PayPal, http/https, success return page

Well, after that cryptic thread subject I hope I can explain the problem I am having a bit better here!

I’m in the process of developing my site and I am going to be using PayPal to accept payments. I am using PayPal Website Payments Standard and having a problem that I do not find either satisfactorily answered/explained on the PayPal developer forums but I am hoping someone else here on SitePoint has seen this and found the answer for their own development.

Basically, I set up a Buy Now PayPal form, but one that is able to accept an aggregate of items. Sending multiple items with one Buy Now button is possible when you have a custom cart implementation that accumulates items which are then only sent to PayPal when a buyer is ready to checkout. In this situation I only use PayPal for their payment receiving capability and not their cart functionality.

My PayPal form specifies a return URL on payment success. While testing this out in the PayPal “sandbox” I find that the entire transaction proceeds without problems until the buyer presses the button to return to my site. At that point I get the ugly and annoying Security Warning dialog from the browser, with the usual message that information is being sent over an unencrypted connection and asking for the user to accept that. The dialog displays twice in my FF 1.07 browser with an acceptance required each time.

I cannot see a reason for why the transfer from the https page at PayPal to my non-https return page should cause the warning. There shouldn’t really be a reason why I would have to have SSL on my end since that is one of the major advantages of using PayPal - that I wouldn’t need SSL on my end.

Any insight into this problem would be greatly appreciated as I do not want to have to have SSL for my site for this seemingly unnecessary situation and I do not want to have my buyers have to see and respond to that dialog.

If it might help, here is the form code being used to interact with the sandbox…

<form action="" method="post">
<input type="hidden" name="cmd" value="_cart" />
<input type="hidden" name="upload" value="1" />
<input type="hidden" name="business" value="" />
<input type="hidden" name="return" value="http://localhost/buySuccess.php?type=paypal" />
<input type="hidden" name="cancel_return" value="http://localhost/viewCart.php" />
<input type="hidden" name="currency_code" value="USD" />
<input id="paypalCheckoutBtn" type="image" src="images/PayPalCheckout.gif" name="submit" alt="Buy now using paypal…" title="Buy now using paypal…" />

<input type="hidden" name="quantity_1" value="1" />
<input type="hidden" name="item_name_1" value="Item name" />
<input type="hidden" name="amount_1" value="30.00" />
<input type="hidden" name="on0_1" value="Description" />
<input type="hidden" name="os0_1" value="Item Description" />
</form>


Hmm, I think that’s a rule that when a secure site goes to another site without https it gives a warning. Maybe I’m wrong.

Anyways, you could always just get a $20/year SSL.

  • Tomer
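
The hand-off discussed in this thread, as an added example that is not part of the original posts: a Python check that parses a checkout form like the one in the question and lists the URL-valued fields that would take a buyer from an https page to a plain http one. The sample markup is constructed from the question's form, and the function and class names are hypothetical.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed sample, modelled on the form posted in the question.
SAMPLE_FORM = """
<form action="" method="post">
<input type="hidden" name="cmd" value="_cart" />
<input type="hidden" name="return" value="http://localhost/buySuccess.php?type=paypal" />
<input type="hidden" name="cancel_return" value="http://localhost/viewCart.php" />
<input type="hidden" name="currency_code" value="USD" />
<input type="hidden" name="amount_1" value="30.00" />
</form>
"""


class InputCollector(HTMLParser):
    """Collect name -> value for every named <input> in the markup."""

    def __init__(self):
        super().__init__()
        self.fields = {}

    def handle_starttag(self, tag, attrs):
        # Self-closing <input ... /> tags are routed here as well.
        if tag == "input":
            attr = dict(attrs)
            if attr.get("name"):
                self.fields[attr["name"]] = attr.get("value") or ""


def find_downgrades(form_html, source_scheme="https"):
    """Return [(field, url)] for absolute http URLs reached from a secure page.

    source_scheme is the scheme of the page that sends the buyer onward;
    the question states that the payment page is https.
    """
    parser = InputCollector()
    parser.feed(form_html)
    parser.close()
    hits = []
    for name, value in parser.fields.items():
        try:
            parts = urlsplit(value)
        except ValueError:  # malformed URL-like value, not a usable target
            continue
        if source_scheme == "https" and parts.scheme.lower() == "http" and parts.netloc:
            hits.append((name, value))
    return hits


if __name__ == "__main__":
    for field, url in find_downgrades(SAMPLE_FORM):
        print(f"{field}: https -> http hand-off to {url}")
```
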