PayPal IPN Verification Postback to HTTPS with v1.3.8

[lat9]

Any idea what I can do to fix my issue with PayPal? How could it change the IPN Verification Postback to HTTPS?

I believe that the IPN Postback URL is set within your store's PayPal (not Zen Cart) account. Make sure that the URL starts with https.

[ferid]

I believe that the IPN Postback URL is set within your store's PayPal (not Zen Cart) account. Make sure that the URL starts with https.

I just logged in to my PayPal account and was able to find the following settings:
Notification URL: https://[mysite]/ipn_main_handler.php
Message delivery: Enabled

Or maybe I need to make changes to ipn_main_handler.php?

When I check my PayPal settings in the web shop I find the following setting.
Mode for PayPal web services: www.paypal.com/cgi-bin/webscr
Could this be something?

[moogawooga]

I believe that the IPN Postback URL is set within your store's PayPal (not Zen Cart) account. Make sure that the URL starts with https.

No, the IPN setting in the paypal account is about paypal talking to zencart via https.

The issue at hand is about zencart talking to paypal via https.
In the link from the OP paypal says that
(1) they have provided another endpoint where they want zencart to talk to them - ipnpb.paypal.com
(2) they want zencart to start talking to them via https
(3) after 9/30/2016 they will no longer listen to http even if zencart continues to talk to them there

[moogawooga]

As per this post by mc12345678 issue (2) and (3) in my post above are fixed in version 1.5.5

It's a simple change in the file includes/modules/payment/paypal/paypal_functions.php

Make the following replacement

Code:

    if ($mode == 'IPN') {
      ipn_debug_email('IPN INFO - POST VARS received (sorted):' . "\n" . stripslashes(urldecode(print_r($postdata_array, true))));
      if (sizeof($postdata_array) == 0) die('Nothing to process. Please return to home page.');
    }
    // send received data back to PayPal for validation
    $scheme = 'http://';
    //Parse url
    $web = parse_url($scheme . 'www.paypal.com/cgi-bin/webscr');
    if ((isset($_POST['test_ipn']) && $_POST['test_ipn'] == 1) || MODULE_PAYMENT_PAYPAL_HANDLER == 'sandbox') {
      $web = parse_url($scheme . 'www.sandbox.paypal.com/cgi-bin/webscr');
    }

with

Code:

    if ($mode == 'IPN') {
      ipn_debug_email('IPN INFO - POST VARS received (sorted):' . "\n" . stripslashes(urldecode(print_r($postdata_array, true))));
      if (sizeof($postdata_array) == 0) die('Nothing to process. Please return to home page.');
    }
    // send received data back to PayPal for validation
    $scheme = 'https://';
    //Parse url
    $web = parse_url($scheme . 'www.paypal.com/cgi-bin/webscr');
    if ((isset($_POST['test_ipn']) && $_POST['test_ipn'] == 1) || MODULE_PAYMENT_PAYPAL_HANDLER == 'sandbox') {
      $web = parse_url($scheme . 'www.sandbox.paypal.com/cgi-bin/webscr');
    }

[ferid]

Looks like an easy job. Except in my case my file looks different probably because I am running 138a.

I found the following section.

Code:

**
 * Verify IPN by sending it back to PayPal for confirmation
 */
  function ipn_postback($mode = 'IPN') {
    $info = '';
    $header = '';
    $scheme = 'http://';
    //if (ENABLE_SSL == 'true') $scheme = 'https://';
    //Parse url
    $web = parse_url($scheme . (defined('MODULE_PAYMENT_PAYPAL_HANDLER') ? MODULE_PAYMENT_PAYPAL_HANDLER : 'www.paypal.com/cgi-bin/webscr'));
    if (isset($_POST['test_ipn']) && $_POST['test_ipn'] == 1) {
      $web = parse_url($scheme . 'www.sandbox.paypal.com/cgi-bin/webscr');
    }

Couldn't I just activate the line: //if (ENABLE_SSL == 'true') $scheme = 'https://';
Or just set $scheme to https://

What would be the best course of action?

[ferid]

I havn't made any changes yet and wanted to see where zencart takes me if I place an order.
After I select paypal and confirm the order it takes me to https://www.paypal.com/nl/cgi-bin/webscr.
So it looks like this is ok. Or do I still have to set $scheme to https://?

[mc12345678]

So, to try to explain based on what appears to be happening... The $scheme variable appears to be associated with how the server communicates with paypal, not how the customer interacts with the site. Therefore, the previous suggestion to uncomment the line of code will not fully address the situation as that line ties the site's setup (customer's interaction with the site) to the communication of the site with paypal... So, simply uncommenting that line would only offer https: to paypal if the site also had a SSL and had it active. That though is not necessarily the requirement for that communication.

Regarding the "last" post above, the observation of the url being https: in the browser is the customer communication with paypal which also is outside the loop of the requirement being discussed. The IPN response is between paypal and the site and appearing to be a part of the site communicating to PayPal, not necessarily that PayPal is trying to reach the site (during the data transfer)... Therefore the two (URL in browser and the $scheme) are also separate.

So why is it just now that ZC is going this route in ZC 1.5.5? Well, it would seem that until the change in requirement by PayPal, ZC met the requirements of PayPal and with the upcoming change, it still will. (When the updated version is installed, or the applicable changes are discretely applied.)

Btw, I state the above from a standpoint of review in the last day, not from a position of authority.

[ferid]

Thank you for the clarification.
I will set $scheme variable to https. That should fix it for now.
Will have to see about upgrading Zen-Cart.