According to the Google Checkout documentation:
To receive notifications and other callbacks from Google, you must do the following:
Specify an HTTPS callback URL secured by SSL v3 or TLS using a valid certificate from a major Certifying Authority.
Only accept messages that are authenticated by HTTP Basic Authentication, using your Merchant ID and Merchant Key as the username and password.
Additionally, we strongly recommend you validate (both syntactically and semantically) the messages that are sent to your callback URL before processing them.
We cannot support the Basic Authentication of the callback page, because you will not be able to create a Windows user using the Merchant ID and the Merchant Key as the password. The User Manager in the control panel has certain restrictions on the username and password format.
Therefore, the work around is as follows:
- Create a special folder for the callback page, and upload the callback page there.
- Create a support ticket to have our system administrators disable Basic Authentication on that folder only.
This workaround does remove a layer of security (basic authentication). However, your callback page should also programmatically check for the validity of the Merchant ID and Merchant Key that was passed in the HTTP header before processing the request.
If you run into problems when using these methods, please post in our
community forum.
Technical support is unable to assist with specific coding issues.
Article ID: 434, Created On: 1/2/2009, Modified: 4/13/2010