latest stable versions: v150827 (changelog)

Old Forums (READ-ONLY): The community now lives at WP Sharks™. If you have an s2Member® Pro question, please use our new Support System.

PayPal and Updating IPN Script


This topic contains 4 replies, has 4 voices. Last updated by Jason (Lead Developer) 4 years, 3 months ago.

Posted: Thursday Sep 13th, 2012 at 2:22 pm #25201

Hello,

I received an e-mail from PayPal, and I’m wondering if this affects S2M? Thanks!

ACTION REQUIRED
Dear xxxx xxxxxxxxx,

In a bulletin dated October 18, 2011, we announced that we were going to expand the number of IP addresses for http://www.paypal.com to improve our site’s performance, scalability and availability. As part of this transition, we planned to discontinue support for HTTP 1.0 protocol starting February 1, 2013.

We have recently identified that this change may impact the ability of some of our merchants to perform IPN (Instant Payment Notification) post-back validation or PDT (Payment Data Transfer) posts to http://www.paypal.com. This happens when the IPN or PDT scripts use HTTP 1.0 protocol and do not include the “Host: http://www.paypal.com” header in the HTTP request.

Additional Details
Starting February 1, 2013, we will require all incoming requests to have a “Host” header which complies with HTTP 1.1 Specifications. This header was not required under HTTP 1.0. IPN and PDT scripts using HTTP 1.0 may start failing with “HTTP/1.0 400 Bad Request” errors after February 1, 2013, which will result in IPN messages not being validated successfully, or PDT scripts not being able to retrieve transaction information.

Action Required before February 1, 2013
Merchants need to update their IPN and/or PDT scripts to use HTTP 1.1, and include the “Host” header in the IPN postback script.

Example:

ASP
// Set values for the request back
req.Method = "POST";
req.Host = "www.paypal.com";
req.ContentType = "application/x-www-form-urlencoded";

Perl
$req = HTTP::Request->new('POST', 'https://www.paypal.com/cgi-bin/webscr');
$req->content_type('application/x-www-form-urlencoded');
$req->header(Host => 'www.paypal.com');

PHP
// post back to PayPal system to validate
$header .= "POST /cgi-bin/webscr HTTP/1.1\r\n";
$header .= "Content-Type: application/x-www-form-urlencoded\r\n";
$header .= "Host: www.paypal.com\r\n";

Java
HttpsURLConnection uc = (HttpsURLConnection) u.openConnection();
uc.setDoOutput(true);
uc.setRequestProperty("Content-Type", "application/x-www-form-urlencoded");
uc.setRequestProperty("Host", "www.paypal.com");

The PayPal Sandbox has been configured to reject any HTTP requests without the “Host” header with HTTP 400 error. Merchants can use the Sandbox environment to certify the changes to their IPN and PDT scripts.

For more information on PDT and IPN, please refer to http://www.paypal.com/pdt and http://www.paypal.com/ipn. For additional information or questions about this change, please contact PayPal’s Merchant Technical Support team via https://www.paypal.com/mts.

Sincerely,

PayPal

List Of Topic Replies

Viewing 4 replies - 1 through 4 (of 4 total)
Posted: Thursday Sep 13th, 2012 at 11:56 pm #25241
Raam Dev
Username: Raam
Staff Member

Hi Andrea,

Thank you for checking on this. To my knowledge, s2Member already sends HTTP/1.1-compliant requests, however I’m going to send the lead developer a message to double-check.

Thank you for your patience.

Posted: Friday Sep 14th, 2012 at 2:37 am #25268
Bruce
Username: Bruce
Staff Member

Hi Andrea,

Thanks for pointing this out.

It appears that s2Member will be affected by this change, as the HTTP header is not sent within s2member/includes/classes/paypal-utilities.inc.php (specifically the method paypal_api_response() within this class). As is said within the information you posted:

Additional Details
Starting February 1, 2013, we will require all incoming requests to have a “Host” header which complies with HTTP 1.1 Specifications. This header was not required under HTTP 1.0. IPN and PDT scripts using HTTP 1.0 may start failing with “HTTP/1.0 400 Bad Request” errors after February 1, 2013, which will result in IPN messages not being validated successfully, or PDT scripts not being able to retrieve transaction information.

The HTTP header will need to be passed now to work with HTTP/1.1 specifications. Jason is aware of this and s2Member will be updated before February 1, 2013 to work with these changes.

I have also sent a message to Jason for clarification, if needed, and he may reply here with more information.

Thanks!

Posted: Friday Sep 14th, 2012 at 9:26 am #25296

Thank you for your replies!

Posted: Monday Sep 24th, 2012 at 8:39 pm #26377
Staff Member

Thanks for the heads up on this.

s2Member’s remote class method will be updated in the next maintenance release in preparation for this coming change on the PayPal side of things. The `httpversion` argument to wp_remote_request() will be forced to a version of `1.1` for all API calls that s2Member processes via the WP_Http class.
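
The change discussed in this thread, as an added example (not from the thread, and not s2Member's or PayPal's code): building the IPN post-back as an HTTP/1.1 request with the Host header, and reading the reply. `cmd=_notify-validate` and the `VERIFIED` reply are PayPal IPN protocol values; the function names and sample responses are constructed for illustration. Because HTTP/1.1 makes connections persistent and permits chunked bodies, the example also sends `Connection: close` and decodes chunked replies.

```php
<?php
// Added example; not s2Member or PayPal code. Sample responses are constructed.

/** Build the HTTP/1.1 post-back for an IPN message received as a raw POST body. */
function build_ipn_postback(string $rawIpnBody, string $host = 'www.paypal.com'): string
{
    // Echo the fields back unchanged, prefixed with the validate command.
    $body = 'cmd=_notify-validate&' . $rawIpnBody;
    return "POST /cgi-bin/webscr HTTP/1.1\r\n"
         . "Host: {$host}\r\n"                     // required by HTTP/1.1
         . "Content-Type: application/x-www-form-urlencoded\r\n"
         . 'Content-Length: ' . strlen($body) . "\r\n"
         . "Connection: close\r\n\r\n"              // 1.1 connections persist by default
         . $body;
}

/** Undo Transfer-Encoding: chunked, which an HTTP/1.1 server is allowed to use. */
function decode_chunked(string $body): string
{
    $out = '';
    while (preg_match('/^([0-9a-fA-F]+)[^\r\n]*\r\n/', $body, $m)) {
        $size = (int) hexdec($m[1]);
        if ($size === 0) {
            break;                                  // last chunk
        }
        $out .= substr($body, strlen($m[0]), $size);
        $body = (string) substr($body, strlen($m[0]) + $size + 2); // skip data + CRLF
    }
    return $out;
}

/** True only for a 200 response whose decoded body is exactly VERIFIED. */
function ipn_is_verified(string $response): bool
{
    [$head, $body] = array_pad(explode("\r\n\r\n", $response, 2), 2, '');
    if (!preg_match('#^HTTP/1\.[01] 200\b#', $head)) {
        return false;                               // e.g. 400 Bad Request
    }
    if (preg_match('/^Transfer-Encoding:\s*chunked\s*$/mi', $head)) {
        $body = decode_chunked($body);
    }
    return trim($body) === 'VERIFIED';
}

// Constructed responses: a chunked 200 and the 400 named in PayPal's notice.
$ok  = "HTTP/1.1 200 OK\r\nTransfer-Encoding: chunked\r\n\r\n8\r\nVERIFIED\r\n0\r\n\r\n";
$bad = "HTTP/1.0 400 Bad Request\r\nContent-Length: 0\r\n\r\n";
var_dump(ipn_is_verified($ok), ipn_is_verified($bad));
```

Send the request over a TLS connection with certificate verification left on, and treat a payment as confirmed only when `ipn_is_verified()` returns true.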
