New PayPal IPN requirements

PayPal has recently informed customers using PayPal standard that Instant Payment Notification may not work staring February 1, 2013. See explanation below. They have supplied the following PHP code as a remedy:

// post back to PayPal system to validate
$header .="POST /cgi-bin/webscr HTTP/1.1\r\n";
$header .="Content-Type: application/x-www-form-urlencoded\r\n";
$header .="Host: www.paypal.com\r\n";
$header .="Connection: close\r\n";

On what page would I paste this code and what code needs to be deleted?

Thank you,

David

We have recently identified that this change may impact the ability of some of our merchants to perform IPN (Instant Payment Notification) post-back validation or PDT (Payment Data Transfer) posts to www.paypal.com. This happens when the IPN or PDT scripts use HTTP 1.0 protocol and do not include the “Host: www.paypal.com” header in the HTTP request.

Additional Details
Starting February 1, 2013, we will require all incoming requests to have a “Host” header which complies with HTTP 1.1 specifications. This header was not required under HTTP 1.0. IPN and PDT scripts using HTTP 1.0 may start failing with “HTTP/1.1 400 Bad Request” errors after February 1, 2013, which will result in IPN messages not being validated successfully, or PDT scripts not being able to retrieve transaction information.

Action Required before February 1, 2013
Merchants need to update their IPN and/or PDT scripts to use HTTP 1.1, and include the "Host: www.paypal.com" and "Connection: close" HTTP headers in the IPN and PDT scripts.

For examples, please refer to 320404.

The PayPal Sandbox has been configured to reject any HTTP requests without the “Host” header with a HTTP 400 error. Merchants can use the Sandbox environment to certify the changes to their IPN and PDT scripts.

For more information on PDT and IPN, please refer to pdt and ipn. For additional information or questions about this change, please contact PayPal's Merchant Technical Support team via mts.

you will need to update the WA_eCart/WA_eCart_Definition_PHP.php file, and change:

$header = "POST /cgi-bin/webscr HTTP/1.0\r\n";

  $header .= "Content-Type: application/x-www-form-urlencoded\r\n";

to:

$header = "POST /cgi-bin/webscr HTTP/1.1\r\n";

  $header .= "Content-Type: application/x-www-form-urlencoded\r\n";

  $header .= "Host: www.paypal.com\r\n";

Thanks for the quick reply. This addressed the Paypal issue, but what about the USPS issue?

Thanks,

??? need more information.

Here is what they sent:

Web Tools Customer,

USPS will release updates to the Web Tools APIs on 28 July 2013. The staging environment is currently open for testing your updated applications. You may review staging information and the release notes at the USPS Web Tools site here for more details. https://www.usps.com/business/web-tools-apis/welcome.htm

If you rely upon a third-party developer (e.g. software or ecommerce/cart provider) for USPS products and services on your website or your shipping application, please direct any application-specific questions to them.

For questions and concerns, please contact our customer support at 1-800-344-7779 or uspstechsupport@esecurecare.net.

Regards,
Web Tools Program Office

I dont see anything in the message that will effect the rate lookup service used by eCart.

My client keeps sending me paypal's notices. Copied below. Since his powerstore has not seen any problems, can I assume that this didn't affect them or am I misunderstanding the dates?


In a bulletin dated October 18, 2011, we announced that we were going to expand the number of IP addresses for www.paypal.com to improve our site’s performance, scalability and availability. As part of this transition, we planned to discontinue support for HTTP 1.0 protocol starting October 7, 2013.

We have recently identified that this change may impact the ability of some of our merchants to perform IPN (Instant Payment Notification) post-back validation or PDT (Payment Data Transfer) posts to www.paypal.com and ipnpb.paypal.com. This happens when the IPN or PDT scripts use HTTP 1.0 protocol and do not include the “Host: www.paypal.com” or “Host: ipnpb.paypal.com” header in the HTTP request.

Additional Details
Starting October 7, 2013, we will require all incoming requests to have a “Host” header which complies with HTTP 1.1 Specifications. This header was not required under HTTP 1.0. IPN and PDT scripts using HTTP 1.0 may start failing with “HTTP/1.0 400 Bad Request” errors after October 7, 2013, which will result in IPN messages not being validated successfully, or PDT scripts not being able to retrieve transaction information.

Action Required before October 7, 2013
Merchants need to update their IPN and/or PDT scripts to use HTTP 1.1, and include the “Host” and “Connection: close” HTTP header in the IPN postback script.

Example with Host as www.paypal.com (please make necessary changes if you are using ipnpb.paypal.com):

ASP
//Set values for the request back
req.Method="POST";
req.Host="'www.paypal.com'";
req.ContentType="application/x-www-form-urlencoded";

Perl
$req=HTTP::Request->new('POST', ' https://www.paypal.com/cgi-bin/webscr%27) ;
$req->content_type('application/x-www-form-urlencoded');
$req->header(Host=> 'www.paypal.com');
$req->header(Connection => 'close');
PHP
// post back to PayPal system to validate
$header = "POST /cgi-bin/webscr HTTP/1.1rn";
$header .= "Content-Type: application/x-www-form-urlencodedrn";
$header .= "Host: www.paypal.comrn";
$header .= "Connection: closernrn";

Java
HttpsURLConnection uc=(HttpsURLConnection) u.openConnection();
uc.setDoOutput(true);
uc.setRequestProperty("Content-Type","application/x-www-form-urlencoded");
uc.setRequestProperty("Host", "www.paypal.com");
uc.setRequestProperty("Connection", "Close");

The PayPal Sandbox has been configured to reject any HTTP requests without the “Host” header with HTTP 400 error. Merchants can use the Sandbox environment to certify the changes to their IPN and PDT scripts.

For more information on PDT and IPN, please refer to http://www.paypal.com/pdt and http://www.paypal.com/ipn. For additional information or questions about this change, please contact PayPal's Merchant Technical Support team via https://www.paypal.com/mts.

Sincerely,

PayPal

This is only an issue for people using paypal standard and IPN, and it has already been addressed in eCart and the latest version of Powerstore doesn't support Paypal standard since Express Checkout only is available in its place.

This shouldn't be a concern for most customers. If you are using IPN and think this does apply to you, then you should just have to update the: WA_eCart/WA_eCart_Definition_PHP.php to the latest version and it will be fixed.

Thank you for the clarification.