cancel
Showing results for 
Search instead for 
Did you mean: 

Virtual Terminal not calculating the MD5 Hash the same as API calls

I'm having trouble figuring out how AuthNet calculates the MD5 hash for virtual terminal transactions - it appears to use a different formula.

 

In the trace output below I captured debug information on the silent post notifications for an API call and a virtual terminal silent post.   The API call hash matches my calculated hash.   The virtual terminal hash does not.

 

 (The api login id and hash value have been substituted with xxxxyyyy in this post for security)

Does anyone know how to calculate a hash that will match the hash in the silent post from the virtual terminal?


------------- API Transaction --------------------
+++ Wed, 31 Mar 2010 12:45:27 -0700 : 1270064727 : +++
TRACE:Payment Notification received.
+++ Wed, 31 Mar 2010 12:45:27 -0700 : 1270064727 : +++
TRACE:Post value:
+++ Wed, 31 Mar 2010 12:45:27 -0700 : 1270064727 : +++
TRACE:&x_response_code=1&x_response_subcode=1&x_response_reason_code=1&x_response_reason_text=This+transaction+has+been+approved.&x_auth_code=P08Qg7&x_avs_code=Y&x_trans_id=2152638885&x_invoice_num=&x_description=Payment&x_amount=1.45&x_method=CC&x_type=auth_capture&x_cust_id=&x_first_name=Tom&x_last_name=Brennan&x_company=&x_address=321+Oak+Drive&x_city=San+Antonio&x_state=TX&x_zip=78209&x_country=US&x_phone=&x_fax=&x_email=&x_ship_to_first_name=Tom&x_ship_to_last_name=Brennan&x_ship_to_company=&x_ship_to_address=321+Oak+Drive&x_ship_to_city=San+Antonio&x_ship_to_state=TX&x_ship_to_zip=78209&x_ship_to_country=US&x_tax=0.0000&x_duty=0.0000&x_freight=0.0000&x_tax_exempt=FALSE&x_po_num=&x_md5_hash=405C6D2E35C83263ECD2B8E1242200D4&x_cvv2_resp_code=P&x_cavv_response=2&x_test_request=false&paymentx_id=a008000000EQUcLAAX
+++ Wed, 31 Mar 2010 12:45:27 -0700 : 1270064727 : +++
TRACE:Hash Received:405C6D2E35C83263ECD2B8E1242200D4
+++ Wed, 31 Mar 2010 12:45:27 -0700 : 1270064727 : +++
TRACE:Transaction Id:2152638885
+++ Wed, 31 Mar 2010 12:45:27 -0700 : 1270064727 : +++
TRACE:Transaction Amount:1.45
+++ Wed, 31 Mar 2010 12:45:27 -0700 : 1270064727 : +++
TRACE:Pre-Hash String:xxxxyyyy21526388851.45
+++ Wed, 31 Mar 2010 12:45:27 -0700 : 1270064727 : +++
TRACE:Hash String Expected:405C6D2E35C83263ECD2B8E1242200D4
+++ Wed, 31 Mar 2010 13:00:01 -0700 : 1270065601 : +++

