
I run a site that takes payments for a subscription, but then just stores a cookie on the user's machine proving they've paid.

It will give them the cookie again if they re-visit from any IP they've previously used.

It also re-gives them the cookie if they try to pay again with the same credit card.

Support just tells people to try to resubscribe if their subscription has 'vanished' - but it seems to happen to very few customers.



This is pretty clever, but people might get double billed if they accidentally try to confirm their account with a different card than they used to sign up.


Public IP as an auth token seems like a horrible idea.

You're giving anyone on CGNAT or even the same coffee shop access to your customers' accounts.


In my case, customers don't have any data on the account - it's simply a bit saying 'has paid for premium?'. And if I end up giving premium to a few people who didn't pay it isn't an issue. The sign-up friction of needing an email address is greater.
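The scheme described in the first post (signed "has paid" cookie, re-issued from any previously seen IP or on a repeat payment with the same card), together with the CGNAT/coffee-shop objection and the different-card double-billing case, as an added Python example. This is not code from the site or from anyone in the thread. It assumes the cookie is HMAC-signed, that cards are matched by a keyed fingerprint rather than the raw number, and that state lives in an in-memory table; the key, IP addresses and card numbers are constructed for the example.

```python
import base64
import hashlib
import hmac
import json
import secrets


class PaidAccessStore:
    """Server side of the scheme: the only state per customer is a 'has paid'
    bit, keyed by a card fingerprint and by every IP the customer has used.
    Cookies are HMAC-signed so a client cannot forge one (assumption: the
    thread does not say whether the site signs its cookie; signing is the
    minimum needed for the cookie to 'prove' anything)."""

    def __init__(self, key: bytes):
        self.key = key
        self.by_card = {}   # card fingerprint -> account id
        self.by_ip = {}     # client IP -> account id (the weak re-issue path)
        self.charges = []   # (account id, fingerprint) for every real charge

    def _fingerprint(self, pan: str) -> str:
        # Keyed hash of the card number; the raw PAN is never stored.
        return hmac.new(self.key, pan.encode(), hashlib.sha256).hexdigest()

    def _sign(self, body: str) -> str:
        return hmac.new(self.key, body.encode(), hashlib.sha256).hexdigest()

    def issue_cookie(self, account: str, ip: str) -> str:
        # Remember the IP so a later visit from it gets the cookie back.
        self.by_ip[ip] = account
        body = base64.urlsafe_b64encode(
            json.dumps({"acct": account, "paid": True}).encode()).decode()
        return body + "." + self._sign(body)

    def verify_cookie(self, cookie: str):
        """Return the cookie payload if the signature checks out, else None."""
        body, _, mac = cookie.partition(".")
        if not mac or not hmac.compare_digest(mac, self._sign(body)):
            return None
        return json.loads(base64.urlsafe_b64decode(body))

    def pay(self, pan: str, ip: str):
        """Charge the card unless it has paid before; return (cookie, outcome)."""
        fp = self._fingerprint(pan)
        if fp in self.by_card:
            return self.issue_cookie(self.by_card[fp], ip), "reissued"
        account = secrets.token_hex(8)
        self.by_card[fp] = account
        self.charges.append((account, fp))
        return self.issue_cookie(account, ip), "charged"

    def reissue_by_ip(self, ip: str):
        """The IP re-issue path: anyone arriving from a known IP gets the cookie."""
        account = self.by_ip.get(ip)
        return None if account is None else self.issue_cookie(account, ip)


def demo(key: bytes = b"example-key-not-for-production"):
    """Walk through the cases raised in the thread; returns a dict of outcomes."""
    store = PaidAccessStore(key)
    # Constructed sample IPs and test card numbers (not real customers).
    alice_ip, cafe_ip = "198.51.100.7", "203.0.113.42"
    c1, status1 = store.pay("4111111111111111", alice_ip)
    acct = store.verify_cookie(c1)["acct"]
    # A client-made cookie with a made-up signature must be rejected.
    forged = base64.urlsafe_b64encode(
        json.dumps({"acct": "x", "paid": True}).encode()).decode() + "." + "0" * 64
    # Alice loses the cookie and comes back from an IP she has used before.
    c2 = store.reissue_by_ip(alice_ip)
    # Alice once visited from a cafe; a stranger on that same IP shows up later.
    store.issue_cookie(acct, cafe_ip)
    stranger = store.reissue_by_ip(cafe_ip)  # stranger now holds Alice's premium
    # Paying again with the same card re-issues instead of charging.
    _, status2 = store.pay("4111111111111111", "192.0.2.9")
    # Paying with a different card is a second charge (the double-billing case).
    _, status3 = store.pay("5555555555554444", "192.0.2.9")
    return {
        "first": status1,
        "forged_accepted": store.verify_cookie(forged) is not None,
        "reissue_same_account": store.verify_cookie(c2)["acct"] == acct,
        "stranger_gets_premium": store.verify_cookie(stranger)["acct"] == acct,
        "same_card": status2,
        "other_card": status3,
        "charges": len(store.charges),
    }


if __name__ == "__main__":
    print(demo())
```

The signature stops forgery, and the card-fingerprint lookup is what prevents a repeat charge on the same card; neither helps with the IP path, where `reissue_by_ip` hands the premium bit to whoever shares the address, which is exactly the shared-NAT case raised above. Whether that is acceptable is the business call the original poster makes in the reply.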



