#wellthen
Hi, taking a look here
Here's a reference: https://gist.github.com/cjavilla-stripe/872a3509c902ec32a8cef82b39d8e0b8
So Stripe Checkout Sessions expire 24 hours after creation, https://stripe.com/docs/payments/accept-a-payment. But if the user comes back prior, I'd validate that they have a session and proceed instead of creating a new session every time.
I think it's perhaps better to save it and then check it every time, given that a user can refresh the page multiple times to generate practically unlimited sessions. Does Stripe have an API limitation?
I assume they can also request the Stripe checkout using the same session id multiple times, that should rate limit them, not my website, correct?
Yes, there is rate limiting: https://stripe.com/docs/rate-limits. Unless you are making many unnecessary calls, our API rate limiting is pretty high.
I do not understand the second question, can you elaborate please?
If a user visits the website and presses the payment button, I'd have to check with the Stripe API to see if the session is valid or not, and whether to generate a new session.
Theoretically, the user could click the button many times, with automated tools.
I assume that would lead to a lot of API calls
would something like recaptcha be advisable?
You'd want to cache or something like that on your end. When the user comes back, you just use the existing session.
yeah, but if the session becomes invalid in the meantime, how would I know it's invalid instead of checking with the API?
should i just cache one session id per 24 hours and hope it doesn't somehow get invalidated?
can the webhooks be used to monitor whether the session becomes invalid?
You can look at the status of the Checkout Session, https://stripe.com/docs/api/checkout/sessions/object#checkout_session_object-status.
does that get returned via webhook each time it gets completed/failed?
Yes, the status is included with each Checkout Session.
oh cool, so I can save one session ID and then keep it as active until I get webhook information that it's not valid anymore?
i assume it also returns that after 24 hours
Yes, that is correct
got it, thanks!
with regards to the webhooks, if the website is down, does the API retry sending requests after a while, and are there any known issues with CDNs like Cloudflare blocking requests?
i assume I should whitelist these IP addresses?
We do have some retry logic which you can read more about here: https://stripe.com/docs/webhooks/best-practices#retry-logic. And yes, you'd want to allowlist those IP addresses as well.
ah great
do you believe it's enough to rely on webhooks to check if transactions are completed?
Yes, we also talk about error handling here: https://stripe.com/docs/webhooks/best-practices#event-handling
does the interactive webhook builder verify whether requests come from stripe? https://stripe.com/docs/webhooks/quickstart?lang=php
i'm assuming if I use that I don't have to check whether the IP comes from Stripe?
Yeah, you can verify the webhook signature that verifies that the event is coming from Stripe, https://stripe.com/docs/webhooks/signatures
Thanks, seems understandable, will come back if I need additional info.