PayPal IPN Verification Postback to HTTPS with v1.3.8

[ferid]

I believe that the IPN Postback URL is set within your store's PayPal (not Zen Cart) account. Make sure that the URL starts with https.

I just logged in to my PayPal account and was able to find the following settings:
Notification URL: https://[mysite]/ipn_main_handler.php
Message delivery: Enabled

Or maybe I need to make changes to ipn_main_handler.php?

When I check my PayPal settings in the web shop I find the following setting.
Mode for PayPal web services: www.paypal.com/cgi-bin/webscr
Could this be something?

[moogawooga]

I believe that the IPN Postback URL is set within your store's PayPal (not Zen Cart) account. Make sure that the URL starts with https.

No, the IPN setting in the paypal account is about paypal talking to zencart via https.

The issue at hand is about zencart talking to paypal via https.
In the link from the OP paypal says that
(1) they have provided another endpoint where they want zencart to talk to them - ipnpb.paypal.com
(2) they want zencart to start talking to them via https
(3) after 9/30/2016 they will no longer listen to http even if zencart continues to talk to them there

[moogawooga]

As per this post by mc12345678 issue (2) and (3) in my post above are fixed in version 1.5.5

It's a simple change in the file includes/modules/payment/paypal/paypal_functions.php

Make the following replacement

Code:

    if ($mode == 'IPN') {
      ipn_debug_email('IPN INFO - POST VARS received (sorted):' . "\n" . stripslashes(urldecode(print_r($postdata_array, true))));
      if (sizeof($postdata_array) == 0) die('Nothing to process. Please return to home page.');
    }
    // send received data back to PayPal for validation
    $scheme = 'http://';
    //Parse url
    $web = parse_url($scheme . 'www.paypal.com/cgi-bin/webscr');
    if ((isset($_POST['test_ipn']) && $_POST['test_ipn'] == 1) || MODULE_PAYMENT_PAYPAL_HANDLER == 'sandbox') {
      $web = parse_url($scheme . 'www.sandbox.paypal.com/cgi-bin/webscr');
    }

with

Code:

    if ($mode == 'IPN') {
      ipn_debug_email('IPN INFO - POST VARS received (sorted):' . "\n" . stripslashes(urldecode(print_r($postdata_array, true))));
      if (sizeof($postdata_array) == 0) die('Nothing to process. Please return to home page.');
    }
    // send received data back to PayPal for validation
    $scheme = 'https://';
    //Parse url
    $web = parse_url($scheme . 'www.paypal.com/cgi-bin/webscr');
    if ((isset($_POST['test_ipn']) && $_POST['test_ipn'] == 1) || MODULE_PAYMENT_PAYPAL_HANDLER == 'sandbox') {
      $web = parse_url($scheme . 'www.sandbox.paypal.com/cgi-bin/webscr');
    }

[ferid]

Looks like an easy job. Except in my case my file looks different probably because I am running 138a.

I found the following section.

Code:

**
 * Verify IPN by sending it back to PayPal for confirmation
 */
  function ipn_postback($mode = 'IPN') {
    $info = '';
    $header = '';
    $scheme = 'http://';
    //if (ENABLE_SSL == 'true') $scheme = 'https://';
    //Parse url
    $web = parse_url($scheme . (defined('MODULE_PAYMENT_PAYPAL_HANDLER') ? MODULE_PAYMENT_PAYPAL_HANDLER : 'www.paypal.com/cgi-bin/webscr'));
    if (isset($_POST['test_ipn']) && $_POST['test_ipn'] == 1) {
      $web = parse_url($scheme . 'www.sandbox.paypal.com/cgi-bin/webscr');
    }

Couldn't I just activate the line: //if (ENABLE_SSL == 'true') $scheme = 'https://';
Or just set $scheme to https://

What would be the best course of action?

[ferid]

I havn't made any changes yet and wanted to see where zencart takes me if I place an order.
After I select paypal and confirm the order it takes me to https://www.paypal.com/nl/cgi-bin/webscr.
So it looks like this is ok. Or do I still have to set $scheme to https://?

