•  30-05-2022
  •  | 
  •  

Question

Summary: I want to use the returnUrl as a proof that the transaction has been accepted by PayPal.

I'm implementing a very basic purchase workflow based on PayPal.

Everything works nice, the User clicks on pay, the User goes to PayPal, PayPal sends the User to my returnURL... and I'm accepting the payment in this last step.

I know I would have to implement an IPN endpoint and accept the payment there, but this project is very basic and I'm too old or too lazy to implement all this asynchronous behavior which can be a hell of edge-cases.

Would be nice if I would just make the returnUrl more confident, difficult to fake.

I was thinking that there would be the possibility that in the returnURL there would be included a checksum signature based in a secret key stored in the PayPal account and in the actual transaction token

I don't know if this exists, I didn't find any of this into the documentation, any suggestion to make the returnUrl more confident is welcome.

Also if someone thinks I'm completely wrong and the returnUrl is never gonna be a proof that the transaction has been accepted please express your self.

Was it helpful?

Solution

When you're just doing the return URL you need to post to PayPal again to verify the transaction using your PDT token.

Say your return URL is Thanks.aspx:

"From the code-behind of Thanks.aspx, you'll parse the tx value and make an HTTP POST to https://www.paypal.com/cgi-bin/webscr with the following parameters: cmd=_notify-synch&tx=[TransactionID]&at=[PDTIdentityToken]."

This will respond with whether or not that request was valid.

The problem is that this page isn't guaranteed to get hit. The user could close their browser, or their internet could get cut off, or anything else.

The IPN will be getting hit from PayPals servers, and you really can't beat that.

It's pretty easy to set up, but I suggest reading through this document which will explain the PDT and IPN methods, and gives an easy way to figure out what you need.

http://www.codeproject.com/Articles/42894/Introduction-to-PayPal-for-C-ASP-NET-developers?msg=4382854#xx4382854xx

OTHER TIPS

After completing an installation for Express Checkout I realised how it could be exploited.

Even though I am creating a unique invoice number and returning to mark that as paid, I found that it could still be exploited by a user changing the invoice parameter in the return link. Of course there were already checks to ensure that any invoice could only be paid once, but I needed to make it hack proof.

So what I finished up doing was adding some extra checks to ensure that the invoice in question was the last invoice assigned to that user. Yes, the same session ID is maintained aven after a visit to Paypal and back.

Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow
scroll top