Last week we found that our affiliate tracking endpoint was logging clicks correctly but failing to attribute purchases. The cause was subtle: server-side session held the affiliate code, but the purchase flow read from a cookie that was never set.
Two-line fix in AffiliateController@track: set the mp_aff cookie alongside the session. Now attribution survives across browser restarts and incognito sessions.
The lesson: end-to-end test attribution chains in production-like conditions. Unit tests that mock the session pass even when the real flow is broken.