[mc12345678]

So, to try to explain based on what appears to be happening... The $scheme variable appears to be associated with how the server communicates with paypal, not how the customer interacts with the site. Therefore, the previous suggestion to uncomment the line of code will not fully address the situation as that line ties the site's setup (customer's interaction with the site) to the communication of the site with paypal... So, simply uncommenting that line would only offer https: to paypal if the site also had a SSL and had it active. That though is not necessarily the requirement for that communication.

Regarding the "last" post above, the observation of the url being https: in the browser is the customer communication with paypal which also is outside the loop of the requirement being discussed. The IPN response is between paypal and the site and appearing to be a part of the site communicating to PayPal, not necessarily that PayPal is trying to reach the site (during the data transfer)... Therefore the two (URL in browser and the $scheme) are also separate.

So why is it just now that ZC is going this route in ZC 1.5.5? Well, it would seem that until the change in requirement by PayPal, ZC met the requirements of PayPal and with the upcoming change, it still will. (When the updated version is installed, or the applicable changes are discretely applied.)

Btw, I state the above from a standpoint of review in the last day, not from a position of authority.

[ferid]

Thank you for the clarification.
I will set $scheme variable to https. That should fix it for now.
Will have to see about upgrading Zen-Cart.

[ferid]

I've made the change. Turned on logging in the module settings and placed an order through the web shop (successfully).
Afterwards I was able to find a few log files.
2 of them contain a reference to IPN. I have copied a few lines from ipn_1457695299_IV51.log.

Code:

Mar 11 2016 12:21 -- IPN INFO - POST VARS to be sent back for validation: 
To: ssl://www.paypal.com:443
POST /cgi-bin/webscr HTTP/1.1
Host: www.paypal.com
Content-type: application/x-www-form-urlencoded
Content-length: 101
Connection: close

The second file also contains a few errors ipn_1457695301_EzA7.log

Code:

Mar 11 2016 12:21 -- IPN PROCESSING INITIATED. 
*** Originating IP: 173.0.81.1  notify.paypal.com
*** Browser/User Agent: PayPal IPN ( https://www.paypal.com/ipn )

Mar 11 2016 12:21 -- IPN FATAL ERROR :: Could not find stored session in DB, cannot re-create session as PayPal IPN transaction.

Mar 11 2016 12:21 -- IPN FATAL ERROR :: No saved IPN session data available. Must be an Express Checkout or Direct Pay transaction.

Mar 11 2016 12:21 -- IPN INFO - POST VARS received (sorted):
Array
(

Code:

Mar 11 2016 12:21 -- IPN INFO - Confirmation/Validation response 
SUCCESS

Mar 11 2016 12:21 -- Breakpoint: 1 - Collected data from PayPal notification

Mar 11 2016 12:21 -- IPN INFO :: Transaction email details.

Mar 11 2016 12:21 -- Breakpoint: 2 - Validated transaction components

Mar 11 2016 12:21 -- Breakpoint: 3 - Communication method verified

Mar 11 2016 12:21 -- Breakpoint: 4 - Details:  txn_type=unknown    ordersID = 0  IPN_id=0

   Relevant data from POST:
     txn_type = unknown
     parent_txn_id = None
     txn_id = xxxxxxxx (deleted by me)

Mar 11 2016 12:21 -- Breakpoint: 5 - Transaction type (txn_type) = unknown

Mar 11 2016 12:21 -- IPN WARNING :: Could not process for txn type: unknown
 postdata=transaction_subject=

[mc12345678]

This line:

ssl://www.paypal.com:443

Looks unusual... It seems like it should be:

https://www.paypal.com:443

So not sure where that came from. Further, it is my understanding that because paypal is a module not just some randoom code that over time as paypal has changed other requirements that a more up-to-date version of the paypal payment module needs to be used than the version supplied with ZC 1.3.8...

Fyi, the upgrade? Not sure if I posted it, but suggested path would be: http://www.zen-cart.com/entry.php?3-...d-of-upgrading

Really hoping that someone more involved with the project and specifically paypal portion comes across this and provides. Some more input. :/

[DrByte]

it is my understanding that because paypal is a module not just some randoom code that over time as paypal has changed other requirements that a more up-to-date version of the paypal payment module needs to be used than the version supplied with ZC 1.3.8...

Yes, and more than that: v1.3.8 had a lot of critical security flaws. A lot has been changed and improved and vastly altered since v138 was released back in 2007 ... almost a decade ago.