Question

Reading PayPal developer documentation (and this is a lot of documentation) I'm not sure if IPN is mandatory or I can simply ignore it.

Of course, I must implement some other mechanism in order to know if the payment was correct. I thought of doing something like this:

  • Create a new payment (via web service) with a different code in both returnUrl and cancelUrl. These codes are generated randomly for every payment and stored in the DB.

  • When the user finishes the payment (OK or KO), PayPal will redirect its page to my site and I will be able to know if the code is correct.

  • If there is a problem (user closes the window, the response doesn't arrive, codes don't match...), it will be handled manually by looking at the transactions on the PayPal site.

Do you think this is ok?

Thanks.

Solution

No, I think that sounds awful.

The user could skip the payment step and simply edit together your required URL, then paste it into the browser address bar. That would give them free product.

You can use the PayPal SOAP APIs to verify the transaction once you receive the URL. You merely can't trust that URL blindly the second you receive it.

You'll need to be careful not to allow users to send you the URL of some other person's payment, and receive the product twice for that payment. (Once to real payee, once to fraudster...)

It's important that you verify that you were paid the correct amount. (Assuming you care that you were paid the correct amount.)

In general, when you interface with PayPal, whatever method you use, it is important that you understand software security and threat modelling. Otherwise, there is really only a small chance you will be secure from fraud.

OTHER TIPS

PayPal have designed their system to be as logically secure as they think it can be. I would not start redesigning a system they have spent a long time developing and thinking about. You're just ignoring so many security features that are there for your benefit.

For one, if those two keys are ever accessible in raw format client-side at any point, you have an easily hackable system. Simply click through to the PayPal payment page, then type the return address in your browser without actually paying; your system is going to treat it as a valid transaction unless you manually check for yourself before dispatching the goods (for e-goods it would be too late though).

Or the hacker can guess the return key. It's going to have to be long and highly randomised; if it's an incrementing key you again have a super easily hackable system.

For verifying a payment IPN is essential. Don't take shortcuts, do it right when there is money involved.
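Both answers above make the same point from different angles: the return URL may only identify an order, never prove payment, and the proof has to come from PayPal itself, either by calling the transaction API or by validating an IPN message. The following is an added example (not code from the question or either answer) that puts the checks both answers ask for into one server-side chokepoint: unguessable per-order tokens, a verified "Completed" status, the receiver account, the exact amount and currency, and a record of redeemed transaction IDs so one payment cannot be used twice. It is self-contained: `fake_lookup` and `fake_postback` are constructed stand-ins for the real PayPal transaction-details API call and the IPN validation POST, the `SAMPLE_TXNS` table is invented data, and the merchant e-mail, field names and `custom` order-id convention are assumptions.

```python
import secrets
from dataclasses import dataclass
from decimal import Decimal, InvalidOperation
from typing import Optional
from urllib.parse import parse_qsl

MY_RECEIVER_EMAIL = "merchant@example.com"  # assumption: the PayPal account that must be paid


@dataclass
class Order:
    order_id: str
    amount: Decimal
    currency: str
    return_token: str
    cancel_token: str
    status: str = "pending"          # pending -> paid
    txn_id: Optional[str] = None


# In-memory stand-ins for the database tables (constructed for the example).
ORDERS: dict = {}           # order_id -> Order
TOKENS: dict = {}           # return_token -> order_id
REDEEMED_TXNS: set = set()  # PayPal txn_ids that have already bought something


def create_order(order_id, amount, currency):
    """New order with two 256-bit random tokens: neither guessable nor incrementing."""
    order = Order(order_id, Decimal(amount), currency,
                  secrets.token_urlsafe(32), secrets.token_urlsafe(32))
    ORDERS[order_id] = order
    TOKENS[order.return_token] = order_id
    return order


def return_url(order):
    return "https://shop.example.com/paypal/return?t=" + order.return_token


REQUIRED = ("txn_id", "payment_status", "mc_gross", "mc_currency", "receiver_email")


def settle(order, txn):
    """Single chokepoint for fulfilment: every field a fraudster could influence is checked here."""
    if not txn or any(k not in txn for k in REQUIRED):
        return False, "no transaction data"
    if txn["payment_status"] != "Completed":
        return False, "payment not completed"
    if txn["receiver_email"] != MY_RECEIVER_EMAIL:
        return False, "paid to someone else"
    try:
        paid = Decimal(txn["mc_gross"])
    except InvalidOperation:
        return False, "unparseable amount"
    if paid != order.amount or txn["mc_currency"] != order.currency:
        return False, "amount/currency mismatch"
    if txn["txn_id"] in REDEEMED_TXNS:        # someone else's, or an already used, payment
        return False, "transaction already redeemed"
    if order.status != "pending":
        return False, "order already settled"
    REDEEMED_TXNS.add(txn["txn_id"])          # real DB: one transaction plus a unique index on txn_id
    order.status, order.txn_id = "paid", txn["txn_id"]
    return True, "ok"


def handle_return(token, txn_id, lookup):
    """Browser redirect path: the token only names the order; PayPal is asked whether it was paid."""
    order_id = TOKENS.get(token)
    if order_id is None:
        return False, "unknown token"
    return settle(ORDERS[order_id], lookup(txn_id))


def handle_ipn(raw_body, postback):
    """IPN path: echo the raw body back to PayPal with cmd=_notify-validate, accept only VERIFIED."""
    if postback("cmd=_notify-validate&" + raw_body) != "VERIFIED":
        return False, "IPN not verified by PayPal"
    fields = dict(parse_qsl(raw_body, keep_blank_values=True))
    order = ORDERS.get(fields.get("custom", ""))   # assumption: 'custom' carries our order id
    if order is None:
        return False, "unknown order"
    return settle(order, fields)


# Constructed stand-in for what PayPal knows: two completed payments to our account.
SAMPLE_TXNS = {
    "5TY05013RG002845M": {"txn_id": "5TY05013RG002845M", "payment_status": "Completed",
                          "mc_gross": "10.00", "mc_currency": "EUR", "receiver_email": MY_RECEIVER_EMAIL},
    "2AB12345CD678901E": {"txn_id": "2AB12345CD678901E", "payment_status": "Completed",
                          "mc_gross": "25.00", "mc_currency": "EUR", "receiver_email": MY_RECEIVER_EMAIL},
}


def fake_lookup(txn_id):
    """Assumption: stands in for a real transaction-details API call against PayPal."""
    return SAMPLE_TXNS.get(txn_id)


def fake_postback(body):
    """Assumption: stands in for the HTTPS POST of the IPN body to PayPal's validation endpoint."""
    fields = dict(parse_qsl(body.removeprefix("cmd=_notify-validate&"), keep_blank_values=True))
    known = SAMPLE_TXNS.get(fields.get("txn_id", ""))
    return "VERIFIED" if known and all(fields.get(k) == v for k, v in known.items()) else "INVALID"
```

Pasting a return URL without paying fails at `settle` because the lookup finds no completed transaction; handing in another customer's transaction ID fails on the amount check or on `REDEEMED_TXNS`; and an IPN whose body was altered in transit is rejected by PayPal's own postback before any field is trusted.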

Licensed under: CC-BY-SA with attribution