Worldpay is a popular payment system, and Kartris ships with a plugin to support it.
When a successful order is paid at Worldpay's payment pages, Worldpay makes a callback to Kartris at the following URL:
Kartris receives this callback, and if all goes well, it should receive order information within POST fields, update the pending order as 'PAID' and send confirmation emails.
However, some sites have persistently had callbacks failing. Worldpay will send a callback failure email to the address set up within the Worldpay panel, and indicate the problem as follows:
Error reported: Callback to http://demo.kartris.com/Callback.aspx?g=rbsworldpay&d=off: NOT OK, recevied HTTP status: 302
Curiously, some sites based on exactly the same version of Kartris seem to work OK, while others, even on the same server, exhibit the 302-redirect problem.
The problem stems from the way the validateRequest functionality is handled in ASP.NET 4.0. This functionality provides a built-in filter mechanism against XSS. You will encounter it if, for example, you try to submit a form containing HTML.
In prior versions of ASP.NET, for cases where you needed to submit HTML data, you could turn the validateRequest functionality off in several ways: through the web.config (globally or for specific folders and pages), or within the page directive at the top of an ASPX file.
But in ASP.NET 4.0, this XSS filtering mechanism was extended to apply to all requests, not just pages with ASP.NET file extensions, and it was no longer possible to turn off validateRequest unless you also specified the ASP.NET 2.0 behaviour. This could be done as follows in the web.config:
<pages validateRequest="false" enableEventValidation="false" viewStateEncryptionMode="Always" />
<httpRuntime requestValidationMode="2.0" />
This code turns off validateRequest for the Callback.aspx page, and also ensures that this works by specifying the older ASP.NET 2.0 behaviour. Callbacks made to Kartris should no longer be redirected if the XSS filtering in ASP.NET thinks there is HTML or other suspicious content in the data Worldpay is posting back.
Assuming your other Worldpay settings are correct, you should have successful Worldpay callbacks working now.
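The two settings shown above apply to the callback page alone only when they sit inside a location element. The fragment below is an added example, not copied from the Kartris web.config, and assumes Callback.aspx sits in the site root beside web.config, as the URL in the failure email suggests.

```xml
<?xml version="1.0"?>
<configuration>

  <!-- Assumption: the rest of the site keeps the ASP.NET 4.0 default,
       so request validation still screens every other request. -->

  <!-- Exception limited to the Worldpay callback endpoint.
       The path is relative to the folder holding this web.config. -->
  <location path="Callback.aspx">
    <system.web>
      <!-- Turn off the XSS request filter for this page only. -->
      <pages validateRequest="false"
             enableEventValidation="false"
             viewStateEncryptionMode="Always" />
      <!-- Without the 2.0 mode, ASP.NET 4.0 validates the request
           before the page-level setting above is consulted. -->
      <httpRuntime requestValidationMode="2.0" />
    </system.web>
  </location>

</configuration>
```

With validation off for this path, the POST fields reach Callback.aspx unfiltered, so any value the page writes into HTML or an email should be HTML-encoded by the page code.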
Worldpay Setup (Kartris User Guide)
ASP.NET 4.0 breaking changes