
For example:

Users go to buy a product on a website; they go to PayPal checkout, and after checkout PayPal sends them to success.html.

Is it possible to ONLY allow access to success.html from PayPal.com, and to set up a redirect for anyone who tries to type in index/success.html directly?

socialenvy
  • https://github.com/paypal/ipn-code-samples – Pedro Lobito Oct 11 '15 at 12:05
  • Check for the referer header? – frz3993 Oct 11 '15 at 12:06
  • We can avoid it by validating the transaction id which would be sent by PayPal – kannan Oct 11 '15 at 12:08
  • You can only do this on client side. So it means you will use javascript. You can see your solution on this answer: http://stackoverflow.com/a/5788206/2104879 – mertyildiran Oct 11 '15 at 12:09
  • Though such configuration is possible based on the "referrer uri" it is highly insecure, since every noob can easily forge that. You need session management with authentication in some form, no way around that. – arkascha Oct 11 '15 at 12:09
  • I would not use Javascript for this. You should start by converting success.html to php and check if Paypal is sending you authentication parameters. Then if the request does not authenticate, redirect. – Edward Oct 11 '15 at 12:17

1 Answer

You can check the session when the user returns to the success.html page. If you can't cross reference a payment for this session, you could then display an error or redirect the user.

When you use PayPal as a payment provider they will normally send a separate request to a different URL on your site verifying the payment, which you can then cross reference when the user hits success.html to ensure that the user really has paid.

If you don't have this set up in your paypal settings, there is nothing to stop a user, or some device crawling after the user, from hitting the page.

Using the referer HTTP header is unreliable as it can be spoofed and many privacy-related browser extensions will either remove it or set it to an unrelated URL.

Dezza
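The pattern the answer describes, as an added example that is not part of the original post or of PayPal's own samples: the site records an order for the visitor's session, the provider's separate server-to-server notification (PayPal's IPN) creates a verified payment record for that order, and success.html renders only when the session's order has such a record. The Referer header is never consulted. The field names txn_id, payment_status, mc_gross, mc_currency and custom follow PayPal IPN; the `verify_with_provider` callback is an assumption that stands in for the postback to PayPal's validation endpoint so the example runs offline, and the Store class is a constructed in-memory stand-in for a database.

```python
# Added example: gate success.html on a verified, session-linked payment.
from dataclasses import dataclass, field
from decimal import Decimal, InvalidOperation
import secrets


@dataclass
class Store:
    """In-memory stand-in for the site's database (constructed for the example)."""
    sessions: dict = field(default_factory=dict)   # session_id -> order_id
    orders: dict = field(default_factory=dict)     # order_id -> (amount, currency)
    payments: dict = field(default_factory=dict)   # order_id -> txn_id, once verified
    seen_txn: set = field(default_factory=set)     # every txn_id already processed


def create_order(store, session_id, amount, currency):
    """Record what this session is about to pay for.

    The order id is what the site passes to PayPal in the 'custom' field so the
    notification can be tied back to this session's order.
    """
    order_id = secrets.token_urlsafe(16)
    store.orders[order_id] = (Decimal(amount), currency)
    store.sessions[session_id] = order_id
    return order_id


def handle_payment_notification(store, notification, verify_with_provider):
    """Listener for the provider's separate verification request (IPN style).

    verify_with_provider(notification) -> bool is an assumed hook that models the
    postback to PayPal which must answer VERIFIED; it is injected so the example
    runs offline. Every check rejects before any state is written.
    """
    if not verify_with_provider(notification):
        return "REJECTED: provider did not verify"
    if notification.get("payment_status") != "Completed":
        return "IGNORED: payment not completed"
    txn_id = notification.get("txn_id")
    if not txn_id or txn_id in store.seen_txn:
        return "IGNORED: missing or replayed txn_id"
    order_id = notification.get("custom")
    order = store.orders.get(order_id)
    if order is None:
        return "REJECTED: unknown order"
    try:
        paid = Decimal(notification.get("mc_gross", ""))
    except InvalidOperation:
        return "REJECTED: bad amount"
    amount, currency = order
    if paid != amount or notification.get("mc_currency") != currency:
        return "REJECTED: amount or currency mismatch"
    store.seen_txn.add(txn_id)
    store.payments[order_id] = txn_id
    return "OK"


def success_page(store, session_id):
    """What the success.html handler returns as (status, location_or_body).

    Only a verified payment cross-referenced through the session lets the page
    render; anyone else, whatever their Referer says, is redirected.
    """
    order_id = store.sessions.get(session_id)
    if order_id is None or order_id not in store.payments:
        return (302, "/checkout-error.html")
    return (200, f"Thanks, payment {store.payments[order_id]} received")


if __name__ == "__main__":
    store = Store()
    order = create_order(store, "sess-A", "19.99", "USD")
    print("before notification:", success_page(store, "sess-A"))
    # Constructed notification in IPN field style; a real one arrives as a POST
    # from PayPal and is verified by posting it back to PayPal.
    notification = {"txn_id": "TXN-EXAMPLE-1", "payment_status": "Completed",
                    "mc_gross": "19.99", "mc_currency": "USD", "custom": order}
    print("listener:", handle_payment_notification(store, notification, lambda n: True))
    print("after notification:", success_page(store, "sess-A"))
    print("other session:", success_page(store, "sess-B"))
```

The amount and currency comparison matters as much as the verification itself: a verified notification for a different (smaller) payment must not unlock the order, and the seen_txn set stops a replayed notification from being counted twice.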