Emil Borconi

Reputation: 3467

PayPal REST API cancel URL called after payment executed

I have a strange problem I'm trying to figure out.

I'm using PHP and REST API.

This is the scenario:

1) Users press the checkout button

2) Payment is approved

3) Payment is executed

4) User is redirected to the completed purchase page

5) A few seconds later, the Cancel URL of the transaction is called (like when the user clicks on the Cancel and return to merchant button, instead of approving the payment).

Out of about 100 transactions I had 3 which manifested this way. On all 3 the payment was actually made, and the funds were available. I have checked the server access log files and 2 of them were using iOS 9.3.1 and one was on iOS 9.2.1. How is this possible?

My guess is that they somehow hit the back button and then the cancel button. Can this be the case?

My cancel URL contains a script which sets the order status to canceled. Should I adjust the script to only set the status to canceled if the order wasn't previously executed?

Can anybody still cancel the payment AFTER I have executed the payment?

Upvotes: 4

Views: 1360

Answers (3)

Troy

Reputation: 1639

This is an old question but having built a PayPal integration myself I thought I'd add some info about why it happens.

If the user ends up on your "return" page after completing their payment and hits the back button, they'll get a PayPal page like this:

Your payment was completed. To continue shopping, please return to the merchant. (Return to merchant button)

If they click "Return to merchant", they'll be sent to your /cancel URL. So if you get one of these and the payment has already gone through, you can show them the payment confirmation page.

Upvotes: 1
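The guard the question asks about, combined with the behaviour this answer describes, as an added example (not code from any of the posters). The `orders` table, its `status` values and the function name `handleCancelReturn` are assumptions, and the in-memory SQLite rows are constructed sample data.

```php
<?php
declare(strict_types=1);

// Constructed schema and sample rows; table and column names are assumptions.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec("CREATE TABLE orders (id INTEGER PRIMARY KEY, status TEXT NOT NULL)");
$db->exec("INSERT INTO orders (id, status) VALUES (1, 'pending'), (2, 'executed')");

/**
 * Handle a hit on the cancel URL for one order.
 * Returns the page to show: 'canceled', 'confirmation' or 'not_found'.
 */
function handleCancelReturn(PDO $db, int $orderId): string
{
    // Conditional update: only a still-pending order may become canceled.
    // Keeping the check in the WHERE clause makes it atomic, so a late
    // cancel hit can never overwrite an order that is already 'executed'.
    $stmt = $db->prepare(
        "UPDATE orders SET status = 'canceled' WHERE id = :id AND status = 'pending'"
    );
    $stmt->execute([':id' => $orderId]);
    if ($stmt->rowCount() === 1) {
        return 'canceled';
    }

    // Nothing changed: look up the current state to pick the right page.
    $stmt = $db->prepare("SELECT status FROM orders WHERE id = :id");
    $stmt->execute([':id' => $orderId]);
    $status = $stmt->fetchColumn();

    if ($status === false) {
        return 'not_found';
    }
    // Already paid (back button, then "Return to merchant"): show the receipt.
    return $status === 'executed' ? 'confirmation' : 'canceled';
}

// Pending order, executed order, repeated cancel, unknown order id.
foreach ([1, 2, 1, 99] as $id) {
    echo $id, ' => ', handleCancelReturn($db, $id), PHP_EOL;
}
```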

Rama Kathare

Reputation: 930

Your issue seems to be similar to the question posted here.

From user2090027's response, which was marked as the answer:

"We can overcome this by checking/maintaining the no. of responses which we get after the payments are made on PayPal.

We can maintain this using cookies on client end or on server using sessions or something else similar."

Hope this helps.

Upvotes: 1

Gianluca Ghettini

Reputation: 11628

I think you should "trust" the IPN message sent by PayPal rather than the ok/cancel return URL.

https://developer.paypal.com/docs/classic/ipn/integration-guide/IPNIntro/

The ok/cancel URL should only be used to display the information to the user.

Let PayPal know your IPN endpoint (the script which will receive the IPN GET/POST message). Once your script gets called, update the database accordingly.

Doing it this way, the user would not be able to screw up the transaction; you are guaranteed to receive 1 IPN message, either a "transaction ok" or a "transaction error" message.

Upvotes: 2
