This option is enabled by checking "Validate Relay Response HTML" in the "Relay Response" tab of the Administration console.
If enabled, E-xact performs an extra validation of the relay response passed back by the merchant server. In order to pass this validation, the merchant server must calculate an HMAC-MD5 digest of the response content and include the digest as part of the response header.
To calculate this HMAC-MD5 digest, the merchant server should use:
- key - the Transaction Key from the payment page configuration
- message - the HTML content to be returned for the relay response
To include this digest in the relay response, the merchant server should:
- add an HTTP header field called 'Signature'
- set the field value to be a concatenation of the x_login value of the payment page and the digest, separated by a colon
For example, using the values in the table below:
Field | Value |
x_login | WSP-GOODS-70 |
Transaction Key | AL81Li7D4laXYDtpfgO_lInQ |
relay response HTML content | <html><head></head><body>hello from merchant server</body></html> |
The following snippets show the digest calculation in a few languages:
Ruby
require 'openssl'
# Arguments: digest algorithm, key (Transaction Key), message (relay response HTML)
OpenSSL::HMAC.hexdigest(OpenSSL::Digest.new('md5'), 'AL81Li7D4laXYDtpfgO_lInQ', '<html><head></head><body>hello from merchant server</body></html>')
Python
import hmac
import hashlib
# In Python 3 the key and the message must both be bytes
h = hmac.new(b'AL81Li7D4laXYDtpfgO_lInQ', b'<html><head></head><body>hello from merchant server</body></html>', hashlib.md5)
h.hexdigest()
PHP
hash_hmac('md5','<html><head></head><body>hello from merchant server</body></html>', 'AL81Li7D4laXYDtpfgO_lInQ');
The resulting HMAC-MD5 digest would be
1ba55452cc7e799324c69af2b675346b
and the Signature header for the response would look like:
Signature: WSP-GOODS-70:1ba55452cc7e799324c69af2b675346b