On Sun, Jul 3, 2011 at 9:17 PM, Kirk Bailey <kbailey@xxxxxxxxxxxxxxxx>wrote: > ok, here's the deal; we sent someone to the paypal site for their purchase; > the site will use the palpal shopping cart. When they come back, there needs > to be a way to identify the product and the transaction so they an get the > product ONCE. Now for a single purchase, we can just send them to > (productname)thankyou.php and attach a magic cookie to the url as a query > string. this magic cookie can only be used once. THIS WILL NOT WORK IF WE > USE THE FULL SHOPPING CART AND THERE IS MORE THAN ONE PRODUCT TO DOWNLOAD, > it only works with a buynow button for one only product. > > This kind of functionality, if worked out in detail, will lend itself to > being adapted to MANY sorts of Eproducts, so I think there's an arguement to > be made that this is of benefit to a significant segment of the php > community. Well, at th4est them of us who like to get paid reliably, and not > get ripped off. > > A ROUGH STAB AT HOW TO DO IT FOR SINGLE ITEMS > As for one time only with buynow buttons: > Send the customer to paypal with a cookie from the top of a list. When they > come back, read the list's first entry. If it's there, make the download > link available. the download is in a secured directory, a la Apache's > directory securing methods. GIVE THEM THE PASSWORD. The user name is the > magic cookie; tell them this. When they go to that page, apache demands the > user name and password, which they give, and the page then (thanks to the > query string having the item name) makes a download link available. This > page also deletes that magic cookie from the list of them,so it can never be > used again. > > Discussion? > Only allowing them to access the URL once is a bad idea. If their download fails, is corrupt, or any number of other things go wrong (think accelerators, browser accelerators, etc) then you end up with a lot of support mail. Better to give them access for a short period of time. Personally I would generate a unique token linked to their account, or if no user system exists then link it to their order number. Stick that in a URL and forward them to it. That URL shows them the thanks page and links to download the product(s). Each of those links also contains the token. Expire that token after 24 hours, and on the page telling them it's expired give them a way to contact you just in case they haven't successfully downloaded the product yet. There is no need to use cookies. There is no need to use basic authentication (which is a horrible user experience). They come back from PayPal to a script that sets up their unique URL, then you take them to that URL. KISS it - the more complicated you make this the worse the user experience will be and it won't be any more secure than a time-limited unique token as described above. -Stuart -- Stuart Dallas 3ft9 Ltd http://3ft9.com/
