--On 06/15/01 16:18:14 -0500 Anthony Monta chiseled:
Hi. I'm trying to set up a website that registers people for a conference. I'd like to restrict access to the conference registry form to people who have already paid to a PayPal account (i.e., registered). What's the most effective way to do this?
The solution I've come up with so far (I'm not a programmer by profession) is to have PayPal send customers who have paid to a dtml script that sets a cookie value and then redirects the customer to a form viewable only if the cookie has the correct value.
You can also get http_referrer which will either be paypal or the last page. What I do is set the cookie *before* i send them to paypal, then I update an object in the ZODB when they come back from paypal (checking the HTTP_REFERRER). From then on I check the object in the ZODB to see if they've paid, usually keyed on AUTHENTICATED_USER. This still allows someone to construct the right HTTP POST and make it look as if they paid paypal. If you really need to prevent that, you should probably use a session (from Core Session Tracking) that starts right before they get to paypal and expires right after they get back. Stuff all the information into the session tracking object, that way you know they're not making it up- the information was never on their end. This way, the cookie that stores the session id will be unique to that session, and no amount of premeditation will allow them to generate a false page. Hope that helps, -- emf "something witty" mindlace@imeme.net