Consider the scenario: on an e-commerce website, for some reason, some users failed to complete their order after filling in all the information necessary (“only” the payment is missing).
In order not to lose their custom, the website wants to send to each of these users a reminder e-mail within 24 hours, with a summary of their order and a PayPal link that will allow them to complete the transaction.
- how could this link be constructed?
- what gotchas could there be?
- how would this link be processed?
A plain e-mail is not the securest place, so I’d advise against just placing in it:
- a PayPal link
- full order details
But what you can do is to store all information about the session and retrieve it through a “simple link” to your secure application, which could then generate a new PayPal transaction page:
You’d need to require user login after clicking on the link. Even if the transaction itself would not be at risk (independent payment is required), the link itself would expose the transaction content; think medicine or other sensitive or confidential purchase. For the same reason you don’t want to put these details in the mail, you don’t want them to be accessible just by clicking.
Then, you’d create a valid session from the login, and that would give access to account information, order history and so on. By adding the information from the ENCRYPTED_ID, you could inject into the session all the information from the “frozen” purchase session.
Now you have everything needed to re-create a quick-order page, with a PayPal link.
Last, you should provide for link invalidation after a preset time and after transaction completion as well, in case the user (or someone else) clicks again on the same link.
Possible workflow
- If the payment gets through, you delete the frozen session.
- Every hour (say), you check if there are outstanding frozen sessions older than 48 hours. These are expired and you delete them.
- If there are other sessions older than 24 hours, but newer than 48, that have no “Sent mail!” flag, you send the e-mail with a link to that session, and set the flag.
- On receiving a click on that link, you request a login (and remind the user that if the link is older than 24 hours, it’s not going to work).
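As an added example (not code from the question or the answer), a minimal Python sketch of the workflow above: the frozen purchase session stays server-side, the e-mail link carries only an HMAC-signed, time-limited reference (used here in place of the ENCRYPTED_ID), the click handler releases the cart only to the logged-in owner, and an hourly sweep applies the 24/48-hour rules. The signing key, the in-memory store and all function names are assumptions made for the example.

```python
import hashlib, hmac, secrets

HOUR = 3600
SECRET = secrets.token_bytes(32)  # server-side signing key (constructed); never leaves the server
SESSIONS: dict[str, dict] = {}    # stands in for the application's secure store of frozen sessions

def freeze(user_id: str, cart: dict, now: float) -> str:
    """Called when a user stops before paying; keeps the order server-side under a random id."""
    sid = secrets.token_urlsafe(16)  # unguessable, so the link cannot be enumerated
    SESSIONS[sid] = {"user": user_id, "cart": cart, "created": now, "mail_sent": False}
    return sid

def complete_payment(sid: str) -> None:
    SESSIONS.pop(sid, None)  # payment went through: the frozen session is deleted

def make_token(sid: str, issued: int) -> str:
    tag = hmac.new(SECRET, f"{sid}:{issued}".encode(), hashlib.sha256).hexdigest()
    return f"{sid}.{issued}.{tag}"  # the e-mail link carries only this opaque, signed reference

def sweep(now: float) -> list[tuple[str, str]]:
    """Hourly job: delete sessions older than 48h, mail 24-48h ones once. Returns (user, token) pairs."""
    to_mail = []
    for sid, fs in list(SESSIONS.items()):
        age = now - fs["created"]
        if age > 48 * HOUR:
            del SESSIONS[sid]
        elif age > 24 * HOUR and not fs["mail_sent"]:
            fs["mail_sent"] = True  # the "Sent mail!" flag
            to_mail.append((fs["user"], make_token(sid, int(now))))
    return to_mail

def resume(token: str, logged_in_user: str, now: float):
    """Click handler, run only after login. Returns the frozen cart, or None if the link is refused."""
    parts = token.split(".")
    if not token.isascii() or len(parts) != 3 or not parts[1].isdigit():
        return None
    sid, issued, tag = parts[0], int(parts[1]), parts[2]
    good = hmac.new(SECRET, f"{sid}:{issued}".encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(tag, good) or now - issued > 24 * HOUR:
        return None  # forged or tampered link, or older than 24 hours
    fs = SESSIONS.get(sid)
    if fs is None or fs["user"] != logged_in_user:
        return None  # already paid/expired and deleted, or not this user's order
    return fs["cart"]
```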