Tags: security, paypal, paypal-ipn, verification, paypal-buttons

PayPal button return url usage


I've got a PayPal HTML button on my site which should return back to my website with data. My understanding is that there's a return url (with a return method) and a notify url which can do this. The notify url requires an IPN listener which seems like it does a verification check, which is good. I'm not seeing any such verification check for the return url, but it seems like I would want to update the return url based on the result from a verification check in most cases (e.g. whether the payment was successful). Moreover, I need to know PayPal actually requested the return url to update the db, otherwise this seems to open the door to CSRF attacks via the return url.

I'm new to PayPal buttons, but I've not seen anything about using notify url and return url together. So what should I be doing in order to resolve these concerns with the return url?


Solution

  • To relieve the confusion:

    1. The return_url just names the page of your webapp you want to return to when the Paypal process is completed. There is also a cancel_url which can be used if you want a separate page for user cancels. Returning to the return_url does not mean that you have the money. It does mean the customer has completed the Paypal transaction, but there could be funding delays and there could be an eventual payment failure, so don't count your chickens yet.

    2. The notify_url is the URL of a POST handler in your webapp. Not a page. The POST handler should perform the verification step you mentioned, then it should examine the txn_type and other variables to see what is being notified. It could be a payment, subscription, termination, payment failure, reversal, cancelled reversal ... Only some of these transaction types mean that you have actually received money from the customer.

    "I need to know PayPal actually requested the return url to update the db"

    Not in the slightest. Take no business actions here.

    • On the return_url page you should thank them for their business and tell them the action/purchase/subscription etc. that they requested will be finalized once the Paypal payment process is complete.

    • The notify_url handler should handle all the business actions associated with receiving a payment, getting a reversal, subscription cancellation, etc. The return_url and cancel_url pages should not do any of that. No money => no action yet.
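The notify_url handler the answer describes, written out as an added example (this is not code from the question, the answer, or PayPal). It echoes the raw POST back to PayPal's real IPN postback endpoint with `cmd=_notify-validate` prepended and waits for `VERIFIED`, then checks `receiver_email`, the amount against the shop's own order record, `txn_id` for duplicates, and `payment_status`, acting only on `Completed`. The receiver address `seller@example.com`, the `orders` mapping keyed by the `invoice` field, the `ORDERS`/`SAMPLE_IPN` data and the `fake_postback` stand-in are assumptions constructed so the module runs offline.

```python
"""IPN (notify_url) listener skeleton; added example, not from the page or from PayPal.

Assumed for this example: EXPECTED_RECEIVER (your PayPal account email) and the
`orders` mapping from your own invoice number to the amount you charged. Both are
placeholders for whatever your shop actually stores.
"""
from urllib.parse import parse_qsl
from urllib.request import Request, urlopen

# PayPal's IPN postback endpoints (live and sandbox). The handler echoes every
# message back here and PayPal answers with the text VERIFIED or INVALID.
IPN_VERIFY_URL = "https://ipnpb.paypal.com/cgi-bin/webscr"
IPN_SANDBOX_VERIFY_URL = "https://ipnpb.sandbox.paypal.com/cgi-bin/webscr"

EXPECTED_RECEIVER = "seller@example.com"  # assumption: your PayPal account email

# Only this payment_status means the money is actually in your account.
# Pending, Reversed, Refunded, Denied, Failed ... all mean "no money => no action".
FUNDS_RECEIVED = {"Completed"}


def postback_to_paypal(raw_body: bytes, verify_url: str = IPN_VERIFY_URL) -> str:
    """Echo the raw POST body to PayPal prefixed with cmd=_notify-validate.

    Send the bytes exactly as received: re-encoding the parsed fields can change
    their order or escaping, and PayPal then answers INVALID.
    """
    req = Request(
        verify_url,
        data=b"cmd=_notify-validate&" + raw_body,
        headers={"Content-Type": "application/x-www-form-urlencoded",
                 "User-Agent": "example-ipn-listener/1.0"},
        method="POST",
    )
    with urlopen(req, timeout=30) as resp:
        return resp.read().decode("ascii", "replace").strip()


def handle_ipn(raw_body: bytes, seen_txn_ids: set, orders: dict,
               postback=postback_to_paypal) -> dict:
    """Decide what one IPN POST means; business actions happen only on 'fulfil'.

    `postback` is injectable so the decision logic can be exercised offline.
    """
    # 1. Verification proves PayPal sent this message, nothing more.
    if postback(raw_body) != "VERIFIED":
        return {"action": "ignore", "reason": "postback not VERIFIED"}

    params = dict(parse_qsl(raw_body.decode("utf-8"), keep_blank_values=True))
    txn_type = params.get("txn_type", "")
    status = params.get("payment_status", "")
    txn_id = params.get("txn_id", "")
    invoice = params.get("invoice", "")

    # 2. A genuine PayPal message, but is it addressed to *your* account?
    if params.get("receiver_email", "").lower() != EXPECTED_RECEIVER.lower():
        return {"action": "ignore", "reason": "receiver_email mismatch"}

    # 3. Reversals, refunds, pending payments etc. are recorded, never acted on.
    if status not in FUNDS_RECEIVED:
        return {"action": "record_only", "txn_type": txn_type, "payment_status": status}

    # 4. Does the amount match what you charged for this order?
    expected = orders.get(invoice)
    if expected is None or (params.get("mc_gross"), params.get("mc_currency")) != expected:
        return {"action": "ignore", "reason": "unknown invoice or amount mismatch"}

    # 5. PayPal resends an IPN until it gets a 200; never credit one txn_id twice.
    if txn_id in seen_txn_ids:
        return {"action": "ignore", "reason": "duplicate txn_id"}

    seen_txn_ids.add(txn_id)
    return {"action": "fulfil", "txn_id": txn_id, "txn_type": txn_type,
            "invoice": invoice, "amount": params.get("mc_gross"),
            "currency": params.get("mc_currency")}


# Constructed sample data so the module runs offline; not a real IPN capture.
ORDERS = {"INV-1001": ("12.00", "USD")}
SAMPLE_IPN = (b"txn_type=web_accept&payment_status=Completed&txn_id=TXN-EXAMPLE-1"
              b"&receiver_email=seller%40example.com&mc_gross=12.00&mc_currency=USD"
              b"&invoice=INV-1001")


def fake_postback(answer: str):
    """Stand-in for postback_to_paypal that returns a fixed verdict (offline use)."""
    return lambda raw_body: answer


if __name__ == "__main__":
    seen = set()
    print(handle_ipn(SAMPLE_IPN, seen, ORDERS, postback=fake_postback("VERIFIED")))
    print(handle_ipn(SAMPLE_IPN, seen, ORDERS, postback=fake_postback("VERIFIED")))  # duplicate
    print(handle_ipn(SAMPLE_IPN, set(), ORDERS, postback=fake_postback("INVALID")))
```

In production the web framework hands `raw_body` to `handle_ipn` with the real `postback_to_paypal`, the handler answers 200 regardless of the decision (so PayPal stops retrying), and `seen_txn_ids` lives in the database rather than in memory. The return_url and cancel_url pages never call any of this; they only display a message.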