Extra server verification by using IP checking
alanburke - February 2, 2009 - 12:57
| Project: | UC Worldpay |
| Version: | 6.x-1.x-dev |
| Component: | Code |
| Category: | feature request |
| Priority: | normal |
| Assigned: | Unassigned |
| Status: | active |
Description
Hi
I have a Worldpay installation using the Ecommerce package, with the Worldpay module.
Part of the code for checking the response from Worldpay involves checking the IP address to ensure it comes from a Worldpay server [and that it isn't being spoofed].
Perhaps something like that would be useful here too.
<?php
// Run a reverse DNS lookup on the IP address the callback is coming from and verify it is from Worldpay.
$ip = $_SERVER['REMOTE_ADDR'];
$fullhost = gethostbyaddr($ip);
// Replace the first label (everything up to and including the first dot) with '*.',
// so that e.g. 'abc.worldpay.com' becomes '*.worldpay.com'. The dot must be escaped in the regex.
$host = preg_replace('/^[^.]+\./', '*.', $fullhost);
if ($host == '*.worldpay.com') {
  // Callback came from a Worldpay host; process the response here.
}
?>
I don't think Worldpay supports shared secrets or similar, so this would at least be an improvement.
I can roll a patch if this is a desired addition.
Regards
Alan

#1
Hi alanburke,
Thanks for your interest in uc_worldpay. I'm really busy right now but I'd be delighted if you would agree to become co-maintainer of this module. You seem to know what you are talking about and I just don't have the time right now to dig into this.
This is my TODO for this module:
- Back button on review order page doesn't work
- Selection of cards for display in checkout is purely superficial
- Difference between Shopper Response Enabled and not. Seems like the cancelled (and possibly the authorised) status is dealt with by Worldpay when it's disabled.
- When user cancels the order they get an email with the invoice and the order goes into Pending state
- Add MD5 authentication (needs SSL)
- Add IP checking
- Add other security features supported by Worldpay
#2
Hi, don't know whether this is helpful or not, but Worldpay provides the option of setting up a Payment Response password that sounds a bit like a shared secret: http://www.rbsworldpay.com/support/kb/bg/customisingadvanced/custa6012.html
I've got it working in my setup and could produce a patch if anyone was interested in incorporating into the next release?
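An added example (not code from uc_worldpay or from either poster) that combines the two ideas in this thread: the reverse-DNS check from the original post, tightened so the PTR name must also resolve back to the calling address (forward-confirmed reverse DNS), and the Payment Response password from #2 compared in constant time. The POST field name `callbackPW`, the stub resolvers and the addresses are assumptions or constructed data so the script runs without network access.

```php
<?php
// Added example, not uc_worldpay code. Two checks on a payment-response callback:
//  1. Forward-confirmed reverse DNS: the PTR name for the caller must be under
//     worldpay.com AND must resolve back to the caller's address. A bare reverse
//     lookup is weaker: whoever controls the reverse zone for an address can
//     publish any PTR name they like.
//  2. The Payment Response password (post #2), compared in constant time. The
//     POST field name 'callbackPW' is an assumption; check the gateway docs.

function is_worldpay_host(string $ip, callable $reverse, callable $forward): bool {
  $fullhost = $reverse($ip);                // gethostbyaddr() in production
  if ($fullhost === false || $fullhost === $ip) {
    return false;                           // no PTR record
  }
  if (!preg_match('/\.worldpay\.com$/i', $fullhost)) {
    return false;                           // not a worldpay.com name
  }
  $addrs = $forward($fullhost);             // gethostbynamel() in production
  return is_array($addrs) && in_array($ip, $addrs, true);
}

function verify_callback(array $server, array $post, string $expected_pw,
                         ?callable $reverse = null, ?callable $forward = null): bool {
  $reverse = $reverse ?? 'gethostbyaddr';
  $forward = $forward ?? 'gethostbynamel';
  $ip = $server['REMOTE_ADDR'] ?? '';
  if ($ip === '' || !is_worldpay_host($ip, $reverse, $forward)) {
    return false;
  }
  $pw = (string) ($post['callbackPW'] ?? '');
  return $expected_pw !== '' && hash_equals($expected_pw, $pw);
}

// Constructed stub resolvers (documentation-range addresses, not real Worldpay
// hosts) so the example runs offline.
$ptr = ['198.51.100.10' => 'gw1.worldpay.com', '203.0.113.5' => 'gw1.worldpay.com'];
$fwd = ['gw1.worldpay.com' => ['198.51.100.10']];
$reverse = fn(string $ip) => $ptr[$ip] ?? false;
$forward = fn(string $host) => $fwd[$host] ?? false;
$secret = 'example-response-password';

// Genuine host, correct password: accepted.
var_dump(verify_callback(['REMOTE_ADDR' => '198.51.100.10'], ['callbackPW' => $secret], $secret, $reverse, $forward));
// 203.0.113.5 carries a worldpay.com PTR name, but that name resolves elsewhere: rejected.
var_dump(verify_callback(['REMOTE_ADDR' => '203.0.113.5'], ['callbackPW' => $secret], $secret, $reverse, $forward));
// Genuine host, wrong password: rejected.
var_dump(verify_callback(['REMOTE_ADDR' => '198.51.100.10'], ['callbackPW' => 'wrong'], $secret, $reverse, $forward));
```

In a real deployment the stub resolvers are dropped and the defaults (`gethostbyaddr`, `gethostbynamel`) are used; the DNS check should be treated as a second factor alongside the password, not a replacement for it.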