cancel
Showing results for 
Search instead for 
Did you mean: 

SIM design for handling relay response timeouts

I have previously implemented AIM (in a .Net environment) and used the following process on a web site:

1. User selects items into shopping cart
2. User requests checkout
3. User fills out credit card and billing/shipping information and submits
4. System sends WebRequest to Authorize.Net to charge credit card and gets response back
5. If response is successful
     system creates an order in the database
     system sends email to user with order information
   else
     system shows the error returned by Authorize.Net to the user
     user can choose to fix error and re-submit the order

 

Of particular note in this process is that an order is not created until the credit card is charged.  This prevents orders being created that are abandoned and never get charged.

 

I now have to implement SIM for a merchant and see the process needs to change. I plan on using the

relay reponse feature.   I have created a test application and undertand the technical requirements for this solution.  I have also reviewed the threads involving SIM and have not seen this question asked.

 

It seems the process has to create an order in the database prior to posting to the Authorize.Net

hosted payment form. 

 

If I wait to create an order until the relay response is received, and if the relay response times

out, the credit card would be charged in Authorize.Net but no order would exist in the merchant's

system.

 

The process I am considering is:

1. User selects items into shopping cart
2. User requests checkout
3. System creates an order in the database with a 'pending payment' status
4. System posts the html form to Authorize.Net and the Hosted Payment Form shows on Authorize.Net
5. User fills out credit card and billing/shipping data on hosted payment form and submits

6. If Authorize.Net validations pass
      Authorize.Net charges credit card
      Authorize.Net sends relay response to Merchant URL with success code
   else
      Authorize.Net sends relay response to Merchant URL with error code

 

7. If the relay response does not time out
      Merchant system relay response page processes response
      Successful transactions have order updated (status = 'paid') and emails sent to user
      Failed transactions show an error to the user and allow the user to re-submit
   else
      Merchant system relay response page is not executed and
        the order is left in 'pending payment' status
      Authorize.Net sends timeout email to Merchant contact
      Merchant contact researches transaction and goes into merchant system to
        update order to 'paid' via some custom developed utility.


I don't like this solution as it
(a) can potentially create 'pending payment' orders in the merchant system that never get paid if the

user chooses not to complete the credit card process on the Authorize.Net hosted payment form. These

'orphaned' orders will need to be deleted.
(b) requires merchant user interaction to recover from a paid transaction that times out on the relay

response

 

Does anyone have a process design for SIM that avoids these issues yet handles the relay response timeout problem?

 

Thank you in advance for your time reading this and offering suggestions.
     
   

pbloom
Member
8 REPLIES 8

As I see that no one responded to your post I am curious how you solved this problem. I am currently writing a solution where the order is not created in the database until the customer credit card is successfully debited and then silent post is my method of returning order data to my server.

pathfinder
Contributor

I have the same setup as you pbloom. We used to use AIM which gives you instant feedback and since you are the one making the call to the Auth.Net you know that the response is coming is valid.

 

I have an open question to the forum, which I hope gets answered soon. The question is how do we know that the relay response is actually coming from Auth.Net and not someone spoofing their callback. To me this seems like a huge security hole, but that might just be because I don't have the answer yet.

 

Anyway I think the setup you have is the best possible one. The reason we went with it was to deal with session timeouts from our application while the user was at the Auth.Net form.

SDeleon
Member

I have not implemented this verification in my script yet but I believe the verification for the transaction is in the form of x_MD5_Hash
The payment gateway generated MD5 hash value that can be used to authenticate the transaction response. (pg. 54 in the SIM_guide.pdf)

 

Also read this thread

 

http://community.developer.authorize.net/t5/Integration-and-Testing/Getting-Relay-Response-MD5-verif...

hey pathfinder,

 

I realized this was where my wires were getting crossed. I thought that the hash passed back on the relay response was the same as the one I had sent in the payment form request.

Ya, I crossed the same wires.  Let us know if you get x_MD5_Hash working for you and I am interested if the code in that thread works.

I was able to get the MD5 hash setup. I would have saved myself a day's worth of headaches if I had read the doc correctly.

Been there, done that.  Did you use the code from the thread above?  Of if not will you post your code?  Same me and others from the same headaches.

Hello pbloom,

 

I know this post is almost 4 years old but have you found a better work around for recovering from SIM relay response timeouts? I was thinking of implementing something similar but was hopping there would be a better approach.

 

Thanks,

 

niroshan
Member