From e822824d8b012bbadd06c31f410dbe2bdf65f543 Mon Sep 17 00:00:00 2001 From: Christian Grothoff Date: Sun, 9 Aug 2020 13:17:33 +0200 Subject: move order-ID into cookie --- design-documents/007-payment.rst | 26 ++++++++++++++------------ 1 file changed, 14 insertions(+), 12 deletions(-) (limited to 'design-documents/007-payment.rst') diff --git a/design-documents/007-payment.rst b/design-documents/007-payment.rst index a4091cb0..89aae5de 100644 --- a/design-documents/007-payment.rst +++ b/design-documents/007-payment.rst 
@@ -179,23 +179,25 @@ Covered Scenarios It will then prove the payment of the **old** order ID under the **new** session ID. -Problematic Scenarios ---------------------- +* **Bookmarks of Lost Purchases / Social Sharing of Fulfillment URLs** + + FIXME: explain how we covered this by moving order ID into session cookie! + Let's say I bought some article a few months ago and I lost my wallet. I still have the augmented fulfillment URL + for the article bookmarked. When I re-visit the URL, I will be prompted via QR code, but I can *never* prove + that I already paid, because I lost my wallet! -Bookmarks of Lost Purchases / Social Sharing of Fulfillment URLs -^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ + In this case, it might make sense to include some "make new purchase" link on the client order status page. + It's not clear if this is a common/important scenario though. -Let's say I bought some article a few months ago and I lost my wallet. I still have the augmented fulfillment URL -for the article bookmarked. When I re-visit the URL, I will be prompted via QR code, but I can *never* prove -that I already paid, because I lost my wallet! + But we might want to make clear on the client order status page that it's showing a QR code for something + that was already paid. -In this case, it might make sense to include some "make new purchase" link on the client order status page. -It's not clear if this is a common/important scenario though. + The same concern applies when sending the fulfillment URL of a paid paywalled Web resource to somebody else. -But we might want to make clear on the client order status page that it's showing a QR code for something -that was already paid. -The same concern applies when sending the fulfillment URL of a paid paywalled Web resource to somebody else. + +Problematic Scenarios +--------------------- The Back Button ^^^^^^^^^^^^^^^ -- cgit v1.2.3
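Review bot: The bullet added under Covered Scenarios ships with "FIXME: explain how we covered this by moving order ID into session cookie!" in place of the explanation, while the paragraphs moved in beneath it still describe the unresolved problem ("I can *never* prove that I already paid, because I lost my wallet!"). As written, the document files the scenario as covered but only argues that it is problematic. Either replace the FIXME with the actual mechanism before merging (what the session cookie holds, and what a visitor who arrives via a bookmarked or shared fulfillment URL without that cookie now sees), or keep the scenario under Problematic Scenarios until that text exists. The sentences "It's not clear if this is a common/important scenario though." and "But we might want to make clear on the client order status page that it's showing a QR code for something that was already paid." read as open questions and should be resolved or dropped once the scenario is claimed as covered. The shared-URL case in the last sentence also deserves its own statement of the expected behaviour, because the recipient is a different party from the original buyer, so "the same concern applies" does not say whether they are supposed to be prompted for a new purchase.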