Want to win a PS4? Go Premium and enter to win our High-Tech Treats giveaway. Enter to Win

x
?
Solved

PayPal IPN and "Shared Secrets" or "Post Backs"

Posted on 2009-04-02
4
Medium Priority
?
1,343 Views
Last Modified: 2013-11-29
Half of this is just me venting so bear with me...

First of all, the PayPal documentation is a joke.  The manual page for IPN...
https://www.paypal.com/cgi-bin/webscr?cmd=p/xcl/rec/ipn-manual-outside

Directs you to this pdf...
https://www.paypalobjects.com/WEBSCR-560-20090326-1/en_US/pdf/PP_OrderManagement_IntegrationGuide.pdf

Which is nothing more than a redirect to this pdf...
https://cms.paypal.com/cms_content/en_US/files/developer/PP_OrderMgmt_IntegrationGuide.pdf

Then instead of going to the manual page, go to the technical documentation page...
https://www.paypal.com/cgi-bin/webscr?cmd=p/xcl/rec/ipn-techview-outside

Then at the bottom of that it says:
"For a complete list of all IPN variables and detailed instructions on how to use Instant Payment Notification, please refer to the Website Payments Standard Integration Guide" which is a link to this pdf instead:
https://www.paypalobjects.com/WEBSCR-560-20090326-1/en_US/pdf/PP_WebsitePaymentsStandard_IntegrationGuide.pdf

The IPN section in that doc then simply references another doc, "Order Management Integration Guide", which by title is the same doc that you eventually get to with the
"manual" page.  But guess what, it goes to a different link, which then does another redirect to here:
https://cms.paypal.com/us/cgi-bin/?cmd=_render-content&content_ID=developer/library_documentation

Are you kidding me?  This creates a real problem for me.  I'm not the type of developer that just codes something until it works.  Sometimes that's ok, but when were talking about securing real money, there's not much I'm willing to leave to chance and I need to know the "why" to every line of code.

That said (yes finally :) ), I'm at a sticking point.  The first document gives you the option of "shared secret" vs "post back" for IPN validation.  Shared secret was the easy choice for me as a simple salted hash gave me a perfect secret that I can generate per order plus the documentation made it sound like the prefered method.  

But then on another obscure page...
https://cms.paypal.com/us/cgi-bin/?cmd=_render-content&content_ID=developer/howto_html_instantpaymentnotif
it says:
"PayPal then sends confirmation back to your server with a single word, "VERIFIED" or "INVALID", in the body of the response. Your IPN script should then post back a 200 OK response to prevent additional attempts by PayPal to post your transaction data. If PayPal does not receive the 200 OK response from your server, PayPal will resend the notification for up to four days."

This makes it sound as though I must do the post otherwise I will continue to get IPNs.

In the end, it's not a huge deal for me to just do the post to be safe, but I was hoping that somebody might be able to offer some real clarification to paypals pile of garbage documentation.  If not, I'd say go with google checkout instead :P.
0
Comment
Question by:b_levitt
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 2
  • 2
4 Comments
 
LVL 29

Expert Comment

by:David H.H.Lee
ID: 24057892
Hi b_levitt,
I'm merely getting mad about paypal integration initially. But, I've wiped out my doubt after i meet this article:
http://www.west-wind.com/presentations/PayPalIntegration/PayPalIntegration.asp
Give yourself sometime to go through each of explained before start the Paypal integration regarding the guidelines that conveyed there. I'm sure you'll get better free Paypal.net component from Google, but take that as starter and it is really good explained for apprentice in Paypal integration.




0
 
LVL 11

Author Comment

by:b_levitt
ID: 24059966
thanks x_com.

Ironically, I emailed Rick directly a couple weeks ago.  And yes he does provide a complete solution using IPN post-backs.  However, my question is do I NEED to do a postback?  The documentation seems to say that shared secrets are a replacement, but other documentation seems to say the contrary.  In the end I'm just going to do the shared secret AND the post-back for the sake of wrapping this up.  But I was still hoping to find somebody with a definitive answer.
0
 
LVL 29

Accepted Solution

by:
David H.H.Lee earned 1500 total points
ID: 24074187
Hi b_levitt,
It depend your architecture design for "postback" or "shared secret" solution. If the solution is using "shared secret", those security's information may be prone for hijack issue since the posted information is exposed in the querystirng. I'll say go for "postback" solution since the posted information can be embedded and secured before user continue the final payment in paypal's site based on agreed posted payment particular. I'm sure you can find this mentioned in Rick's solution.

Check this site for further clarification:
http://www.pdncommunity.com/pdn/board/message?board.id=ipn&thread.id=13124
http://www.pdncommunity.com/pdn/board/message?board.id=ipn&message.id=17519

0
 
LVL 11

Author Comment

by:b_levitt
ID: 24077333
Thanks x_com.

That second post gave me my answer.  I thought postback was a requirement to stop the IPNs, and it turns out it is not.  So shared secrets is what I'm going to use.  I'm not worried about hijacking.  I have a salted hash (sha256) digest that is unique per order and will be very secure.
0

Featured Post

Ask an Anonymous Question!

Don't feel intimidated by what you don't know. Ask your question anonymously. It's easy! Learn more and upgrade.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Today, the web development industry is booming, and many people consider it to be their vocation. The question you may be asking yourself is – how do I become a web developer?
While opting for any web-to-print solution, you need to discuss with your team and some of your end users and know their opinions about your decisions. In this article we list down some questions you need to ask yourself.
This tutorial demonstrates how to identify and create boundary or building outlines in Google Maps. In this example, I outline the boundaries of an enclosed skatepark within a community park.  Login to your Google Account, then  Google for "Google M…
This tutorial will teach you the core code needed to finalize the addition of a watermark to your image. The viewer will use a small PHP class to learn and create a watermark.
Suggested Courses

596 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question