[Zope] Newbie: PayPal and Zope

emf mindlace@imeme.net
Sun, 17 Jun 2001 03:05:35 -0400


--On 06/15/01 16:18:14 -0500 Anthony Monta chiseled:

> Hi. I'm trying to set up a website that registers people for a
> conference. I'd like to restrict access to the conference registry form
> to people who have already paid to a PayPal account (i.e., registered).
> What's the most effective way to do this?
>
> The solution I've come up with so far (I'm not a programmer by
> profession) is to have PayPal send customers who have paid to a DTML
> script that sets a cookie value and then redirects the customer to a
> form viewable only if the cookie has the correct value.

You can also get HTTP_REFERER, which will either be PayPal or the last page.

What I do is set the cookie *before* I send them to PayPal, then I update 
an object in the ZODB when they come back from PayPal (checking the 
HTTP_REFERER). From then on I check the object in the ZODB to see if 
they've paid, usually keyed on AUTHENTICATED_USER.

This still allows someone to construct the right HTTP POST and make it look 
as if they paid PayPal.

If you really need to prevent that, you should probably use a session (from 
Core Session Tracking) that starts right before they get to PayPal and 
expires right after they get back. Stuff all the information into the 
session tracking object; that way you know they're not making it up, because 
the information was never on their end.

This way, the cookie that stores the session id will be unique to that 
session, and no amount of premeditation will allow them to generate a false 
page.

Hope that helps,
--
emf
"something witty"
mindlace@imeme.net
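The two patterns discussed in this thread, as an added illustration that is not code from the original posters or from Zope: a "paid" flag carried in a client-visible cookie (the original poster's idea) beside a server-side session store that hands the browser only an opaque random id and keeps the paid flag on the server, started before the redirect to the payment site and expired shortly afterwards (the approach the reply describes). The HTTP layer is simulated with plain dicts of cookies and request headers; there is no real PayPal integration, and the function names, the `session_id` cookie name and all request data below are constructed for the example.

```python
"""Added example: client-side 'paid' cookie vs. server-side session state.

Nothing here talks to PayPal; requests and cookies are plain dicts constructed
for the demonstration.
"""
import secrets
import time


# --- Pattern 1: trust a value the client itself stores (original poster's idea).
def weak_is_paid(cookies):
    """Returns True if the browser presents paid=yes.

    The server never issued anything it can recognise, so a cookie the user
    typed in by hand is indistinguishable from one set by a redirect script.
    """
    return cookies.get("paid") == "yes"


def referer_is_payment_site(headers, payment_host="www.paypal.com"):
    """Checks the Referer header the reply mentions (CGI name HTTP_REFERER).

    It is sent by the client, so it can tell you where the user says they came
    from; the example therefore does not use it to decide that payment happened.
    """
    referer = headers.get("HTTP_REFERER", "")
    return referer.startswith("https://" + payment_host + "/")


# --- Pattern 2: server-side session; the browser only holds an opaque id.
class SessionStore:
    """Minimal stand-in for a session-tracking object kept on the server."""

    def __init__(self, ttl_seconds=900, clock=time.time):
        self._sessions = {}  # session id -> {"paid": bool, "expires": float}
        self._ttl = ttl_seconds
        self._clock = clock  # injectable for testing expiry

    def start(self):
        """Create a session right before redirecting to the payment site.

        The id is unguessable, and the paid flag starts out False.
        """
        sid = secrets.token_urlsafe(32)
        self._sessions[sid] = {"paid": False,
                               "expires": self._clock() + self._ttl}
        return sid

    def _live(self, sid):
        rec = self._sessions.get(sid)
        if rec is None:
            return None
        if rec["expires"] < self._clock():
            del self._sessions[sid]  # expired: forget it entirely
            return None
        return rec

    def mark_paid(self, sid):
        """Set the paid flag from server-side confirmation code only.

        Nothing the client submits is copied into the record; a session that
        is unknown or already expired cannot be marked paid.
        """
        rec = self._live(sid)
        if rec is None:
            return False
        rec["paid"] = True
        return True

    def is_paid(self, cookies):
        """The registry form consults the server record, not the cookie value."""
        rec = self._live(cookies.get("session_id", ""))
        return bool(rec and rec["paid"])


def demo():
    """Walk through both patterns with constructed cookies; returns the results."""
    forged = {"paid": "yes", "session_id": "anything-the-user-made-up"}
    store = SessionStore(ttl_seconds=60)
    sid = store.start()          # issued before the redirect
    store.mark_paid(sid)         # done server-side on confirmed return
    return {
        "weak_accepts_forged_cookie": weak_is_paid(forged),
        "session_rejects_forged_cookie": store.is_paid(forged),
        "session_accepts_real_id": store.is_paid({"session_id": sid}),
    }


if __name__ == "__main__":
    print(demo())
```

The point of the second pattern is the one the reply makes: the cookie only identifies the session, and the information that matters (whether payment was confirmed) is written by the server and read back by the server, so there is nothing on the client's side to alter.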