Handling callback security with contrib ecommerce payment modules

Dublin Drupaller

Hi guys,

I recently updated the worldpay.module for 4.7 and included an automated "callback" after the order is processed, i.e. the Worldpay server tells the Drupal site that the transaction was either APPROVED or CANCELLED (Denied happens at the Worldpay end and the order is cancelled).

So a Drupal site admin who is setting up their Worldpay-enabled shop enters in the worldpay_callback the Worldpay server sends the "y" or "c" flags to. The problem is securing that transfer of information or, in other words, validating the source.

What I came up with is a simple security check into the module. Worldpay don't give out their IP addresses, so I added in a reverse DNS lookup to see if the worldpay_callback is really coming from the Worldpay server.

So I'm wondering what other ecommerce developers have used for that stage of order confirmation.

Cheers

Dub
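
The reverse DNS check described in the post, written out as an added example (this is not the worldpay.module code and not part of the original post). A PTR record is published by whoever controls the address block, so the sketch also resolves the returned name forwards and requires it to map back to the same IP; the function name, the `payments.example` suffix and the sample DNS tables are hypothetical placeholders.

```php
<?php
// Added example, not the worldpay.module code. The domain suffix and the
// DNS tables below are constructed placeholders.

/**
 * Forward-confirmed reverse DNS check for a callback's source address.
 * $ptr and $fwd are injectable resolvers so the check can run offline;
 * by default they are PHP's gethostbyaddr() and gethostbynamel().
 */
function callback_source_is_trusted($ip, $suffix, $ptr = 'gethostbyaddr', $fwd = 'gethostbynamel') {
  // gethostbynamel() only returns IPv4 addresses, so restrict to IPv4 here.
  if (filter_var($ip, FILTER_VALIDATE_IP, FILTER_FLAG_IPV4) === FALSE) {
    return FALSE;
  }
  // Step 1: reverse lookup. gethostbyaddr() returns the IP unchanged when
  // no PTR record exists and FALSE on malformed input.
  $host = call_user_func($ptr, $ip);
  if ($host === FALSE || $host === $ip) {
    return FALSE;
  }
  $host = strtolower(rtrim($host, '.'));
  $suffix = '.' . strtolower(ltrim($suffix, '.'));
  // Step 2: match the suffix on a label boundary at the END of the name, so
  // "payments.example.unrelated.test" and "xpayments.example" do not pass.
  if (substr($host, -strlen($suffix)) !== $suffix) {
    return FALSE;
  }
  // Step 3: forward-confirm. The name must resolve back to the same IP,
  // otherwise the PTR record alone proves nothing about the sender.
  $addrs = call_user_func($fwd, $host);
  return is_array($addrs) && in_array($ip, $addrs, TRUE);
}

// Constructed sample data (documentation address ranges, placeholder names).
$ptr_table = array(
  '192.0.2.10'   => 'callback1.payments.example',      // genuine
  '198.51.100.7' => 'callback1.payments.example',      // PTR set by a third party
  '203.0.113.5'  => 'payments.example.unrelated.test', // look-alike name
);
$fwd_table = array('callback1.payments.example' => array('192.0.2.10'));
$ptr = function ($ip) use ($ptr_table) { return isset($ptr_table[$ip]) ? $ptr_table[$ip] : $ip; };
$fwd = function ($h) use ($fwd_table) { return isset($fwd_table[$h]) ? $fwd_table[$h] : FALSE; };

foreach (array_keys($ptr_table) as $ip) {
  $ok = callback_source_is_trusted($ip, 'payments.example', $ptr, $fwd);
  printf("%-13s %s\n", $ip, $ok ? 'accept' : 'reject');
}
```

With the constructed tables only 192.0.2.10 is accepted. A source-address check of this kind does not authenticate the "y" or "c" value carried in the callback itself.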
