no access
cunning-fox
10-03-2002, 04:47 AM
Hi,
I use the option "PayPal" for some payment processing. The product is digital, and I have prevented visitors from finding out the url of the thankyou.html (download) page.
The problem is that once thankyou.html is known, it can be passed around and accessed. Can anyone come up with a code to put on "thankyou.html" that can prevent most people from accessing it unless PayPal sent them there, that will work in most browsers.
Remember that PayPal sends them to thankyou.html
Thanks
glenngv
10-03-2002, 06:27 AM
if (document.referrer!="http://yourdomain/paypal.html") //must be absolute URL
location.href="paypal.html";//or anywhere you want
Spookster
10-03-2002, 07:56 AM
Originally posted by glenngv
if (document.referrer!="http://yourdomain/paypal.html") //must be absolute URL
location.href="paypal.html";//or anywhere you want
In that case I would just disable javascript then go to the thank you page. Or use one of the various methods to just snatch the source code of that page and grab the download link and bypass things.
To do this effectively you need to use a server-side language. I am assuming the thankyou page exists on your server? Whatever server-side language your host supports use that then grab the referrer that way and display the download link if it is valid. In this way the download link will never even be sent to the browser unless the referrer is valid.
Shift4Sms
10-03-2002, 06:21 PM
As Spookster stated, the only effective way is with some server side scripting.
While verifying the referrer is a good first step, many hackers have ways to spoof the referrer value. I believe that with Paypal you can specify some custom data to return to your thank you page as a URL parameter upon return. A better check would be to create a GUID or UUID prior to sending the client to the Paypal site and store it locally on your server in a session variable. Pass this value to Paypal to return to your thank you page. When the thank you page is accessed, verify the value matches the value stored in your session variable and return an error if it does not.
On a related note, what is your monthly transaction volume and average dollar amount per ticket? If either or both are above a certain threshold (dependent on many factors, but a rule of thumb that I usually use is greater than 20 transactions per month or above $100 per ticket), a more traditional merchant account/gateway may be a better solution -- both in costs and customer satisfaction.
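The referrer check and the session-bound token that the two replies above describe, written out as one PHP script. This is an added example for this thread, not code from the original posts or from PayPal. It assumes PHP 7+ with sessions enabled, and that a single script plays both roles: `?action=start` issues a one-time token, stores it in the session and builds the PayPal "Buy Now" form, and PayPal's `return` variable then sends the buyer back to `?action=thanks&token=...`. The download link is only written into the page after the token check, so it never appears in any HTML that a visitor who skipped the flow can fetch. The button variable names (`cmd`, `business`, `custom`, `return`) are PayPal's; every URL, e-mail address, price and path below is a placeholder.

```php
<?php
// Added example for this thread, not code from the original posts or from
// PayPal. Assumes PHP 7+ with sessions enabled. ?action=start issues a
// one-time token and builds the PayPal form; ?action=thanks&token=... is the
// page PayPal's "return" variable sends the buyer back to. Button variable
// names are PayPal's; URLs, e-mail, price and paths are placeholders.

session_start();

const PAGE_URL        = 'http://yourdomain/paypal.php';  // placeholder: this script's absolute URL
const PAYPAL_BUSINESS = 'you@example.com';               // placeholder: your PayPal account e-mail
const DOWNLOAD_URL    = '/getfile.php';                  // placeholder: a script that re-checks the session, not a static file
const TOKEN_TTL       = 3600;                            // seconds a token stays usable

function issue_token(): string {
    $token = bin2hex(random_bytes(16));      // 128 bits of randomness, not guessable
    $_SESSION['paypal_token']  = $token;
    $_SESSION['paypal_issued'] = time();
    return $token;
}

function token_is_valid(?string $presented): bool {
    if ($presented === null || !isset($_SESSION['paypal_token'])) {
        return false;
    }
    $fresh = (time() - $_SESSION['paypal_issued']) < TOKEN_TTL;
    $match = hash_equals($_SESSION['paypal_token'], $presented);  // constant-time compare
    // One-time use: whatever the outcome, the token is gone now.
    unset($_SESSION['paypal_token'], $_SESSION['paypal_issued']);
    return $fresh && $match;
}

function referrer_is_paypal_or_absent(): bool {
    // Nuisance filter only: the Referer header is set by the client and is
    // trivially spoofed. An empty value is allowed because browsers drop the
    // Referer when going from an https: page (PayPal) to an http: page.
    $ref = $_SERVER['HTTP_REFERER'] ?? '';
    if ($ref === '') {
        return true;
    }
    $host = parse_url($ref, PHP_URL_HOST);
    return is_string($host)
        && ($host === 'www.paypal.com' || substr($host, -11) === '.paypal.com');
}

$h      = 'htmlspecialchars';
$action = $_GET['action'] ?? 'start';

if ($action === 'start') {
    $token  = issue_token();
    $return = PAGE_URL . '?action=thanks&token=' . urlencode($token);
    // "custom" is PayPal's pass-through field; it comes back in the IPN
    // message, so a notification can be tied to this session's token.
    echo '<form method="post" action="https://www.paypal.com/cgi-bin/webscr">'
       . '<input type="hidden" name="cmd" value="_xclick">'
       . '<input type="hidden" name="business" value="' . $h(PAYPAL_BUSINESS) . '">'
       . '<input type="hidden" name="item_name" value="Digital product">'
       . '<input type="hidden" name="amount" value="9.99">'
       . '<input type="hidden" name="currency_code" value="USD">'
       . '<input type="hidden" name="custom" value="' . $h($token) . '">'
       . '<input type="hidden" name="return" value="' . $h($return) . '">'
       . '<input type="submit" value="Buy now with PayPal"></form>';
} elseif ($action === 'thanks') {
    if (!referrer_is_paypal_or_absent() || !token_is_valid($_GET['token'] ?? null)) {
        http_response_code(403);
        echo 'This page is only available right after checkout.';
        exit;
    }
    // Only here does the download link appear in any HTML sent to the browser.
    echo '<p>Thank you for your purchase. '
       . '<a href="' . $h(DOWNLOAD_URL) . '">Download your product</a></p>';
} else {
    http_response_code(404);
}
```

Two caveats a practitioner should keep in mind. First, the session token proves that this browser started a checkout on your site, not that PayPal took a payment: a visitor can load `?action=start`, read the token out of the form, skip PayPal and open the thanks URL directly. Closing that gap needs a message from PayPal to your server rather than from the buyer's browser, which is what the Instant Payment Notification mentioned later in this thread provides. Second, the download itself has to be served by a script that re-checks the session (or by a short-lived, signed URL), because a static file under the web root is just another `thankyou.html` once its path is known.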
cunning-fox
10-03-2002, 07:19 PM
Hi,
I like what both of you are suggesting. The server I'm using supports PHP as well as CGI.
I don't remember seeing anything like that in PayPal. If someone who knows what they're doing doesn't mind and has the inclination, I would greatly appreciate some code that would accomplish this.
I would even give you the product FREE, if it works.
Originally posted by Shift4Sms
A better check would be to create a GUID or UUID prior to sending the client to the Paypal site and store it locally on your server in a session variable. Pass this value to Paypal to return to your thank you page. When the thank you page is accessed, verify the value matches the value stored in your session variable and return an error if it does not.
Thanks to you all
Shift4Sms
10-03-2002, 08:25 PM
In quickly reading over the Paypal manuals, I don't see any way of passing custom information that can be passed to the thank you URL as a URL parameter in the basic Shopping Cart API. It appears that custom data can be passed by using the Instant Payment Notification API, but I'm not sure how much work you would need to do to your application to support that level?
Good luck!!!
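To give a sense of how much work the Instant Payment Notification route in the post above involves, here is an IPN handler as an added example. It is not code from the thread or from PayPal. Assumptions: PayPal POSTs the transaction variables to this script (the `notify_url` button variable); the `custom` variable carries the one-time token this site generated before sending the buyer to PayPal; paid tokens are recorded in a flat file that the thank-you/download page consults. The postback endpoint, `cmd=_notify-validate` and the variable names (`payment_status`, `receiver_email`, `mc_gross`, `mc_currency`, `txn_id`, `custom`) are PayPal's; the e-mail address, price and file path are placeholders.

```php
<?php
// Added example, not from the thread or from PayPal. Handles PayPal's
// Instant Payment Notification: PayPal's servers POST the payment details
// here, and we (1) ask PayPal to confirm it really sent them, (2) check they
// match what we sold, and (3) record the session token from "custom" as paid.
// E-mail, price and store path are placeholders.

const RECEIVER_EMAIL = 'you@example.com';                // placeholder: your PayPal account
const EXPECTED_GROSS = '9.99';                            // placeholder: product price
const EXPECTED_CCY   = 'USD';
const PAID_STORE     = __DIR__ . '/../paid_tokens.txt';   // placeholder: keep it outside the web root
const PAYPAL_VERIFY  = 'https://ipnpb.paypal.com/cgi-bin/webscr';

// Step 1: echo the raw message back to PayPal with cmd=_notify-validate in
// front; PayPal answers VERIFIED if it sent it, INVALID otherwise. This is
// what stops anyone from forging a "payment completed" POST to this URL.
function ipn_is_verified(string $rawBody): bool {
    $ctx = stream_context_create(['http' => [
        'method'  => 'POST',
        'header'  => "Content-Type: application/x-www-form-urlencoded\r\n",
        'content' => 'cmd=_notify-validate&' . $rawBody,
        'timeout' => 30,
    ]]);
    $reply = file_get_contents(PAYPAL_VERIFY, false, $ctx);
    return $reply === 'VERIFIED';
}

// Step 2: a genuine notification can still be for the wrong account, the
// wrong amount, or a pending/refunded payment, so compare against what we sold.
function ipn_matches_expected(array $post): bool {
    return ($post['payment_status'] ?? '') === 'Completed'
        && strcasecmp($post['receiver_email'] ?? '', RECEIVER_EMAIL) === 0
        && ($post['mc_gross'] ?? '') === EXPECTED_GROSS
        && ($post['mc_currency'] ?? '') === EXPECTED_CCY
        && preg_match('/^[0-9a-f]{32}$/', $post['custom'] ?? '') === 1;  // the token format this site issues
}

// Step 3: remember which tokens have been paid for. txn_id is kept alongside
// so a replayed or duplicated notification can be recognised later.
function record_paid(string $token, string $txnId): void {
    file_put_contents(PAID_STORE, $token . ' ' . $txnId . "\n", FILE_APPEND | LOCK_EX);
}

// Called by the thank-you/download page in addition to its own session check.
function token_is_paid(string $token): bool {
    if (!is_file(PAID_STORE)) {
        return false;
    }
    foreach (file(PAID_STORE, FILE_IGNORE_NEW_LINES) as $line) {
        if (strtok($line, ' ') === $token) {
            return true;
        }
    }
    return false;
}

if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    $raw = file_get_contents('php://input');
    if (ipn_is_verified($raw) && ipn_matches_expected($_POST)) {
        record_paid($_POST['custom'], $_POST['txn_id'] ?? '');
    }
    http_response_code(200);   // always acknowledge, or PayPal keeps retrying
    exit;
}
```

With this in place the thank-you page requires both its own session token and `token_is_paid()` before it emits the download link, so a buyer who skipped PayPal has a token that was never paid for. Note that the notification is delivered separately from the buyer's browser and can arrive a little after the buyer returns, so the thank-you page should say the payment is still being confirmed and let the buyer reload rather than failing hard.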