Hi. I'm trying to set up a website that registers people for a conference. I'd like to restrict access to the conference registry form to people who have already paid to a PayPal account (i.e., registered). What's the most effective way to do this? The solution I've come up with so far (I'm not a programmer by profession) is to have PayPal send customers who have paid to a dtml script that sets a cookie value and then redirects the customer to a form viewable only if the cookie has the correct value. But this model is insecure because there's nothing to prevent someone who *hasn't* paid to PayPal from running the script if they know what its URL is; and if I set some security block on it in Zope, then it wouldn't run when people who *have* paid were directed there. Obviously I'm missing something or just not looking in the right place. Maybe PayPal's confirmation email could be used in some way? Any pointers/help would be greatly appreciated. Cheers, Anthony
On 15 Jun 2001 16:18:14 -0500, Anthony Monta wrote:
> Hi. I'm trying to set up a website that registers people for a conference. I'd like to restrict access to the conference registry form to people who have already paid to a PayPal account (i.e., registered). What's the most effective way to do this?
> The solution I've come up with so far (I'm not a programmer by profession) is to have PayPal send customers who have paid to a dtml script that sets a cookie value and then redirects the customer to a form viewable only if the cookie has the correct value. But this model is insecure because there's nothing to prevent someone who *hasn't* paid to PayPal from running the script if they know what its URL is; and if I set some security block on it in Zope, then it wouldn't run when people who *have* paid were directed there. Obviously I'm missing something or just not looking in the right place. Maybe PayPal's confirmation email could be used in some way?
Ask PayPal; they have a method for payment confirmation. It isn't pretty, and I haven't done it in Zope/Python yet.
--On 06/15/01 16:18:14 -0500 Anthony Monta chiseled:
> Hi. I'm trying to set up a website that registers people for a conference. I'd like to restrict access to the conference registry form to people who have already paid to a PayPal account (i.e., registered). What's the most effective way to do this?
> The solution I've come up with so far (I'm not a programmer by profession) is to have PayPal send customers who have paid to a dtml script that sets a cookie value and then redirects the customer to a form viewable only if the cookie has the correct value.
You can also get http_referrer which will either be PayPal or the last page.

What I do is set the cookie *before* I send them to PayPal, then I update an object in the ZODB when they come back from PayPal (checking the HTTP_REFERRER). From then on I check the object in the ZODB to see if they've paid, usually keyed on AUTHENTICATED_USER.

This still allows someone to construct the right HTTP POST and make it look as if they paid PayPal.

If you really need to prevent that, you should probably use a session (from Core Session Tracking) that starts right before they get to PayPal and expires right after they get back. Stuff all the information into the session tracking object; that way you know they're not making it up: the information was never on their end.

This way, the cookie that stores the session id will be unique to that session, and no amount of premeditation will allow them to generate a false page.

Hope that helps,
-- emf "something witty" mindlace@imeme.net
Doing something like this is really foolish (sorry, I don't mean to offend), but PayPal is really insecure. You can post whatever values you want to the site, then continue... They can take the form that you use to send info to PayPal, change the cost value and submit that, and the system would not know the difference. There are better options out there offered by banks that are more secure. I know that you will be able to find out who they are when they go to the conference, but it is a headache you might want to avoid.

If you do want to use PayPal or any of the 50+ processors with 30+ drivers, the company I work for has a fantastic product: OPayC. http://www.opayc.com/ You drop in the code to connect to a driver; if you want a different driver, you drop in a different file that we provide, and bam... your new credit card processor is up and running. Also, if you want advice as to which processors are secure, we can help you with that too.

Rick

At 03:05 AM 6/17/01, you wrote:
> --On 06/15/01 16:18:14 -0500 Anthony Monta chiseled:
> > Hi. I'm trying to set up a website that registers people for a conference. I'd like to restrict access to the conference registry form to people who have already paid to a PayPal account (i.e., registered). What's the most effective way to do this?
> > The solution I've come up with so far (I'm not a programmer by profession) is to have PayPal send customers who have paid to a dtml script that sets a cookie value and then redirects the customer to a form viewable only if the cookie has the correct value.
> You can also get http_referrer which will either be PayPal or the last page.
> What I do is set the cookie *before* I send them to PayPal, then I update an object in the ZODB when they come back from PayPal (checking the HTTP_REFERRER). From then on I check the object in the ZODB to see if they've paid, usually keyed on AUTHENTICATED_USER.
> This still allows someone to construct the right HTTP POST and make it look as if they paid PayPal.
> If you really need to prevent that, you should probably use a session (from Core Session Tracking) that starts right before they get to PayPal and expires right after they get back. Stuff all the information into the session tracking object; that way you know they're not making it up: the information was never on their end.
> This way, the cookie that stores the session id will be unique to that session, and no amount of premeditation will allow them to generate a false page.
> Hope that helps, -- emf "something witty" mindlace@imeme.net
_______________________________________________ Zope maillist - Zope@zope.org http://lists.zope.org/mailman/listinfo/zope ** No cross posts or HTML encoding! ** (Related lists - http://lists.zope.org/mailman/listinfo/zope-announce http://lists.zope.org/mailman/listinfo/zope-dev )
##########################################################
# Rick St Jean,
# rstjean@internet.look.ca
# President of Design Shark,
# http://www.designshark.com/, http://www.phpmailer.com/
# Quick Contact: http://www.designshark.com/messaging.ihtml
# Tel: 905-684-2952
##########################################################
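The server-side approach emf describes (state created before the redirect, never trusted from the client), Rick's point that the amount posted to the processor can be edited by the visitor, and Bill's pointer to a processor-side payment confirmation, brought together in one added example that is not from any poster, from Zope or from PayPal. An in-memory dict stands in for the ZODB object; the opaque token is the only thing the visitor's cookie holds; and a record is marked paid only when the server's own stored fee, the confirmed amount and a processor-side verification result all agree. The `processor_verified` flag is an assumed hook standing in for whatever server-to-server confirmation the processor offers (no processor protocol is implemented here), and the fee, currency and timeout are constructed sample values.

```python
import secrets
import time
from decimal import Decimal, InvalidOperation
from typing import Dict, Optional

# Stand-in for the per-visitor ZODB object emf keeps: an in-memory dict keyed
# by an unguessable token (constructed for this example; not persistent).
_PENDING: Dict[str, dict] = {}

# Constructed sample values for the conference fee and the checkout window.
CONFERENCE_FEE = Decimal("150.00")
CONFERENCE_CURRENCY = "USD"
CHECKOUT_TTL_SECONDS = 15 * 60


def start_checkout(user_id: str, now: Optional[float] = None) -> str:
    """Create the server-side record *before* redirecting to the processor.

    The returned token is the only thing that goes into the visitor's cookie;
    the fee, currency, start time and paid flag never leave the server.
    """
    now = time.time() if now is None else now
    token = secrets.token_urlsafe(32)
    _PENDING[token] = {
        "user": user_id,
        "amount": CONFERENCE_FEE,
        "currency": CONFERENCE_CURRENCY,
        "started": now,
        "paid": False,
    }
    return token


def confirm_payment(token: str, amount: str, currency: str,
                    processor_verified: bool,
                    now: Optional[float] = None) -> bool:
    """Mark the record paid only if every server-side check passes.

    `processor_verified` is assumed to be the outcome of a server-to-server
    confirmation with the processor (the payment confirmation Bill points
    to); this example does not implement any processor's protocol.
    """
    now = time.time() if now is None else now
    rec = _PENDING.get(token)
    if rec is None:
        return False                      # unknown or forged token
    if now - rec["started"] > CHECKOUT_TTL_SECONDS:
        del _PENDING[token]               # expired checkout: start over
        return False
    if not processor_verified:
        return False                      # a redirect alone proves nothing
    try:
        paid_amount = Decimal(amount)
    except InvalidOperation:
        return False                      # malformed amount in the callback
    # Rick's point: the form amount sent to the processor can be edited, so
    # compare the confirmed amount against what *we* recorded, not the form.
    if paid_amount != rec["amount"] or currency != rec["currency"]:
        return False
    rec["paid"] = True
    return True


def can_view_registration_form(token: str) -> bool:
    """Gate for the registration form: only a server-side record can say paid."""
    rec = _PENDING.get(token)
    return bool(rec and rec["paid"])


if __name__ == "__main__":
    # A visitor who sets a cookie value of their own choosing has no record.
    print(can_view_registration_form("paid=1"))         # False
    t = start_checkout("alice")
    print(confirm_payment(t, "1.00", "USD", True))       # False: amount altered
    print(confirm_payment(t, "150.00", "USD", True))     # True
    print(can_view_registration_form(t))                 # True
```

The cookie-before-redirect step and the expiry are the two halves of emf's session idea: the token is minted by the server, so a visitor who never started a checkout has nothing to present, and a checkout that is never confirmed within the window is dropped rather than left open for a later replay.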
Good idea, it works fine with Python. It would not be that hard to integrate with Zope. I will mention this.

Rick

At 05:27 PM 6/17/01, marc lindahl wrote:
> From: Rick St Jean <rstjean@internet.look.ca>
> > If you do want to use PayPal or any of the 50+ processors with 30+ drivers, the company I work for has a fantastic product.
> Your company should look into making a Zope Product...
Participants (5): Anthony Monta, Bill Anderson, emf, marc lindahl, Rick St Jean