When you build your DoExpressCheckoutPayment request (or other requests that may set the IPN NOTIFYURL), set the NOTIFYURL to something like:
PAYMENTREQUEST_n_NOTIFYURL=https://YOURHOST/?ipn_secret=yoursecret
Paypal then send you an IPN message with the POST method, but in the URL (and consequently in your $_GET variable), it will include your secret variable (ipn_secret in this case) that you can check to match.
As the DoExpressCheckoutPayment request went through HTTPS (SSL secured) you can be sure only Paypal and you knows the ipn_secret value.
This way you can avoid checking that the message came from an authorized source (and by source I mean their IP address pool, which they can change at any time without notice).
Of course, you still have to reply the exact message you received in the same order and wait for the VERIFIED or INVALID strings, but by doing this you can avoid to connect to their servers each time you get a fake message from someone who is NOT Paypal (spambots and the like) preventing a denial of service on your server because you HAVE to connect and send the message to validate it.
Hopefully this will help someone, since I didn't saw anything in the IPN documentation or the forums regarding this issue.
Carlos
No comments:
Post a Comment