
Why do I get an HTTP Error 403 (Forbidden) on Passback?

An HTTP 403 Forbidden error indicates that, due to the setup of your script and/or server, the viewer does not have permission to view this page. For the pass back to function, 2CO must be able to access the script and post the variables to it.

HTTP errors are not generated specifically by 2Checkout. They are a part of the HTTP protocol and are common amongst all web servers. It is therefore beyond the realm of 2Checkout’s support to provide you with specific instructions for making these changes as every server is set up differently and 2CO does not provide server administration services as part of our support plan.

To test and see if your file is working correctly:

  1. Open your web browser.
  2. Type in the full URL to your script or return page (including the http://www. part) and press enter.
  3. If you receive the message again, the problem is in your script and/or on your server. Note that the exact wording of the error message may vary slightly depending on your browser and your server. But if you see something about ‘forbidden’ or ‘error 403’ then the information above pertains to your situation.

Why do I get an HTTP Error 404 (File Not Found) on Passback?

An HTTP 404 File Not Found error indicates that the URL specified for your script is incorrect. For the pass back to function, 2CO must be able to locate and access the script and post the variables to it.

HTTP errors are not generated specifically by 2Checkout. They are a part of the HTTP protocol and are common amongst all web servers. It is therefore beyond the realm of 2Checkout’s support to provide you with specific instructions for making these changes as every server is set up differently and 2CO does not provide server administration services as part of our support plan.

To correct this issue, follow these steps:

  1. Login to your account.
  2. Under the ‘Helpful Links’ section, click on ‘Settings’ near the ‘Look and Feel’ section.
  3. Check the URL that is currently entered there and correct any mistakes that it may contain.
  4. Click ‘Save Changes’.

Why do I get an HTTP Error 500 (Internal Server Error) on Passback?

An HTTP Error 500 (Internal Server Error) indicates that there is a problem inside your script or the server’s configuration. This error is most likely caused by a typo in the code or an invalid or illegal use of a function within the script. For the pass back to function correctly, your script must be correctly set up.

HTTP errors are not generated specifically by 2Checkout. They are a part of the HTTP protocol and are common amongst all web servers. It is therefore beyond the realm of 2Checkout’s support to provide you with specific instructions for making these changes as every server is set up differently and 2CO does not provide server administration services as part of our support plan.

For assistance with debugging your scripts, we suggest that you contact your server’s administrator, webmaster, or hosting provider’s technical support staff. Due to the nature of this particular error, you may also be able to receive assistance from other suppliers of ours. The 500 error message is often due to a coding error in the script, so some of our other suppliers in our tech support forum may be able to help you find the mistake.

We have observed that this error is experienced in certain web browsers more than in others, in particular within Internet Explorer. If your return page or script does not output at least 530 characters, this can potentially cause a MIME header error. Mozilla based browsers such as Firefox seem to be able to handle these pages and will display either the real error or the small output when Internet Explorer has problems. Since this issue is an issue with the browser software itself, there is little 2Checkout can do to control this. If you are receiving this error, please try to increase the output that your return page generates to more than 530 characters or try a different web browser to see if you observe different results. Note that this is not a solution for all HTTP 500 error messages, but it is meant to be a useful step in debugging your script and has been reported as a successful step by some of our other suppliers.

Can I specify the return URL ‘on the fly’?

Yes, this is possible. You may pass in a parameter called x_receipt_link_url to control where the customer is returned to on a per-sale basis. Keep in mind that this parameter will over-ride any return URL set on the Look and Feel page of your account, but it will not over-ride any return URLs that are set up on the product itself if there are any. Using this method, you could create a special button or link that would return the customer to a different page on your site than is set up on the Look and Feel page. This is useful for ‘promotional’ type sites as you can avoid having to make any configuration changes to your actual account.

If you are using buttons on your site to sell your goods through 2Checkout, you would add a single line to the button such as this:

<input type="hidden" name="x_receipt_link_url" value="http://www.your-site.com/return.php">

This must go between the opening and closing FORM tag that you see when you view your existing code.

If you are using links to sell your goods through 2Checkout, then you would add this parameter to your links to specify the return url, such as this:

&x_receipt_link_url=http://www.your-site.com/return.php

Notice that in both of the above examples, the FULL path is used for the value of this parameter.

Important Note: For security reasons, the domain on your account and the domain that hosts the pass back page must match exactly for this to work correctly. For example, if you have http://www.your-site.com specified on your account, you could pass back to http://www.your-site.com/pages/pass.php but not to http://www.your-other-site.com/pages/pass.php.
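The domain rule above can be checked on your side before a link is published. This is an added example, not 2Checkout's own code: ACCOUNT_URL, the function name with_return_url and the purchase link passed to it are placeholders, and the value is URL-encoded because it is itself a URL carried inside a query string.

```php
<?php
// Added example: attach x_receipt_link_url to a purchase link only when the
// return page is on the domain registered on the account.
// ACCOUNT_URL is a placeholder for the URL specified on your account.

const ACCOUNT_URL = 'http://www.your-site.com';

/**
 * Returns $purchaseLink with x_receipt_link_url appended.
 * Throws when the return URL is not a full http(s) URL on the account domain.
 */
function with_return_url(string $purchaseLink, string $returnUrl): string
{
    $account = parse_url(ACCOUNT_URL);
    $return  = parse_url($returnUrl);

    // The FULL URL is required: scheme and host must both be present.
    if ($return === false || !isset($return['scheme'], $return['host'])) {
        throw new InvalidArgumentException('return URL must be a full URL');
    }
    if (!in_array(strtolower($return['scheme']), ['http', 'https'], true)) {
        throw new InvalidArgumentException('return URL must be http or https');
    }
    // Exact host match; host names are case-insensitive.
    if (strcasecmp($return['host'], $account['host']) !== 0) {
        throw new InvalidArgumentException('return URL is not on the account domain');
    }

    // Use '?' if the link has no query string yet, '&' otherwise.
    $sep = (strpos($purchaseLink, '?') === false) ? '?' : '&';
    return $purchaseLink . $sep . 'x_receipt_link_url=' . rawurlencode($returnUrl);
}

// Constructed sample: $link stands in for one of your existing purchase links.
$link = 'https://checkout.example/purchase?sid=1234567';
echo with_return_url($link, 'http://www.your-site.com/pages/pass.php'), "\n";

try {
    with_return_url($link, 'http://www.your-other-site.com/pages/pass.php');
} catch (InvalidArgumentException $e) {
    echo 'rejected: ', $e->getMessage(), "\n";
}
```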

Can someone steal my downloadable product/service by including the demo parameter?

The ability to include ‘demo=Y’ to return to the vendor defined approved URL without placing a valid order is not a security flaw or error; it is the intended usage of this parameter. It is included in the parameter set in order to allow for vendor testing, from the start of the order process (passing the parameters to 2Checkout’s purchase routine), to the end of the order process (returning to the Approved URL defined by the vendor).

It is true that if a vendor defines an approved URL that allows access to the downloadable product/service they are selling, and the vendor takes no further security precautions, someone could download the product/service by including the ‘demo=Y’ parameter.

The ability to control the demo parameter is available from inside the 2Checkout system. You can choose from the following 3 options inside of your 2Checkout account to control the use of the Demo parameter. Those choices are:

  • On: Using this setting all sales will be treated as demo, regardless of any parameter value.
  • Off: Using this setting all sales will be treated as live, regardless of any parameter value.
  • Parameter: Using this setting a demo parameter sent to the purchase routine will control the demo setting.

In the new Vendor Admin, this option is under “Account > Site Management”:

[Screenshot: disabling demo mode in the new VA]

In the Classic Sellers Area (V2), this option is under “Look and Feel”:

[Screenshot: disabling demo mode in V2]

It is not recommended to provide a downloadable product/service to a customer immediately after a sale completes by means of a return to the Approved URL. It is recommended to allow the fraud review process to complete before providing your customer with the product/service.

We realize that some vendors may not wish to wait for the fraud review process to complete before providing their customer with a downloadable product/service. For such vendors, the MD5 hash is provided to help verify the authenticity of a sale. We intentionally break the hash code that is passed back if the ‘demo=Y’ parameter is used. You can compare the value of the hash we pass back with the value of what the hash should be (this needs to be calculated on your end). This will allow you to determine whether or not to provide the customer with the downloadable product/service. It should be noted that when using this method to provide a downloadable product/service immediately, you do run the risk of having your product/service stolen by someone placing a fraudulent order with a stolen credit card.

For full details on using the MD5 hash please refer to the article How do I use the MD5 Hash?

If you choose to provide a downloadable product/service immediately after a sale using the Approved URL, and do not check the MD5 key which is passed to the Approved URL to verify the validity of the sale before providing a customer with a product, then you are accepting the risk that your product may be taken without being paid for by someone who includes the ‘demo=Y’ parameter.
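The hash comparison described above, as an added example that is not 2Checkout's own code: a PHP check for the Approved URL script that recomputes the key and withholds the download on any mismatch. The key formula (uppercase MD5 of secret word + seller ID + order number + total), the field names sid, order_number, total and key, and all sample values are assumptions that are not stated on this page; confirm them against the MD5 hash article.

```php
<?php
// Added example: verify a passback before releasing a download.
// ASSUMPTIONS (not stated on this page; check the MD5 hash article):
//   key = strtoupper(md5(secret word . seller ID . order number . total))
//   posted field names: sid, order_number, total, key

const SECRET_WORD = 'replace-with-your-secret-word'; // placeholder
const SELLER_ID   = '1234567';                        // constructed sample

/**
 * Returns true only when the posted key equals the key computed locally.
 * A demo=Y sale arrives with a deliberately broken key, so it fails here.
 */
function passback_is_authentic(array $post): bool
{
    foreach (['sid', 'order_number', 'total', 'key'] as $field) {
        if (!isset($post[$field]) || !is_string($post[$field])) {
            return false; // missing or array-valued field: reject
        }
    }
    if ($post['sid'] !== SELLER_ID) {
        return false; // passback addressed to a different account
    }
    $expected = strtoupper(md5(
        SECRET_WORD . SELLER_ID . $post['order_number'] . $post['total']
    ));
    // hash_equals() compares the two strings in constant time.
    return hash_equals($expected, strtoupper($post['key']));
}

// Constructed sample input standing in for $_POST on the Approved URL.
$live = ['sid' => SELLER_ID, 'order_number' => '4444444444', 'total' => '19.99'];
$live['key'] = strtoupper(md5(SECRET_WORD . SELLER_ID . '4444444444' . '19.99'));

// Constructed: a key computed over a different order number, standing in
// for the broken key that is passed back on a demo sale.
$demo = $live;
$demo['demo'] = 'Y';
$demo['key']  = strtoupper(md5(SECRET_WORD . SELLER_ID . '1' . '19.99'));

foreach (['live' => $live, 'demo' => $demo] as $label => $post) {
    $ok = passback_is_authentic($post);
    echo $label, ': ', $ok ? 'deliver download' : 'withhold download', "\n";
}
```

A matching key shows only that the passback was built with your secret word; it does not replace the fraud review described above.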
