On Sun, Jul 3, 2011 at 9:17 PM, Kirk Bailey <kbai...@howlermonkey.net> wrote:

> ok, here's the deal; we sent someone to the PayPal site for their purchase;
> the site will use the PayPal shopping cart. When they come back, there needs
> to be a way to identify the product and the transaction so they can get the
> product ONCE. Now for a single purchase, we can just send them to
> (productname)thankyou.php and attach a magic cookie to the url as a query
> string. This magic cookie can only be used once. THIS WILL NOT WORK IF WE
> it only works with a buynow button for one only product.
> This kind of functionality, if worked out in detail, will lend itself to
> being adapted to MANY sorts of Eproducts, so I think there's an argument to
> be made that this is of benefit to a significant segment of the php
> community. Well, at least those of us who like to get paid reliably, and not
> get ripped off.
> As for one time only with buynow buttons:
> Send the customer to paypal with a cookie from the top of a list. When they
> come back, read the list's first entry. If it's there, make the download
> link available. The download is in a secured directory, a la Apache's
> directory securing methods. GIVE THEM THE PASSWORD. The user name is the
> magic cookie; tell them this. When they go to that page, Apache demands the
> user name and password, which they give, and the page then (thanks to the
> query string having the item name) makes a download link available. This
> page also deletes that magic cookie from the list of them, so it can never be
> used again.
> Discussion?

Only allowing them to access the URL once is a bad idea. If their download
fails, is corrupt, or any number of other things go wrong (think
accelerators, browser accelerators, etc) then you end up with a lot of
support mail. Better to give them access for a short period of time.

Personally I would generate a unique token linked to their account, or if no
user system exists then link it to their order number. Stick that in a URL
and forward them to it. That URL shows them the thanks page and links to
download the product(s). Each of those links also contains the token. Expire
that token after 24 hours, and on the page telling them it's expired give
them a way to contact you just in case they haven't successfully downloaded
the product yet.

There is no need to use cookies. There is no need to use basic
authentication (which is a horrible user experience). They come back from
PayPal to a script that sets up their unique URL, then you take them to that
URL. KISS it - the more complicated you make this the worse the user
experience will be and it won't be any more secure than a time-limited
unique token as described above.


Stuart Dallas
3ft9 Ltd
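A minimal sketch of the time-limited token scheme described in the reply above, added here as an example that is not code from the thread or from either poster. The in-memory `$store` array (standing in for an orders table), the `download.php` path and the `ORD-1234` order number are assumptions.

```php
<?php
declare(strict_types=1);

// Added example, not code from the thread. The token store is an in-memory
// array standing in for the orders table the reply implies.
const TOKEN_TTL = 24 * 60 * 60;   // expire after 24 hours, as the reply suggests

/** Create a token bound to an order number; call this from the PayPal return script. */
function issueToken(array &$store, string $orderId, int $now): string
{
    $token = bin2hex(random_bytes(32));                 // 64 hex chars from the CSPRNG
    $store[$token] = ['order' => $orderId, 'expires' => $now + TOKEN_TTL];
    return $token;
}

/** Resolve a token from the query string: 'ok' (with order), 'expired', or 'invalid'. */
function resolveToken(array $store, string $token, int $now): array
{
    if (!preg_match('/^[0-9a-f]{64}$/', $token) || !isset($store[$token])) {
        return ['status' => 'invalid'];                  // malformed or never issued
    }
    $row = $store[$token];
    if ($now > $row['expires']) {
        return ['status' => 'expired'];                  // page offers the contact route
    }
    return ['status' => 'ok', 'order' => $row['order']];
}

/** Build a download link that carries the token (download.php is an assumed path). */
function downloadUrl(string $base, string $token, string $product): string
{
    return $base . '/download.php?t=' . rawurlencode($token)
                 . '&p=' . rawurlencode($product);
}

// Constructed usage: order 'ORD-1234' has just returned from PayPal.
$store = [];
$now   = time();
$token = issueToken($store, 'ORD-1234', $now);
echo downloadUrl('https://example.com', $token, 'ebook'), PHP_EOL;
print_r(resolveToken($store, $token, $now));                     // within 24 h
print_r(resolveToken($store, $token, $now + TOKEN_TTL + 1));     // after 24 h
print_r(resolveToken($store, 'not-a-token', $now));              // garbage input
```

Every download link, not only the thanks page, should pass through `resolveToken` so that a copied or expired link cannot fetch the file.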
