Posts Tagged ‘Web Security’

PayPal IE8 Issue Demystified

Monday, November 30th, 2009

Search the web and it will become clear that IE8 (Internet Explorer version eight) and PayPal do not play nice when dealing with e-commerce store logins; especially with PayPal express checkout and website payments standard/pro. PayPal acknowledges that this issue exists but instead of shedding light on the problem they tell customers to back track to IE7; ouch.

When I first came across this issue a month or so ago this was a new problem with not much information out there to help figure out what was going on. As a result, I spent 3 to 4 days tracking down the problem and feel I should share my knowledge.

The Issue – Compatibility View

In short, the issue has to do with the new IE8 Compatibility View feature (the IE7 rendering engine within IE8) and users who choose the “Express Setup” option when first running IE8. The only other option to pick from is  Custom Setup; thus, one can assume that 9 times out of 10 Express will be picked. Unfortunately, the PayPal issue lies with Express Setup for it enables Compatibility View by default by turning on an option called “Include updated website lists from Microsoft” (to see this option go to the Tools Menu > Compatibility View Settings); below is a screen shot of this (click the image to enlarge):

IE8 Compatibility View Settings Dialog

Microsoft tells developers that this option downloads monthly to each IE8 client to tell the application which websites/domains need to be rendered in Compatibility View. I located this file and opened it with Excel and it showed that PayPal made it on this list during IE8 beta testing. As a result, if (1) the aforementioned option is enabled/checked and (2) you are validating the HTTP_USER_AGENT (like you should); your customers will experience log out issues when returning from PayPal during your checkout process. Reason being, users will return from PayPal with an IE7 User Agent instead of the IE8 User Agent  due to compatibility view.

The Solution

Sadly, there is no easy solution. I tried to making IE8 Emulate IE7 with no success. Knowing that most secure web applications will check the HTTP_USER_AGENT (the cause of the problem) you have to find a way to fix it.  Some e-commerce solutions allow you to disable the HTTP_USER_AGENT check but in reality that makes website is less secure. The best solution is to be honest with your customer by providing a dialog (use the IE conditionals comment tags) that informs them of the issue and what they should do; for example (click the image to enlarge):

IE8 PayPal Warning Dialog

I was unsure if the dialog would work; but I can say that since adding it to a handful of the e-commerce sites I  have had zero support tickets; whereas, there were daily support requests before.