February 5th, 2006, 1:20 AM   #1
Paypal question for those who use it on their sites...

I'm in the process of developing my site and I am going to be using paypal to accept payments. I am using paypal website payments standard and having a problem that I do not find either satisfactorily answered/explained on the paypal developer forums but I am hoping someone else here on Surpass has seen this and found the answer for their own development.

Basically, I set up a Buy Now paypal form, but one that is able to accept an aggregate of items. This might be the case (and is the case for my site) when you have a custom cart implementation that accumulates items which are then only sent to paypal when a buyer is ready to checkout. In this situation I only use paypal for their payment receiving capability and not their cart functionality.

My paypal form specifies a return url on payment success. While testing this out in the paypal "sandbox" I find that the entire transaction proceeds without problems until the buyer presses the button to return to my site. At that point I get the ugly and annoying Security Warning dialog from the browser, with the usual message that information is being sent over an unencrypted connection and asking for the user to accept that. The dialog displays twice with an acceptance required each time.

I cannot see a reason for why the transfer from the https page at paypal to my non-https return page should cause the warning. There shouldn't really be a reason why I would have to have ssl on my end since that is one of the major advantages of using paypal.

Any insight into this problem would be greatly appreciated as I do not want to have to have ssl for my site for this seemingly unnecessary situation and I do not want to have my buyers have to see and respond to that dialog.

If it might help, here is the form code being used to interact with the sandbox...

<form action="https://www.sandbox.paypal.com/cgi-bin/webscr" method="post">
<input type="hidden" name="cmd" value="_cart" />
<input type="hidden" name="upload" value="1" />
<input type="hidden" name="business" value="somethingsomewhere.com" />
<input type="hidden" name="return" value="http://localhost/buySuccess.php?type=paypal" />
<input type="hidden" name="cancel_return" value="http://localhost/viewCart.php" />
<input type="hidden" name="currency_code" value="USD" />
<input id="paypalCheckoutBtn" type="image" src="images/PayPalCheckout.gif" name="submit" alt="Buy now using paypal..." title="Buy now using paypal..." />

<input type="hidden" name="quantity_1" value="1" />
<input type="hidden" name="item_name_1" value="Item name" />
<input type="hidden" name="amount_1" value="30.00" />
<input type="hidden" name="on0_1" value="Description" />
<input type="hidden" name="os0_1" value="Item Description" />
</form>
__________________
________________________________________
Server: Dev1
www.geoffshapirophotography.com

Last edited by geoffs; February 5th, 2006 at 1:23 AM..
geoffs is offline  
February 5th, 2006, 9:57 AM   #2
Browser standard?

Is that not the browser standard... to alert the user when being redirected from a secure (https) page to a non-secure page (http)?

If this is the case, then PayPal cannot do much about it. You can inform/assure your users that the sensitive information is transferred over secure connection directly to PayPal.
__________________
David Kaspar | SH60
davotoula is offline  
February 5th, 2006, 11:37 AM   #3
Quote:
Originally Posted by davotoula
Is that not the browser standard... to alert the user when being redirected from a secure (https) page to a non-secure page (http)?

If this is the case, then PayPal cannot do much about it. You can inform/assure your users that the sensitive information is transferred over secure connection directly to PayPal.

Thanks for replying, David.

It might be the browser standard (although I am not totally convinced by this because of the variant behavior I'll explain below) but that also brings up the question as to how other sites get around it.

For example, go to Amazon's home page - it's just an http connection. Then login to your Amazon account (providing you have one). Now you're on a secure connection. Go from your account page back to the home page and you're back to just the http connection. No complaint from the browser even though you went from http to https and back to http.

And then there's this inconsistent behavior... I set up an experiment in which I set up my test paypal sandbox account to Auto-Return to a page on my public site here on Surpass. I used Auto-Return in preference to specifying the success return page in the posted form variables. Placing a test purchase through paypal with this scenario brought up the page I have here on Surpass, on only an http connection, without any warning from the browser.

Ok, so far so good. So with these good results in hand I decided to go back to specifying the return page after a successful purchase in the posted form variables instead of the Auto-Return facility of each paypal merchant account. I set up the form hidden input value to the same page here on Surpass that worked in the above experiment. No dice - returning to it after a purchase made the browser put up the warning messagebox.

From the logs, the only difference between the two GET requests from my browser for the page here on Surpass was in the url being requested for the page:

[no browser warning] ---> "GET /index.php HTTP/1.1"
[browser warning] ---> "GET /index.php?=Return+To+Merchant HTTP/1.1"

So, it seems using the two different methods that the paypal return code formats the url a bit differently and this causes the difference in behavior on the part of the browser?

Other site developers must have coped with this problem before and I'm hoping that someone here who has can provide some insight and solutions.
__________________
________________________________________
Server: Dev1
www.geoffshapirophotography.com
geoffs is offline  
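
An added example, not part of the original thread: the two request lines quoted in post #3, decoded with Python's standard library to show exactly what differs between them. The request lines are copied from the post; the log fields around them (address, timestamp, status, size) are constructed, and reading the decoded pair as a submitted form control is an assumption the thread does not confirm.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Request lines exactly as quoted in the post; the surrounding log fields
# (address, timestamp, status, size) are constructed for this example.
SAMPLE_LOG = '''\
192.0.2.10 - - [05/Feb/2006:11:02:13 -0500] "GET /index.php HTTP/1.1" 200 5120
192.0.2.10 - - [05/Feb/2006:11:19:47 -0500] "GET /index.php?=Return+To+Merchant HTTP/1.1" 200 5120
'''

# Matches the quoted request inside an access-log line.
REQUEST = re.compile(r'"([A-Z]+) (\S+) HTTP/[\d.]+"')


def parse_returns(log_text):
    """Yield (method, path, decoded query pairs) for each logged request."""
    for line in log_text.splitlines():
        match = REQUEST.search(line)
        if not match:
            continue  # skip lines that carry no request
        method, target = match.groups()
        parts = urlsplit(target)
        # Decode as form-urlencoded data: "+" becomes a space, and
        # keep_blank_values keeps pairs whose value is empty.
        pairs = parse_qsl(parts.query, keep_blank_values=True)
        yield method, parts.path, pairs


def classify(log_text):
    """Label each request by whether it arrived carrying query data."""
    results = []
    for _method, path, pairs in parse_returns(log_text):
        label = "carries data" if pairs else "plain navigation"
        results.append((path, label, pairs))
    return results


if __name__ == "__main__":
    for path, label, pairs in classify(SAMPLE_LOG):
        print(f"{path:12} {label:18} {pairs}")
```

The Auto-Return request decodes to no data at all, while the request that produced the warning decodes to a single pair with an empty name and the value "Return To Merchant".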