This page provides a brief description of some of the principles and concepts behind the application which incorporates the PayPal IPN subscription system.
Instant Payment Notification (IPN) is the method that PayPal uses to automatically notify a defined web page when a PayPal payment has been made. For a complete description refer to the IPN Manual which you can find on the http://www.paypal.com/ipn site.
The principle that PayPal uses is as follows: you first create a PayPal button and place it on your web page, or create the buttons dynamically from a database. When someone clicks on your button, PayPal posts data to the web page you defined during IPN setup. Your web page must then respond back to the PayPal site.
After PayPal has confirmed the payment, it posts data back to your web page. If payment is correctly completed, PayPal sends 'completed' to your web page along with other data which your site can monitor. Once 'completed' has been received by your web page, you process the data in whatever way you want.
PHP-SecureArea takes the data from PayPal, carries out security checks to make sure the details are correct, then emails the purchaser a username / password, all without any intervention by yourself. The purchaser is then able to log in to the secure area for a time period defined for that purchase.
Purchasing of an item is controlled by the PayPal IPN system. Only when the confirmed message is received from PayPal will the application process the purchase. There are a number of checks within the application to prevent attempts to spoof a purchase. These include checking the purchased price and currency, and checking the PayPal transaction id to make sure that it has not been used before.
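The checks listed above can be sketched as follows. This is an added example, not PHP-SecureArea's own code: it assumes the message has already been confirmed by PayPal, uses PayPal's standard IPN variable names (which this page does not list), and the catalog array, the seen-transaction array and the use of item_number to identify the secure area are hypothetical.

```php
<?php
// Added example, not PHP-SecureArea's code. $catalog and $seenTxnIds are
// hypothetical stand-ins for the application's product and transaction tables.
function toCents(string $amount): ?int
{
    // Assumes two-decimal amounts such as "19.95"; anything else is rejected.
    if (!preg_match('/^(\d{1,7})\.(\d{2})$/', $amount, $m)) {
        return null;
    }
    return (int)$m[1] * 100 + (int)$m[2];
}

function checkIpn(array $ipn, array $catalog, array &$seenTxnIds): array
{
    // Treat every field as untrusted: only plain strings are accepted.
    $get = fn(string $k): string => is_string($ipn[$k] ?? null) ? $ipn[$k] : '';
    $errors = [];
    if (strcasecmp($get('payment_status'), 'Completed') !== 0) {
        $errors[] = 'payment not completed';
    }
    $item = $catalog[$get('item_number')] ?? null;
    if ($item === null) {
        $errors[] = 'unknown item';
    } else {
        // Compare against the stored price as integer cents, never a float.
        if (toCents($get('mc_gross')) !== $item['cents']) {
            $errors[] = 'price mismatch';
        }
        if ($get('mc_currency') !== $item['currency']) {
            $errors[] = 'currency mismatch';
        }
    }
    $txn = $get('txn_id');
    if ($txn === '' || isset($seenTxnIds[$txn])) {
        $errors[] = 'missing or reused transaction id';
    }
    if ($errors === []) {
        $seenTxnIds[$txn] = true; // in a database, enforce this with a unique key
    }
    return $errors;
}

// Constructed sample data: a valid message, a replay of it, and an underpayment.
$catalog = ['protected1' => ['cents' => 1995, 'currency' => 'USD']];
$good = ['payment_status' => 'Completed', 'item_number' => 'protected1',
         'mc_gross' => '19.95', 'mc_currency' => 'USD', 'txn_id' => 'TXN-EXAMPLE-1'];
$seen = [];
foreach ([$good, $good, ['mc_gross' => '0.01', 'txn_id' => 'TXN-EXAMPLE-2'] + $good] as $ipn) {
    echo json_encode(checkIpn($ipn, $catalog, $seen)), "\n";
}
```

An empty list means the message passed every check; the transaction id is recorded only in that case, so a rejected message cannot block the genuine one that follows it.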
You first set up the protected areas in the admin pages. When you create a secure area name called 'protected1' which points to the protected1 folder, the application modifies the htaccess file in the protected1 folder to point to an htpasswd file called htpasswd_1, where 1 is the alias record id. At the same time it creates an htpasswd file called htpasswd_1 in the htpasswd folder.
In fact there may be a number of htpasswd files, one for each secure area.
When a customer makes a purchase, the username is added to tblusers. At the same time the application modifies htpasswd_1 with the correct username:password.
The password is automatically created by the system using a random character generator. The purchaser will receive an email which contains their password.
As soon as the user has received the password, they may log into their secure area for the time duration as defined by the subscription.
The purchaser may also log into a customer area, where they can see their particular details, listing their subscriptions. They may also change their password.
After the subscription has finished, or the customer cancels the subscription, the username / password is removed from the htpasswd files, preventing the user from accessing that secure area.