Geek Life....

photography, programming, site design, networking, computers, linux, windows, mac os x, application reviews...

Dec

19

Has your work been affected by the recent Wikileaks fallout?

Wikileaks stumbled onto the world stage earlier this year with the release of thousands of internal cables belonging to the US Government.  Since then, the story has exploded full force into what could very well be mistaken for a new Tom Clancy novel.

Fallout from Julian Assange’s being taken into custody resulted in an Internet backlash and highly organized Distributed Denial of Service attacks against corporate entities which chose not to support Wikileaks.  As a result, Visa, Mastercard, and PayPal services were all affected.

Has your work been affected by this?

Last week we discovered a recent problem with a site I built by hand.  It is a full online catalog with a UPS shipping system and PayPal checkout system.  After receiving an email from a purchaser, the vendor passed it to the development team to try to discover what happened.

As it turns out, the web server logs show that the two users who were double-billed were:

  1. on the site during the same day
  2. both had tried to check out three or four times

Now, being a bit experienced in transaction-based systems, I developed the back end to expire the page immediately and revert to the home page after a successful sale.  This page records the successful PayPal result, writes the invoice in both HTML and PDF versions, and notifies the client and vendor of the transaction so that goods may be shipped.  This page was designed to ensure that it can only ever display once per successful transaction.

So what went wrong?

Well.  Turns out that these transactions took place December 5th.  On this day, PayPal was under considerable stress from the Wikileaks-related DDoS attack and thus the site was painfully slow.  There are two steps during the PayPal Express Checkout procedure which require the user to flip between the vendor site and the PayPal API system.  Two points of failure.  My code was designed to kill a session should a user try to refresh a page in such a position as to resend the transaction requests.  This should have killed any chance that a duplicate should ever take place, right?

Wrong.  The problem is that once I send confirmation to the PayPal API, they record the transaction on their side and they DO NOT confirm whether or not they were able to send back final confirmation to the vendor site.  This means that although the transaction took place, the vendor site sat waiting for a response so it could generate the invoice and finalize the sale, a response that never came in a timely manner, thus prompting the users to re-checkout after a few minutes.

Personally, I would have their API kill the transaction if their success code back to the vendor never reaches its destination… but that’s just me.  There really is no way to fix this from our side; however, I can add some bells that correlate calls to the API with return codes from the API so as to determine if they are ever odd.
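The correlation check described above, sketched as an added example (not code from the site in this post): it pairs each payment call with its response and flags calls that were never answered, answered late, or repeated for the same cart. The log format, the `cart_id` field, and the 30-second limit are assumptions; the log lines are constructed.

```python
from collections import defaultdict
from datetime import datetime, timedelta

COMMIT_OP = "DoExpressCheckoutPayment"  # Express Checkout call that commits the payment
TIMEOUT = timedelta(seconds=30)         # assumed limit for a "timely" response

# Constructed sample log, hypothetical format:
# timestamp kind request_id cart_id detail
SAMPLE_LOG = """\
2010-12-05T14:01:10 REQ r1 cart-17 DoExpressCheckoutPayment
2010-12-05T14:01:12 RESP r1 cart-17 Success
2010-12-05T14:05:00 REQ r2 cart-22 DoExpressCheckoutPayment
2010-12-05T14:09:30 REQ r3 cart-22 DoExpressCheckoutPayment
2010-12-05T14:09:33 RESP r3 cart-22 Success
2010-12-05T14:20:00 REQ r4 cart-31 DoExpressCheckoutPayment
2010-12-05T14:21:45 RESP r4 cart-31 Success
"""

def parse(log_text):
    """Yield (timestamp, kind, request_id, cart_id, detail) per non-empty line."""
    for line in log_text.splitlines():
        if line.strip():
            ts, kind, req_id, cart, detail = line.split(maxsplit=4)
            yield datetime.fromisoformat(ts), kind, req_id, cart, detail

def correlate(log_text, timeout=TIMEOUT):
    """Match payment calls to responses and report the odd ones."""
    requests, responses = {}, {}
    for ts, kind, req_id, cart, detail in parse(log_text):
        if kind == "REQ" and detail == COMMIT_OP:
            requests[req_id] = (ts, cart)
        elif kind == "RESP":
            responses[req_id] = ts
    unanswered, late, per_cart = [], [], defaultdict(list)
    for req_id, (sent, cart) in requests.items():
        per_cart[cart].append(req_id)
        if req_id not in responses:
            unanswered.append(req_id)       # the gateway may still have charged
        elif responses[req_id] - sent > timeout:
            late.append(req_id)             # the user may have given up and retried
    odd = set(unanswered) | set(late)
    # Several payment calls for one cart, at least one of them odd: review for a double charge.
    suspects = sorted(c for c, ids in per_cart.items()
                      if len(ids) > 1 and odd.intersection(ids))
    return {"unanswered": unanswered, "late": late, "possible_double_charge": suspects}

if __name__ == "__main__":
    print(correlate(SAMPLE_LOG))
```

Flagged carts are candidates for manual reconciliation against the payment provider's own transaction history before any goods ship or refunds are issued.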


Oct

17

Evil Google and Bad Programming.

Okay, so this post isn’t exactly about Google being Evil as much as it is about bad programming habits.  This is about how a programming error led to Google’s automated systems being a little mischievous.

A couple of weeks ago I was asked to look into a problem where a site’s database would empty every so often.  The products and news would have to be re-entered.  This problem brought to light several items that I thought were noteworthy for a post.


Jun

13

Browser Compatibility. It’s a sorry state of affairs.

Browser Compatibility.  Or Not.

Browser Compatibility has come a long way in the past couple of years.  That being said, we still find web developers hacking site code to produce acceptably similar results across the playing field.

Recently, most browsers are starting to really kick into high gear with the all-new HTML5 and CSS3 support.  This is a good thing.  What isn’t so cool though is that once again, Internet Explorer and Microsoft in general have thrown a monkey wrench into what should have been next year’s end to cross-browser compatibility woes.
