Prestashop: I have a dream: Order reference to Order ID

Created on 5 Apr 2019  ·  9 comments  ·  Source: PrestaShop/PrestaShop

Hey there,

I just came across the weird fact that PS generates an alphabetic reference number and sends it in the confirmation emails to the customer. An order is also identified by an alphanumeric reference in the order history and on invoices, instead of by the order ID number, which is NUMERIC. Now, imagine you call the shop support and say you have the order ORKNSLBAKSJ, not the order ORKNSLBAKSI, which is obvious. Who the hell can have a crazy order like ORKNSLBAKSJ? Then you want to pay the order and you realize that banks do not accept alphanumeric values as reference numbers. So you say "Damn it, I ain't paying that f**ing order, I'd rather pay in cash at the shop 650 km away when I go there". So you don't pay.

Now, I'm not too much into programming, but how smart is that, to send an alphanumeric reference number to the customer to use as a bank payment reference number, when banks do NOT accept alphanumeric strings as a reference number in the payment details!

Now, I guess there's another "module" to fix that. But that one is not gonna be compatible with the next update, I guess, and will throw a white screen error because the dude that made it is from Cambodia and has tried it on PS 0.1 beta.

But you see...I imagine a world, where when an order is placed, a proper order ID is sent to the customer in the confirmation email. And also a proper confirmation email is sent to the admin. In a world called PS 1.7 that is just a dream...

Cheers, Martin

Improvement Order PM ✔️ TBS

All 9 comments

Hello @imartin1983,

Nice dream! Reporting this issue is the first step to making it true 😄 however I think you are missing some information here.

Not using the numerical Order ID is actually done on purpose, because 1) this order ID is generated by MySQL and 2) if someone knows we use the Order ID, he can actually guess other customers' order IDs and try to steal from you or from other customers using this piece of knowledge.

Basically, the "stealing" use case is:

  • I order from your shop
  • I see I got order 172662
  • I understand that order IDs are numeric and sequential
  • I can call your shop phone number and say that I want a refund for order 172663 (and repeat for order 172664, 172665) ... or if there is a shipping tracking system using it I can use my knowledge to guess more order IDs and try to use this information to hijack some of these shipments

You see the idea? It's a general good practice for software not to use numerical order IDs. There are additional reasons (uniqueness, sharing across databases, database duplication process made easy ...) but let's say that it has been proven over the years that using numerical order IDs generated from your database is going to mess with your shop at some point. It can lead the way to some phishing, stealing or hacking; this is not secure.

So "send a reference alphanumeric number to the customer" IS smart. It's actually the proper (meaning: secure) way to do it. The issue is on the bank side. Why can't they accept alphanumeric strings? As you said, there are multiple banks which accept it gracefully. Why do some of them not? What are their reasons not to do it? What is so complex about that?

But I guess we're not going to be able to change these banks' behavior, right? 😛 so maybe we can think about one way to work around this issue. But no, we're not going to remove alphanumeric order numbers. PrestaShop security (and YOUR security) matters more than a bank's Information System limitation.

Do you have examples of such banks ?

Hey matks,

I see your point. I agree security is key here.

But let's take the ecommerce big boys - Amazon. It uses randomly generated order numbers like 203-2791526-1249120 which serve primarily for tracking. Most big commerce uses random numeric order IDs. So there is no chance of guessing a random numeric order ID string, unless you're explicitly using sequential order IDs. But even if there is sequential ordering, a refund is issued on behalf of the same account that the payment came from.

So unless some crypto kid tries to hack our humble Amazon2 eshop, there is little chance of security concerns. And if that kid somehow guessed the 20-digit random ID string, I'll personally ask him to place a lottery ticket for me. Cos that kid has some talents!

So I still think my dream is gonna come true one day, if we want to follow the big guys in ecommerce (which we do, obviously) and we don't want to pi** off banks and make our customers sad because they can't pay their orders.
But...I don't see banks changing the SEPA system that has been around since the 60s anytime soon. And banks love numbers in general. Just as we do. ;)

One day, matks, that dream will come true.

Cheers,
Martin

But let's take the ecommerce big boys - Amazon. It uses randomly generated order numbers like 203-2791526-1249120 which serve primarily for tracking. Most big commerce uses random numeric order IDs.

That looks better indeed ;) but as you can see there are still the "-" parts which make it not a fully numerical ID 😉. Also it's still painful to spell this out on the phone 😅.

So using Amazon-like order numbers would be a relevant suggestion, what do you think?

I'm pinging Product Management team to discuss it @PrestaShop/prestashop-product-team
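The two comments above make the same point from both sides: a sequential MySQL ID lets anyone who sees order 172662 name orders 172663, 172664 and so on, while an Amazon-style reference is numeric (bank-friendly) yet drawn from a space far too large to enumerate. The following is an added illustration, not PrestaShop's code: it builds a 3-7-7 numeric reference from a CSPRNG, appends a Luhn check digit so a digit misheard on the phone is caught rather than resolving to another customer's order, and quantifies the per-guess hit rate. The function names and the 16-digit payload size are assumptions for the example.

```python
import re
import secrets

# Shape of the reference, e.g. 203-2791526-1249120 (3-7-7 digits, 17 in total).
REF_RE = re.compile(r"^\d{3}-\d{7}-\d{7}$")
PAYLOAD_DIGITS = 16          # random digits; the 17th is the check digit
REFERENCE_SPACE = 10 ** PAYLOAD_DIGITS


def luhn_check_digit(payload: str) -> str:
    """Standard Luhn check digit over a string of decimal digits."""
    total = 0
    # Walk right-to-left; the check digit will follow, so the right-most
    # payload digit is the one that gets doubled.
    for i, ch in enumerate(reversed(payload)):
        d = int(ch)
        if i % 2 == 0:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return str((10 - total % 10) % 10)


def luhn_valid(digits: str) -> bool:
    """True when the last digit is the correct Luhn check digit for the rest."""
    return len(digits) > 1 and luhn_check_digit(digits[:-1]) == digits[-1]


def new_numeric_reference(existing: set) -> str:
    """Draw a fresh, non-sequential, numeric-only reference.

    `existing` stands in for the shop's table of issued references; the
    collision retry is practically never taken but keeps uniqueness a
    guarantee rather than a probability.
    """
    while True:
        payload = "".join(secrets.choice("0123456789") for _ in range(PAYLOAD_DIGITS))
        raw = payload + luhn_check_digit(payload)
        ref = f"{raw[:3]}-{raw[3:10]}-{raw[10:]}"
        if ref not in existing:
            existing.add(ref)
            return ref


def reference_is_valid(ref: str) -> bool:
    """Cheap pre-check before any database lookup: shape plus check digit."""
    return bool(REF_RE.match(ref)) and luhn_valid(ref.replace("-", ""))


def guess_hit_probability(live_orders: int) -> float:
    """Chance that one random guess names a real order; for sequential IDs it is ~1."""
    return live_orders / REFERENCE_SPACE
```

Compare `guess_hit_probability(10**6)` (one in ten billion per guess for a shop with a million orders) with the sequential case, where every guess is a hit; the check digit additionally rejects any single misheard digit before the lookup happens.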

Yes, an ID like Amazon sounds good. They should have some experience with ecommerce. A product manager will make my dream come true...sounds good!

However I'm still wondering what reason the banks will be able to give you for not accepting alphanumeric numbers 😛. I hope it's not "sorry, the database field can only accept numbers".

Would it be difficult to let the end user choose the kind of ID they want, using some simple formula or parameters, and leave a good default one in the configuration?

Hi @matks,
Would it bring breaking changes and difficulties on an upgrade?

It seems this feature has been requested many times by merchants on agency projects. It would be interesting to add it to the order page migration.

Hi @matks,
Would it bring breaking changes and difficulties on an upgrade?

Yes it would bring breaking changes if we modify the behavior but we can avoid this by allowing people to choose whether they want to use this behavior or the old behavior.

No difficulties for the upgrade, I think 🤔 we will not modify old order IDs; only the new order IDs would be generated using this strategy.

It seems this feature has been requested many times by merchants on agency projects. It would be interesting to add it to the order page migration.

However, this is quite a lot of work. It's not the same size as the mail theme refactor or the CLDR refactor, but this is nonetheless a big job. In fact, changing the code is not so long; what is very long is to check everywhere in the code and the shop whether this breaks something 😄 as Order IDs are a central piece of data for PrestaShop and are used in a lot of places.

So it's a "little code, lots of verification" kind of task. So I advise not doing it along with the page migration; it should be a dedicated piece of work.

I see, thanks for the clarification @matks. With all the big features coming up on the order page, it won't fit in this version. It probably will in the next.

In the meantime @imartin1983, the project is open source, so if anyone you know or anyone who sees the issue can open a Pull Request (http://doc.prestashop.com/display/PS16/Contributing+code+to+PrestaShop?).
