Reading PayPal developer documentation (and this is a lot of documentation) I'm not sure if IPN is mandatory or I can simply ignore it.
Of course, I must implement some other mechanism in order to know if the payment was correct. I thought of doing something like this:
Create a new payment (via web service) with a different code in both returnUrl and cancelUrl. These codes are generated randomly for every payment and stored in the DB.
When the user finishes the payment (OK or KO), PayPal will redirect its page to my site and I will be able to know if the code is correct.
If there is a problem (user closes window, response doesn't arrive, codes don't match...), it will be handled manually by looking at the transactions on the PayPal site.
Do you think this is OK?
Thanks.
No, I think that sounds awful.
The user could skip the payment step and simply edit together your required URL, then paste it into the browser address bar. That would give them free product.
You can use the PayPal SOAP APIs to verify the transaction once you receive the URL. You merely can't trust that URL blindly the second you receive it.
You'll need to be careful not to allow users to send you the URL of some other person's payment, and receive the product twice for that payment. (Once to the real payee, once to the fraudster...)
It's important that you verify that you were paid the correct amount. (Assuming you care that you were paid the correct amount.)
In general, when you interface with PayPal, whatever method you use, it is important that you understand software security and threat modelling. Otherwise, there is really only a small chance you will be secure from fraud.
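The checks listed in this answer, as an added example that is not part of the original post. It assumes a hypothetical `lookup_txn` callable that queries PayPal server to server and returns a normalised dict; the field names, status value and sample data are constructed for illustration and are not PayPal's response format.

```python
import hmac
from decimal import Decimal

class PaymentRejected(Exception):
    """Raised when a return from PayPal must not release the product."""

def fulfil_order(order, return_code, txn_id, lookup_txn, used_txn_ids):
    """Return True only if PayPal itself confirms this payment for this order.

    order: our DB row; return_code and txn_id: untrusted values from the URL;
    lookup_txn: hypothetical server-to-server query, returns a dict or None;
    used_txn_ids: transaction ids already redeemed (a DB table in practice).
    """
    # 1. The random code only ties the request to an order; it proves no payment.
    if not hmac.compare_digest(order["code"].encode(), return_code.encode()):
        raise PaymentRejected("unknown return code")
    # 2. Do not trust the URL: ask PayPal about the transaction ourselves.
    txn = lookup_txn(txn_id)
    if txn is None or txn["status"] != "Completed":
        raise PaymentRejected("payment not confirmed by PayPal")
    # 3. The payment must belong to this order, not to another customer's.
    if txn["order_id"] != order["id"]:
        raise PaymentRejected("transaction belongs to another order")
    # 4. The amount and currency must be what we asked for.
    if (Decimal(txn["amount"]) != Decimal(order["amount"])
            or txn["currency"] != order["currency"]):
        raise PaymentRejected("wrong amount or currency")
    # 5. One payment releases one product.
    if txn_id in used_txn_ids:
        raise PaymentRejected("transaction already redeemed")
    used_txn_ids.add(txn_id)
    return True

# Constructed sample data standing in for our DB and for PayPal's records.
ORDER = {"id": 7, "code": "c0ffee42", "amount": "10.00", "currency": "EUR"}
PAYPAL_LEDGER = {
    "TXN-1": {"status": "Completed", "order_id": 7, "amount": "10.00", "currency": "EUR"},
    "TXN-2": {"status": "Completed", "order_id": 8, "amount": "10.00", "currency": "EUR"},
    "TXN-3": {"status": "Completed", "order_id": 7, "amount": "1.00", "currency": "EUR"},
}

def fake_lookup(txn_id):
    """Stand-in for the real API query; returns None for unknown ids."""
    return PAYPAL_LEDGER.get(txn_id)

if __name__ == "__main__":
    print(fulfil_order(ORDER, "c0ffee42", "TXN-1", fake_lookup, set()))
```

In production the redeemed-transaction check and insert need to be a single atomic database operation, otherwise two simultaneous requests can both pass step 5.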