
PayPal returnURL security


Summary: I want to use the returnUrl as a proof that the transaction has been accepted by PayPal.

I'm implementing a very basic purchase workflow based on PayPal.

Everything works nice, the User clicks on pay, the User goes to PayPal, PayPal sends the User to my returnURL... and I'm accepting the payment in this last step.

I know I would have to implement an IPN endpoint and accept the payment there, but this project is very basic and I'm too old or too lazy to implement all this asynchronous behavior, which can be a hell of edge cases.

It would be nice if I could just make the returnUrl more trustworthy and difficult to fake.

I was thinking that there would be the possibility that the returnURL would include a checksum signature based on a secret key stored in the PayPal account and on the actual transaction token.

I don't know if this exists; I didn't find any of this in the documentation. Any suggestion to make the returnUrl more trustworthy is welcome.

Also, if someone thinks I'm completely wrong and the returnUrl is never gonna be a proof that the transaction has been accepted, please express yourself.


Solution

  • When you're just doing the return URL you need to post to PayPal again to verify the transaction using your PDT token.

    Say your return URL is Thanks.aspx:

    "From the code-behind of Thanks.aspx, you'll parse the tx value and make an HTTP POST to https://www.paypal.com/cgi-bin/webscr with the following parameters: cmd=_notify-synch&tx=[TransactionID]&at=[PDTIdentityToken]."

    This will respond with whether or not that request was valid.

    The problem is that this page isn't guaranteed to get hit. The user could close their browser, or their internet could get cut off, or anything else.

    The IPN will be getting hit from PayPal's servers, and you really can't beat that.

    It's pretty easy to set up, but I suggest reading through this document, which explains the PDT and IPN methods and gives an easy way to figure out what you need.

    http://www.codeproject.com/Articles/42894/Introduction-to-PayPal-for-C-ASP-NET-developers?msg=4382854#xx4382854xx
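The PDT round trip the answer describes, written out as an added Python example (not code from the question, the answer, or the linked article). It builds the `cmd=_notify-synch&tx=...&at=...` POST, parses PayPal's reply (a first line of SUCCESS or FAIL followed by URL-encoded `key=value` lines, using PayPal's PDT variable names such as `payment_status`, `mc_gross`, `txn_id`), and then checks the confirmed transaction against the order before accepting it. The `https_post` transport, the `verify_return` checks and the `post` parameter for injecting a canned reply are this example's own assumptions.

```python
from decimal import Decimal, InvalidOperation
from typing import Callable, Dict, Optional, Set
import urllib.parse
import urllib.request

PAYPAL_PDT_URL = "https://www.paypal.com/cgi-bin/webscr"  # endpoint named in the answer

def pdt_request_body(tx: str, pdt_token: str) -> bytes:
    """Form body from the answer: cmd=_notify-synch&tx=[TransactionID]&at=[PDTIdentityToken]."""
    return urllib.parse.urlencode({"cmd": "_notify-synch", "tx": tx, "at": pdt_token}).encode()

def https_post(url: str, body: bytes) -> str:
    """Live transport (this example's own helper): a plain form POST, reply read as text."""
    req = urllib.request.Request(url, data=body, method="POST")
    with urllib.request.urlopen(req, timeout=15) as resp:
        return resp.read().decode("utf-8", "replace")

def parse_pdt_response(text: str) -> Optional[Dict[str, str]]:
    """PDT reply: line 1 is SUCCESS or FAIL, then one URL-encoded key=value pair per line."""
    lines = text.strip().splitlines()
    if not lines or lines[0].strip() != "SUCCESS":
        return None
    fields: Dict[str, str] = {}
    for line in lines[1:]:
        key, _, value = line.partition("=")
        fields[urllib.parse.unquote_plus(key)] = urllib.parse.unquote_plus(value)
    return fields

def verify_return(tx: str, pdt_token: str, expected_amount: str, expected_currency: str,
                  receiver_email: str, seen_txn_ids: Set[str], post: Callable[[str, bytes], str] = https_post) -> bool:
    """Accept the order only if PayPal confirms tx AND the details match what was sold."""
    fields = parse_pdt_response(post(PAYPAL_PDT_URL, pdt_request_body(tx, pdt_token)))
    if fields is None:                                   # FAIL, or not a PDT reply at all
        return False
    if fields.get("payment_status") != "Completed":      # Pending/Reversed/Refunded is not paid
        return False
    if fields.get("receiver_email", "").lower() != receiver_email.lower():
        return False                                     # a real payment, but to another account
    try:
        paid = Decimal(fields.get("mc_gross", ""))
    except InvalidOperation:
        return False
    if paid != Decimal(expected_amount) or fields.get("mc_currency") != expected_currency:
        return False                                     # wrong price or currency
    txn_id = fields.get("txn_id", "")
    if not txn_id or txn_id in seen_txn_ids:             # same tx replayed against another order
        return False
    seen_txn_ids.add(txn_id)                             # persist this in a real deployment
    return True
```

The "tx" value comes from the query string of the return URL, and the PDT identity token from the seller's account settings; without the amount, currency, receiver and txn_id checks, a valid but unrelated transaction would still pass.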