Hello,
I am trying to confirm a payment via a success url that the gateway redirects to, and as such I don’t want the url path to remain constant in order to prevent the user typing it into the address bar. How would I generate a new path each time? If this is not possible, how can I verify that the user has indeed made the payment and not just entered the url into the address bar?
I am using https://payu.in/payment-solutions/payment-buttons for payments. The payment button can accept a success url as a parameter to redirect the user to after a successful transaction.
I don’t know what the “best” way to do this would be, but if I had to implement something like this, what I would do is generate something like a GUID upon the completion of a payment, and store that GUID somewhere.
My path might then be something like payment/confirmation/<str:guid>/, accepting the guid as a parameter in the view. The view can then verify the guid to the order being placed, confirmed, referenced, whatever.
Not sure if you’ve gone through the link I sent about the payment button @KenWhitesell, the main problem for me is that the payment happens outside my website, and all that happens with regards to my site upon a successful transaction is a redirect to a previously specified URL, so I’m not really sure how creating a GUID upon going to that URL would help, since once more the user can simply type it into the address bar.
You wrote:
So, when the user is making the order on your site, you generate a new GUID. You then pass the url + GUID as the success URL parameter. On the server side, you should be receiving something from the payment processor saying that the transaction was successful.
As a side note, if there’s a url of any kind being sent to the user’s page, you have absolutely no way to prevent them from finding that URL and entering it into the address bar. That means that logically, you must be receiving something from that processor directly allowing you to verify that the transaction was successful. That means that it’s up to you to check whether or not any particular user is allowed to visit that url.
All I receive on this front is an email.
By success URL, I meant a URL that the gateway redirects the user to after coming from the payment gateway’s domain.
If the payment processor’s only contact to you regarding a successful transaction is via email, that’s a payment processor that I would run away from, very, very fast.
Both payment processors I’ve worked with in the past give you an API that you can call to verify the status of any specific transaction. There is no way I would trust my business to any organization that doesn’t do at least that much.
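The approach described in the posts above (a GUID generated when the order is created, then a server-side status check when the success URL is hit), as an added framework-agnostic Python sketch that is not part of the original thread or the gateway's own code. `OrderStore`, `success_url`, `confirm`, the `shop.example` host and the `verify_with_processor` callable are assumptions standing in for a database table, a Django view and the processor's transaction-status API.

```python
import uuid
from dataclasses import dataclass

@dataclass
class Order:
    order_id: int
    user_id: int
    guid: str          # random per-order token used in the success URL
    paid: bool = False

class OrderStore:
    """In-memory stand-in for the orders table (constructed for this example)."""
    def __init__(self):
        self._by_guid = {}

    def create(self, user_id):
        # uuid4 is random, so the confirmation path differs for every order
        order = Order(len(self._by_guid) + 1, user_id, uuid.uuid4().hex)
        self._by_guid[order.guid] = order
        return order

    def get(self, guid):
        return self._by_guid.get(guid)

def success_url(order, base="https://shop.example/payment/confirmation/"):
    # Value handed to the gateway as the success URL when the order is created
    return f"{base}{order.guid}/"

def confirm(store, guid, session_user_id, verify_with_processor):
    """Decision logic for the view behind payment/confirmation/<str:guid>/.

    verify_with_processor(order) -> bool is a hypothetical callable that asks the
    processor's API for the transaction status; the GUID alone proves nothing.
    """
    order = store.get(guid)
    if order is None:
        return "not_found"
    if order.user_id != session_user_id:
        return "forbidden"          # GUID belongs to someone else's order
    if order.paid:
        return "already_confirmed"  # revisiting the URL must not re-fulfil
    if not verify_with_processor(order):
        return "unpaid"             # URL typed in, or payment not completed
    order.paid = True
    return "confirmed"
```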
The actual developer API does indeed have that. The issue is their Django payment API is very old, and no longer supported, and that’s why I had to turn to using these ‘payment buttons’ which require just a line of HTML, and no server side code. This gateway is ideal for me due to the options it supports for payments.
Ok, that’s a different issue then.
If they’re using any kind of standard web service interface for their API (XML or JSON), it’s probably not all that difficult to reimplement it yourself. You could probably use their API as a starting point and build it from there.
(Or, if you really wanted to go a different route, you could write a Django module to monitor an email inbox and process the responses you get. That’s always fun…)
This is something I have actually considered @KenWhitesell, and was on the verge of implementing, but the main issue with this is that if two people pay me at the exact same time, I will have to ask them to re-enter the number entered on the citrus pay page after coming back to my site (not a great idea).