---------- Virtual Terminal Transaction ---------------------
TRACE:Payment Notification received.
+++ Wed, 31 Mar 2010 13:00:01 -0700 : 1270065601 : +++
TRACE:Post value:
+++ Wed, 31 Mar 2010 13:00:01 -0700 : 1270065601 : +++
TRACE:&x_response_code=1&x_response_subcode=1&x_response_reason_code=1&x_response_reason_text=This+transaction+has+been+approved.&x_auth_code=Qdkndb&x_avs_code=Y&x_trans_id=2152639014&x_invoice_num=123&x_description=Testing&x_amount=13.31&x_method=CC&x_type=auth_capture&x_cust_id=&x_first_name=Judy&x_last_name=Test&x_company=&x_address=123+Ash&x_city=Encinitas&x_state=CA&x_zip=92024&x_country=US&x_phone=760-555-1212&x_fax=&x_email=judy%40test.com&x_ship_to_first_name=Judy&x_ship_to_last_name=Test&x_ship_to_company=&x_ship_to_address=123+Ash&x_ship_to_city=Encinitas&x_ship_to_state=CA&x_ship_to_zip=92024&x_ship_to_country=US&x_tax=0.0000&x_duty=0.0000&x_freight=0.0000&x_tax_exempt=FALSE&x_po_num=&x_md5_hash=7DA75240BCFA58F7B002CD3456A4E72A&x_cavv_response=2&x_test_request=false&page=terminal&sub=send&paymentmethod=ChargeCC&txntype=AUTH_CAPTURE&echecktype=&x_copy_bill=1
+++ Wed, 31 Mar 2010 13:00:01 -0700 : 1270065601 : +++
TRACE:Hash Received:7DA75240BCFA58F7B002CD3456A4E72A
+++ Wed, 31 Mar 2010 13:00:01 -0700 : 1270065601 : +++
TRACE:Transaction Id:2152639014
+++ Wed, 31 Mar 2010 13:00:01 -0700 : 1270065601 : +++
TRACE:Transaction Amount:13.31
+++ Wed, 31 Mar 2010 13:00:01 -0700 : 1270065601 : +++
TRACE:Pre-Hash String:xxxxyyyy215263901413.31
+++ Wed, 31 Mar 2010 13:00:01 -0700 : 1270065601 : +++
TRACE:Hash String Expected:2F2F3C45E56FFF5DACBF504F7871493C

The code creating this output:

    trace('Hash Received:'.$_POST['x_MD5_Hash']);
    trace('Transaction Id:'.$_POST['x_trans_id']);
    trace('Transaction Amount:'.$_POST['x_amount']);
    $hashCalcString = $authnet_hash_value.$authnet_login_id.$_POST['x_trans_id'].$_POST['x_amount'];
    $hashCalculated = md5($hashCalcString);

    trace('Pre-Hash String:'.$hashCalcString);
    trace('Hash String Expected:'.strtoupper($hashCalculated));
    
    ....

-------------------------------------------------
Ron
Linvio, Inc.
Salesforce.com/Authnet Integration
linvio
Contributor
Contributor
5 REPLIES 5

Good Morning Ron,

 

Just wanted to let you know I'm looking into this issue. Will post my findings after performing a few tests.

 

Thanks~

soundcommerce
Trusted Contributor
Trusted Contributor

Have you found resolution on this issue yet please? I'm still investigating . . .

 

Thanks!

Ron,

 

If I may ask, what is the purpose of finding out how the virtual terminal generates/validates the md5hash? The md5hash feature is used as an additional security parameter for transactions originating outside the Authorize.Net network.

 

Authorize.Net  (itself) would not have to validate/verify it's own md5hash for virtual terminal transactions. Just need a big picture overview please?

 

Thanks!

soundcommerce
Trusted Contributor
Trusted Contributor

I ask, because the MD5 hash check that we're performing on silent posts is working for all payments except those processed throught the virtual terminal.

 

This being the case, it seems reasonable to assume that AuthNet is not calculating the value in the same way.

 

[ This particular issue languished in the AuthNet support queue for months before I simply gave up ... I could reproduce the issue, but couldn't get AuthNet to look at it ]

 

Cheers,

Ron

-------------------------------------------------
Ron
Linvio, Inc.
Salesforce.com/Authnet Integration

Did not want to resurect an old thread, but I have the exact same question.

 

I'm getting updates from the virtual terminal through a Response url, and the Md5 as presented in the $POST['x_MD5_Hash'] field is not computed in any of the described methods. I have asked authorize.net to clarify the way this is to be computed, but they just send you off to the forum.

 

I do need to know this so I can verify that what came posted is verified.

 

Thanks