A listener on my website 'listens' for successful purchases made via Paypal. Data retrieved by the listener includes a post variable that I can set before initiating the purchase. This is possible with Paypal's IPN(Instant Payment Notification). I am trying to get the IPN to recognize the users account on my website upon purchase. Every account on my website has a unique user ID number.
I have tried passing the accounts unique ID through Paypal's "Custom" variable so the IPN can listen for that. Though I think this is a bad idea because then people can purchase things for another account if they passed their unique ID. Though this is a guaranteed purchase handler, hackers can take advantage of this with social engineering.
I see that some people instead pass the session_id with php, but this isn't safe because the listener would have no way of recognizing the user's website account if the session_id were to disappear. I also see that people will pass a cookie tied to the user's unique account. I don't think this is a good idea because the cookie could be cleared.
It is to my impression that I can not send a refund or cancel a purchase if the user's account could not be identified(Without doing it manually). What checkout flow should I do?
