in the gateway-core-ipn.log and the paypal-api.log files. Is there something specific that I should be looking for in those files or any others that would point to the problem?

Thanks!

Thanks for the update, Chuck.

Well, it’s been a radical improvement to only have one after so long. Let’s look into it closer then.

Do the entries for the double charge have the same transaction or subscr ID, or are they different from each other?

Could you ask the customer if she clicked the button more than once, or if she remembers what she did through the checkout? Any hint we may get from the user actions may be helpful to spot how to reproduce the issue, and then locate the source of the behavior.

:slight_smile:

I sent her an email asking if she remembered what she did but haven’t heard back from her yet. Looking in the paypal-api log file, I see 2 different transaction IDs. I’m not sure if that text contains confidential info so I’ll send it to you in a private message.

1 Like

Hi Cristian,

Hopefully that log file attachment came thru OK this time. I heard back from the other woman who had the latest “double payment” and it was definitely a senior moment on her part! She didn’t realize the email address on the PayPal account was her husband’s so when she didn’t get the normal email from PayPal, she did it again 2 hours later.

Oh well…at least that one is explainable!!
Thanks!

1 Like

Thank you for the update!

That was just a normal mistake, so the site seems to be working fine then, right? I’m so glad that you’re not getting those double charges like before.

Let me know if you need help again. :slight_smile:

Well…I wouldn’t say it’s working normally. There’s still the woman who had the double payments a minute or so apart because she “clicked somewhere twice”. Until I can figure out how to completely eliminate that possibility, I’m sure it will happen again and again.

I don’t understand why the plugin even allows that possibility. Shouldn’t a payment Submit button be greyed out automatically after being clicked once to make it impossible for something like that to happen?

Hi Cristian,
Well, I’m 0 for 3 in sending you that log file snippet. First one was attaching it as a .rtf file; second was attaching it as a .txt file; then yesterday I just cut-and-pasted the text into the email. All 3 were bounced with that message above so I’m assuming the last one didn’t reach you either. Any suggestions on how to send this relatively small bit of text? Thx!

I think the problem is that s2Member relies on the WordPress function wp_create_nonce() to create the nonce that authorizes the processing of the form. Unfortunately, this doesn’t create a genuine nonce (a "number used once") but only a token that expires after a time limit. So it can be used more than once, and thus permits forms to be resubmitted.

What I have done to overcome this problem in my own custom forms is to use WPSimpleNonce (added as a single-file mu-plugin) to generate a genuine nonce, and then place that in a hidden form field instead of using wp_create_nonce(). A fuller explanation may be found here: https://pantheon.io/blog/nonce-upon-time-wordpress.

Maybe Cristian might be able to build the WPSimpleNonce approach into a future version of s2Member.

1 Like
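The approach Tim describes, and the greyed-out Submit button Chuck asked about, as an added example that is not s2Member's, WPSimpleNonce's or any forum member's code: a random single-use token is stored server-side, sent in a hidden field, and deleted the first time it is verified, so a second submission of the same form (whether a double-click or a browser back button) is rejected before any payment request is built. The pay_form_* helper names are assumed; the WordPress functions used (set_transient, get_transient, delete_transient, esc_attr, wp_unslash, wp_die) are real.

```php
<?php
// Added example, not s2Member's or WPSimpleNonce's code. A genuine single-use
// token replaces wp_create_nonce(), whose tokens stay valid for a time window
// and so can be replayed; the onsubmit guard greys out the Submit button.
// pay_form_* names are hypothetical; the WordPress functions are real.

const PAY_FORM_NONCE_TTL = 15 * MINUTE_IN_SECONDS; // time allowed to fill in the form

// Issue a random token, remember it server-side under its hash, bound to the
// current user (0 for an anonymous sign-up), and return it for the hidden field.
function pay_form_issue_nonce() {
    $token = bin2hex( random_bytes( 16 ) ); // 128 bits from the CSPRNG
    $key   = 'pay_form_nonce_' . hash( 'sha256', $token );
    set_transient( $key, array( 'uid' => get_current_user_id() ), PAY_FORM_NONCE_TTL );
    return $token;
}

// Validate and consume a token. Returns true exactly once per token; a replay,
// an expired token, a malformed value or another user's token returns false.
function pay_form_consume_nonce( $token ) {
    if ( ! is_string( $token ) || strlen( $token ) !== 32 || ! ctype_xdigit( $token ) ) {
        return false;
    }
    $key  = 'pay_form_nonce_' . hash( 'sha256', $token );
    $data = get_transient( $key ); // false when unknown or expired
    if ( ! is_array( $data ) || (int) $data['uid'] !== get_current_user_id() ) {
        return false;
    }
    // In the default DB-backed store delete_transient() returns true only for
    // the call that removed the row, so two racing submissions cannot both pass.
    return delete_transient( $key );
}

// Form markup: token in a hidden field; the onsubmit handler disables the
// Submit button after the first click (a usability aid only; the server-side
// check above is what actually prevents a second charge).
function pay_form_open() {
    return '<form method="post" onsubmit="this.querySelector(\'[type=submit]\').disabled=true">'
         . '<input type="hidden" name="pay_form_nonce" value="' . esc_attr( pay_form_issue_nonce() ) . '">';
}

// POST handler: consume the token before anything is sent to PayPal.
function pay_form_handle_post() {
    $token = isset( $_POST['pay_form_nonce'] ) ? (string) wp_unslash( $_POST['pay_form_nonce'] ) : '';
    if ( ! pay_form_consume_nonce( $token ) ) {
        wp_die( 'This form was already submitted or has expired; reload the page and try again.', '', array( 'response' => 409 ) );
    }
    // ... build and send the single payment request here ...
}
```

A persistent object cache can evict transients early, so for payment-critical tokens a dedicated database table is more robust than the transient API. This does not, and should not, block the separate case from earlier in the thread where a member reloaded the page and paid again two hours later, since each page load issues a fresh token.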

Thanks for that link, Tim. It was certainly interesting reading! Maybe in a couple of years I’ll be able to fully understand it but at this point, it’s definitely above my pay grade :slight_smile:

Hi Cristian,

Looks like you’ve been playing on the dev site I set up :). Thanks!
Those lines you put in the .htaccess file:

    # BEGIN s2Member GZIP exclusions
    RewriteEngine On
    RewriteBase /
    RewriteCond %{QUERY_STRING} (^|\?|&)s2member_file_download\=.+ [OR]
    RewriteCond %{QUERY_STRING} (^|\?|&)no-gzip\=1
    RewriteRule .* - [E=no-gzip:1]
    # END s2Member GZIP exclusions

made the site throw up a 500 error so I reverted back to the original one just a few minutes ago. No worries though - you and I are the only 2 people using that test area so feel free to play around.

Just out of curiosity…did you ever get that log file I sent you? The one that got bounced back to me 3 times when I sent it as an attachment in a private message, and then last tried just cutting-and-pasting the text into a message.

Hi Chuck,

I did review the site and logs a bit, didn’t edit the .htaccess file. Weren’t those added by s2Member from the beginning? :confused:

Maybe something else changed on your installation that caused these to throw a 500 error?

I did get the log entries when you put them in the body of the message. I thought I replied to you there… Oh, I see, I had typed the reply but left it as a draft. Sorry about that. I replied now.