Apr 2010

I have configured no thank you emails to be sent and enabled my own common thank you page as well as notifications URL.



How do I know when displaying my thank you page that this is a real customer who paid? (and not someone who constructed the URL himself). Do I assume that for a purchase, the notifications URL will always be hit first before the customer is redirected to the thank you page?


Someone could not "construct" the URL to your thank you page; the URL to each thank you page is generated when a transaction is completed. Typing in a random string of characters trying to find a page will just get a 404 error.



You can also refer to your transaction log for the information on every transaction that has generated a thank you page.

I have enabled my custom common thank you page, so it resides on my server. Once a transaction is complete, e-junkie does a GET to:



http://www.myurl.com/thankyou?payeremail=xxx&txn_id=yyy&first_name=zzz&last_name=aaa&payment_status=Completed&currency=USD&c_id=bbb&c_enc=ccc&hash=dddd



Isn't it relatively easy for a user to copy this URL and then keep the hash while changing the other parameters of the URL?



Other than the hash, how else can I validate this transaction (or is the correct way to check against the information posted to the notifications URL)? Is that what you are referring to as my transaction log?

If someone changed the URL, then it would no longer match up with the information in our system and the thank you page you created would not show transaction information or a download link for the fake transaction as our system would have no data to send.



You can always validate an order by going to your transaction log, but there is no way for someone to make a fake transaction and use the custom thank you page to steal your product.

Maybe I'm phrasing this wrongly or using the wrong terminology.



http://www.myurl.com/thankyou?payeremail=xxx&txn_id=yyy&first_name=zzz&last_name=aaa&payment_status=Completed&currency=USD&c_id=bbb&c_enc=ccc&hash=dddd



myurl.com is my server, not e-junkie's. If I configured my account to use my custom thank you page, at the end of a transaction, e-junkie will do a GET to this URL, right?



So what I am saying is, if someone else accesses this URL directly, how am I to validate that it didn't come from e-junkie, and is not a valid transaction? Is it by comparing to the prior notifications post from e-junkie to my server?

The portion of your thank you page that shows the transaction information, and creates a unique download link for the buyer uses the extra information that we send with the URL to add that information to your thank you page.



If someone goes directly to the URL on your site, and places false information for the transaction in the URL, it will not match what is on our server for your transactions. They will not be able to get a free download this way. The only way someone can get a free download is if you send them one using our Send Free Download Feature.



If a buyer sends the URL of, or a link for, the thank you page to someone, there is not a way to stop that. That is why we allow you, the merchant, to set up a time limit and a set number of download attempts for your product. After those attempts the download link will not work.
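
The cross-check raised in the question (comparing the thank-you request against what was posted to the notifications URL), as an added example that is not part of the thread and not e-junkie's code. It assumes the merchant's notification handler stores each POST keyed by `txn_id`; the parameter names come from the URL quoted above, while `TransactionStore`, `check_thank_you_request` and the sample values are hypothetical. The thread does not confirm that the notification always arrives before the redirect, so an unknown `txn_id` is treated as pending rather than trusted.

```python
from urllib.parse import urlsplit, parse_qs

# Fields that must agree between the stored notification and the redirect URL.
CHECKED_FIELDS = ("payeremail", "payment_status", "currency")

# Constructed sample of what a notification handler might have stored.
SAMPLE_NOTIFICATION = {
    "txn_id": "TXN-0001",
    "payeremail": "buyer@example.com",
    "payment_status": "Completed",
    "currency": "USD",
}


class TransactionStore:
    """In-memory stand-in for the table the notification handler writes to."""

    def __init__(self):
        self._by_txn = {}

    def record_notification(self, fields):
        self._by_txn[fields["txn_id"]] = dict(fields)

    def get(self, txn_id):
        return self._by_txn.get(txn_id)


def check_thank_you_request(url, store):
    """Return 'verified', 'pending' or 'rejected' for a thank-you request."""
    query = parse_qs(urlsplit(url).query, keep_blank_values=True)
    # A repeated parameter is ambiguous; refuse rather than pick one value.
    if any(len(values) != 1 for values in query.values()):
        return "rejected"
    params = {name: values[0] for name, values in query.items()}
    txn_id = params.get("txn_id", "")
    if not txn_id:
        return "rejected"
    recorded = store.get(txn_id)
    if recorded is None:
        # No notification seen yet: show a neutral page and grant nothing.
        return "pending"
    if recorded.get("payment_status") != "Completed":
        return "rejected"
    # Every checked field in the URL must equal the server-side record.
    if any(params.get(f, "") != recorded.get(f, "") for f in CHECKED_FIELDS):
        return "rejected"
    return "verified"
```

A `verified` result only says the URL agrees with a recorded completed transaction; it does not distinguish the buyer from someone the buyer forwarded the link to, which is the case the last reply addresses with download limits.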