Question

On one of our Magento websites we found that anyone is able to view the success page of a specific order if they provide parameters in the URL. Customers can reopen, reload or bookmark URLs like this and end up making our Google Analytics code record multiple transactions when they actually happened only once.

The URL looks like this: https://www.magentostore.com/checkout/onepage/success/oide/102573/qide/88498/incide/233916/inv/1/

Anyone can go to this URL and see the success page with the respective order number on it.

Normally, when a customer tries to refresh the success page or browse to it with no parameters with the url https://www.magentostore.com/checkout/onepage/success they are brought to checkout/cart and told their shopping basket is empty.

Another one of our Magento stores always shows a plain checkout/onepage/success URL when an order is placed, while still showing the order number on the page, and the customer can't revisit this page later.

I have found no redirects related to checkout, onepage, success or those parameters that would trim the URL. Both Magento websites (both installed separately, single store) use the same core code of Magento CE 1.9.2.3.


Solution

Found that our SagePay extension at version 3.5.1 was causing this, and it had been fixed since version 3.6.1, as mentioned in the changelog:

* Improvement: Don't allow success page to reload session more than once.

Previously it was reading the URL parameters and adding them to the session data every time. Since updating the SagePay extension to version 3.6.4, it only allows anyone to see that page once.
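To make the root cause concrete, here is an added PHP sketch of the two behaviours the answer contrasts. It is not SagePay's or Magento's code: the function names, the `$session` array standing in for the customer session, and the `ORDERS` lookup table are all constructed for the demo. The vulnerable handler rebuilds session state from the `oide`/`qide` URL segments on every request, which is both the cross-customer disclosure and the repeated analytics transaction. The hardened handler honours those parameters once per session (the behaviour the changelog line describes) and additionally checks that the order belongs to the quote this session was checking out, a check that goes beyond what the changelog states.

```php
<?php
// Added example, not code from the SagePay extension or from Magento.
// Models a success page reached via /checkout/onepage/success/oide/102573/qide/88498/.
// ORDERS, the $session array and the function names are constructed for the demo.

declare(strict_types=1);

// Constructed stand-in for the orders table: order id => quote id that placed it.
const ORDERS = [
    102573 => 88498,
    102574 => 88499,
];

/**
 * Vulnerable: any request carrying oide/qide loads that order into the session,
 * so an unauthenticated visitor can open any order's success page, and every
 * reload by the customer renders (and tracks) the transaction again.
 */
function successPageVulnerable(array $params, array &$session): string
{
    if (isset($params['oide'], $params['qide'])) {
        $session['last_order_id'] = (int) $params['oide'];
        $session['last_quote_id'] = (int) $params['qide'];
    }
    if (empty($session['last_order_id'])) {
        return 'redirect:/checkout/cart';
    }
    return 'success:order=' . $session['last_order_id'];
}

/**
 * Hardened: URL parameters are accepted only if the session has not already
 * consumed them (one-shot flag) and the order really belongs to the quote that
 * this session was checking out (ownership check, an addition of this example).
 * The order id is cleared after one render, so a reload goes back to the cart.
 */
function successPageHardened(array $params, array &$session): string
{
    if (isset($params['oide'], $params['qide']) && empty($session['success_loaded'])) {
        $orderId = (int) $params['oide'];
        $quoteId = (int) $params['qide'];
        $ownsQuote    = isset($session['quote_id']) && $session['quote_id'] === $quoteId;
        $orderMatches = (ORDERS[$orderId] ?? null) === $quoteId;
        if ($ownsQuote && $orderMatches) {
            $session['last_order_id']  = $orderId;
            $session['success_loaded'] = true;
        }
    }
    if (empty($session['last_order_id'])) {
        return 'redirect:/checkout/cart';
    }
    $orderId = $session['last_order_id'];
    unset($session['last_order_id']); // consumed: one render per order
    return 'success:order=' . $orderId;
}

// Constructed request: the parameters from the URL in the question.
$params = ['oide' => 102573, 'qide' => 88498, 'incide' => 233916, 'inv' => 1];

// A stranger with an empty session pastes the customer's URL, twice.
$stranger = [];
echo successPageVulnerable($params, $stranger), PHP_EOL;
echo successPageVulnerable($params, $stranger), PHP_EOL;
$stranger = [];
echo successPageHardened($params, $stranger), PHP_EOL;

// The customer who placed the order: quote 88498 is already in their session.
$customer = ['quote_id' => 88498];
echo successPageHardened($params, $customer), PHP_EOL;
echo successPageHardened($params, $customer), PHP_EOL;
```

Running it with `php` shows the difference: the vulnerable handler renders order 102573 for the stranger on both requests, while the hardened handler sends the stranger to the cart, renders the page once for the customer whose session holds the matching quote, and sends that customer back to the cart on reload. The one-shot flag alone stops the repeated analytics hits; it is the ownership check that closes the disclosure to third parties, so when verifying an upgraded extension it is worth testing both cases separately.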

Licensed under: CC-BY-SA with attribution
Not affiliated with magento.stackexchange