Posted 01 November 2002 - 06:37 PM
After reading much of the material available on single, basket and IPN based transactions I have a few concerns/questions.
It is my understanding customer X does a POST to paypal from the web site of merchant Y. The form data in that post came from merchant Y's website as described in countless examples. Customer X then logs into paypal and initiates a payment for the goods/services. Merchant Y then receives an IPN call regarding the transaction.
1. What is preventing Customer X from spoofing a POST call to paypal for the goods/services, but with significantly lower prices? say $1 for a $300 item?
2. When paypal sends the IPN call to merchant Y, that seems to be the opportunity to validate the transaction. Assuming the merchant validates the transaction how does it tell paypal something is wrong? Every example provided, or talked about seems to imply that paypal is the *only* authority on validating a transaction. It seems logical that customer X, Paypal and merchant Y, all need to validate the transaction before it becomes "valid"... correct? How is this supposed to work?
3. How many times does paypal attempt IPN and if multiple times, how much time in between?
4. What happens if paypal never completes the IPN call? Servers occasionally go down, and in the off chance a would-be buyer posts just as the merchant's server goes offline... how does the process handle that situation?
As mentioned, I am new to paypal so forgive my ignorance on the subject. Perhaps I overlooked a document or two.
Posted 02 November 2002 - 12:41 PM
Right, paypal receives the POST from the customer, and the merchant receives the IPN call from paypal. Paypal requires the merchant to then POST back with the encrypted data to complete the cycle. That I understood.
You mostly answered my first question regarding the price check, although it seems the merchant is provided the data in a not so ideal form - although workable.
You also answered (and I saw on another post) what IPN does if it does not receive an HTTP-200 reply, it tries again. I read it's up to 30 times with increasing time gaps as you indicated - thanks.
The part I still don't understand is how the merchant who doesn't like the transaction "rejects" it. From your message it seems the merchant would need to ignore the IPN call 30 times spanned over what is most likely a multi-day period. It appears the IPN call only accepts an HTTP-200 reply, and it views an HTTP-200 reply as merchant acceptance. I hope that is not the case, can you clarify that part for me? That's the part I'm having the most trouble with.
One more thing, when should the merchant perform the price-check, when it receives the IPN or when it receives the reply to the post-back? It seems my two questions are tied together, does the merchant send an error response after a successful post-back? If not when?
Posted 03 November 2002 - 11:24 AM
1. customer sends POST to paypal
2. paypal sends POST to merchant's IPN page
3. merchant prepares POST-back data
4. merchant sends POST-back to paypal
5. merchant receives validation response from paypal
6. merchant (optionally) sends email to customer
7. merchant ends initial IPN page post with HTTP-200
8. paypal receives the HTTP-200 and completes transaction
Based on your comments, at #3 the merchant reviews the data such as a price check. In the event the price check fails, does the merchant skip steps 4 through 6 and just continue at #7? or do something different?
Shannon, in your last message I thought you indicated to do all 8 steps for successes and failures, with one difference - send the customer an email about a problem. To me that would imply there is no way for the merchant to reject the transaction other than email intervention after the fact. I do not believe that is what you meant to say - I hope.
I do understand that once #7 and #8 are complete, paypal will stop sending IPN posts for that specific transaction. I am now focused on the behavior of the post-back in #'s 4,5, and 6.
Sorry to be such a pest about this, but there are no decent sequence diagrams available on the subject. None of the examples show handling errors, or talk about the system's points of failure.
Posted 05 November 2002 - 09:18 AM
It's not the answer I was hoping for, but it does explain things.
IPN is strictly notification after the fact, and does not support merchant participation in the transaction. Issues are to be resolved by the merchant in a manual process.
I may have overlooked this in the PayPal documentation.
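
The merchant-side handling this thread converges on, as an added example that is not part of the thread and not PayPal's own code: the IPN page posts the data back for verification, checks the paid amount against the merchant's own price list, always acknowledges with HTTP 200, and holds mismatches for manual resolution. The catalogue, e-mail address, sample IPN body and the injected `send_postback` callable are constructed for illustration; the field names are assumed to be the standard IPN variables.

```python
from decimal import Decimal
from urllib.parse import parse_qsl

# Constructed merchant-side data: item number -> (price, currency).
CATALOGUE = {"SKU-300": (Decimal("300.00"), "USD")}
MERCHANT_EMAIL = "sales@merchant.example"
SEEN_TXNS = set()  # txn_ids already handled; IPN is retried, so expect repeats
# Constructed IPN body for a $300 item whose form was altered to charge $1.
SAMPLE_TAMPERED = (
    "txn_id=TEST123&payment_status=Completed&receiver_email=sales%40merchant.example"
    "&item_number=SKU-300&mc_gross=1.00&mc_currency=USD"
)


def build_postback(raw_body):
    """Echo the IPN body back unchanged, prefixed with the validate command."""
    return "cmd=_notify-validate&" + raw_body


def handle_ipn(raw_body, send_postback):
    """Return (http_status, decision) for one IPN call.
    send_postback is injected so the example runs offline; in production it
    would POST the post-back body to PayPal and return the reply text."""
    fields = dict(parse_qsl(raw_body, keep_blank_values=True))
    # Only PayPal's reply to the post-back shows the IPN was not forged.
    if send_postback(build_postback(raw_body)).strip() != "VERIFIED":
        return 200, "ignore:not-verified"
    txn = fields.get("txn_id", "")
    if txn in SEEN_TXNS:
        return 200, "ignore:duplicate"
    SEEN_TXNS.add(txn)
    if fields.get("payment_status") != "Completed":
        return 200, "hold:status"
    if fields.get("receiver_email", "").lower() != MERCHANT_EMAIL:
        return 200, "hold:wrong-receiver"
    expected = CATALOGUE.get(fields.get("item_number", ""))
    try:
        paid = Decimal(fields.get("mc_gross", ""))
    except ArithmeticError:  # covers decimal.InvalidOperation
        return 200, "hold:bad-amount"
    if expected is None or (paid, fields.get("mc_currency")) != expected:
        # The $1-for-$300 case: payment already happened, so do not ship.
        return 200, "hold:price-mismatch"
    return 200, "fulfil"
```

Every branch returns 200 because the status code only acknowledges receipt of the notification; the decision string is what drives fulfilment or manual follow-up.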