Signature Verification

It is strongly recommended to use a signature mechanism to verify the contents of a request or redirection made to your servers. This prevents customers from tampering with the data in the data exchanges between your servers and our payment system.

A unique signature is sent each time HiPay contacts any merchant’s URL, notification or redirection.

Setup

First of all, you need to set a secret passphrase in your HiPay Enterprise back office under “Integration -> Security Settings -> Secret Passphrase”.

Secret passphrase: The secret passphrase is used to generate a unique character string (signature) hashed with SHA algorithm. The security level of the password depends on its length. A long password is more secure.

Verification

Notification URL: For the notification URL, the signature is sent on the HTTP header under the HTTP_X_ALLOPASS_SIGNATURE parameter. To check this point, you just need to concatenate the passphrase with the POST content of the query. 

Algorithm: SHA signature = SHA1(Raw POST Data + Secret Passphrase)

Redirection URL: For each redirection page (accept page, decline page, etc.), the signature is sent under the “hash” parameter. To check this point, you must concatenate the parameters, the values of each of them and the passphrase under the following conditions: 

      1. The parameter must be predefined, 
      2. The value can’t be empty, 
      3. The parameter must be sorted in alphabetical order.

Please note: you must remove any personal parameter from the query to only include the HiPay parameters.

Algorithm:

    • a. paramC = val3
    • paramA = val1
    • paramB = val2
    • SHA signature = SHA1(paramAval1<passphrase>paramBval2<passphrase>paramCval3<passphrase>)
      $secretPassphrase = 'mypassphrase';
       //Secret Passphrase
       $string2compute = '';
 
       if (isset($_GET['hash'])) {
           // If it is a redirection
           $signature = $_GET['hash'];
           $parameters = $_GET;
           unset($parameters['hash']);
           ksort($parameters);
           foreach ($parameters as $name => $value) {
               if (strlen($value)>0) {
                       $string2compute .= $name . $value . $secretPassphrase;
               }
           }
       }
       else {
           // If it is a notification
           $signature = $_SERVER['HTTP_X_ALLOPASS_SIGNATURE'];
           $string2compute = file_get_contents("php://input"). $secretPassphrase;
       }
       $computedSignature = sha1($string2compute);
 
       // true if OK, false if not
       if ($computedSignature == $signature) {
           $message = 'OK';
       }
       else {
           $message = 'KO';       
       }