Online checkout API: Is it possible to check the sender's IP when confirming a payment (IPN type) instead of checking the signature of the request?
Upon successful payment, the "online checkout" server itself usually sends an HTTP request to the confirmation address on the store's website (specified in the Personal Account or directly in the request), and the user is redirected to another URL that simply shows a message about the successful payment.
There is some risk that users will find this address and hack the system by confirming payments in the store while bypassing the acquiring "cash desk", perhaps even sharing this "loophole" with others.
Therefore, in that script, before inserting into the database (i.e. the actual confirmation), some kind of verification is highly desirable. The most correct options are:
1) checking the "signature" of the request (Tinkoff calls it a "token", etc.), assembled according to a certain algorithm from the available data;
2) checking the sender's IP: the real IPs of the "cash desk" servers are publicly available, in the API documentation.
But is it worth trusting that?
Have there been precedents of the IPs changing over time?
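The two checks from the question side by side, as an added example (not code from the question author or from any payment provider). The token scheme is an assumption modelled on the one the question refers to (all top-level scalar fields plus the secret "Password", sorted by key, values concatenated, SHA-256): the provider's own documentation is authoritative. The terminal key, password, order data and IP ranges are all constructed for this example.

```python
import hashlib
import hmac
import ipaddress

# Hypothetical terminal secret (what the question's provider calls "Password"); constructed.
TERMINAL_PASSWORD = "example-terminal-password"

# Hypothetical allowlist of the acquirer's notification sources, constructed for this
# example. A real list comes from the provider's documentation and can change over time,
# so it must be kept current and should not be the only check.
ACQUIRER_NETWORKS = [ipaddress.ip_network("198.51.100.0/24")]

# Hypothetical range of reverse proxies we control ourselves; constructed.
TRUSTED_PROXIES = [ipaddress.ip_network("10.0.0.0/8")]


def compute_token(params: dict, password: str) -> str:
    """Assumed token scheme: every top-level scalar field except Token, plus Password,
    sorted by key, values concatenated, SHA-256 hex. Check your provider's docs."""
    fields = {k: v for k, v in params.items()
              if k != "Token" and not isinstance(v, (dict, list))}
    fields["Password"] = password
    concatenated = "".join(str(fields[k]) for k in sorted(fields))
    return hashlib.sha256(concatenated.encode("utf-8")).hexdigest()


def token_is_valid(params: dict, password: str) -> bool:
    """Recompute the token and compare in constant time, so the comparison itself
    does not leak how many leading characters of a guess were right."""
    expected = compute_token(params, password)
    provided = str(params.get("Token", ""))
    return hmac.compare_digest(expected, provided)


def client_ip(peer_ip: str, xff_header: str = "", trusted_proxies=TRUSTED_PROXIES) -> str:
    """Only honour X-Forwarded-For when the TCP peer is a proxy we control; otherwise the
    header is attacker-supplied and an IP check based on it is trivial to bypass.
    Our proxy appends the real client address, so the last entry is the trustworthy one."""
    addr = ipaddress.ip_address(peer_ip)
    if xff_header and any(addr in net for net in trusted_proxies):
        return xff_header.split(",")[-1].strip()
    return peer_ip


def peer_ip_is_allowed(peer_ip: str, networks=ACQUIRER_NETWORKS) -> bool:
    """IP check against the address the server actually saw (after client_ip())."""
    addr = ipaddress.ip_address(peer_ip)
    return any(addr in net for net in networks)


def verify_notification(params: dict, peer_ip: str, xff_header: str = "",
                        password: str = TERMINAL_PASSWORD) -> dict:
    """Run both checks and report each separately. The token must pass; the IP result
    is a secondary signal, because a stale allowlist would reject genuine payments."""
    return {
        "token_ok": token_is_valid(params, password),
        "peer_ip_ok": peer_ip_is_allowed(client_ip(peer_ip, xff_header)),
    }


def sign_notification(params: dict, password: str = TERMINAL_PASSWORD) -> dict:
    """The acquirer's side: attach a Token computed with the shared secret."""
    signed = dict(params)
    signed["Token"] = compute_token(params, password)
    return signed


# Constructed sample notification, as the acquirer would send it.
GENUINE = sign_notification({
    "TerminalKey": "1234567890DEMO",
    "OrderId": "order-42",
    "Success": "true",
    "Status": "CONFIRMED",
    "PaymentId": 987654321,
    "Amount": 150000,
})

# Constructed forgery: the attacker found the callback URL and copied a genuine body,
# but without Password cannot re-sign it after changing the order.
FORGED = dict(GENUINE)
FORGED["OrderId"] = "order-43"


if __name__ == "__main__":
    print(verify_notification(GENUINE, "198.51.100.7"))      # both checks pass
    print(verify_notification(FORGED, "203.0.113.5"))        # token fails, IP fails
    # Acquirer moved to a range not on our list: the IP check rejects a real payment.
    print(verify_notification(GENUINE, "203.0.113.9"))       # token passes, IP fails
    # Spoofed X-Forwarded-For straight from the attacker's host is ignored.
    print(verify_notification(FORGED, "203.0.113.5", "198.51.100.7"))
```

The third case is the practical answer to the question's last two lines: a signature tied to a secret survives the provider changing its outbound addresses, an IP allowlist does not, and an IP check that reads `X-Forwarded-For` from an untrusted peer is no check at all.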