Authorize.Net DPM – Relay Response errors

My service ticket at WooThemes has now been open for 7+ days without a response. Anyone know how to contact them?

I think that I’ve narrowed the problem down to an issue with the “MD5 Hash” value that is being passed between Authorize.Net and the WooCommerce Authorize.Net DPM script.

Both the WooCommerce admin screen and the Authorize.Net user account settings page for “MD5 Hash” provide a field to fill in with an MD5 Hash value. Unfortunately, imputing a true 32 character value breaks the order process. But, if I use a shorter value in this field, the order process completes successfully.

So although they ask for an “MD5 Hash”, what is really required is a shorter hash key. (They can’t tell me how long I can make it and still have successful completion, and what types of characters are allowed.) A twelve character string works; I don’t know yet how far I can push it before it breaks.

The hash is an implementation by Authorize.net, not by WooCommerce Authorize DPM plugin. So this question is better asked to Authorize.net the company.

I have asked Athorize.Net about this, and if I find out more from them, I will post what I find.

I do believe that there is at least some fault on both ends – the WooCommerce Authorize.Net DPM, and the Authorize.Net website’s settings page for MD5 Hash.

Both GUIs have fields to fill in an “MD5 Hash”. This, I believe, is a mistake. When I’ve entered a true MD5 Hash (32 characters long) in both fields, the relay response fails. As a workaround, filling in a shorter string – let’s call it a hash key – rather than a true 32 character MD5 Hash, enables the transactions to complete properly.

I think that what is needed, and what both GUIs should ask for rather than an “MD5 Hash”, is a “hash key” which, I believe, the WooCommerce script uses as one of the pieces to create an MD5 Hash, and which Authorize.Net uses to decode the actual Hash which WooCommerce sends.

I think that it is a mistake for BOTH ends to ask for an “MD5 Hash” if that is not what is really needed in those fields. And if that is correct, then I think it is a further shortcoming of the WooCommerce Authorize.Net DPM extension to fail to provide adequate instructions on how to form the “hash key”. In fact, I think that it should generate this string for us.

I still have not been able to find out just how long I can make the string before it causes an error, or what types of characters are allowed in the string.

So that field exists because Authorize.net allows it. And it is optional. You don’t have to set it if you don’t want. Of course setting it makes it that much more secure. But again as far as the limitation on what can be entered there, it is not up to us.

Thanks again for your reply. I’m afraid that I have to respectfully disagree with you.

a) Your plugin extension GUI has a field labeled “MD5 Hash”. b) An MD5 Hash is 32 characters long. c) Entering a 32-character string into that field breaks the Relay Response between Authorize.Net and my website’s WooCommerce script; a shorter string does not break things. (How much shorter, we can only guess.) d) Therefore, your GUI field should NOT be labeled “MD5 Hash”.

You are asking people to pay for this extension, so you should be responsible for learning what type of string is required, and providing clear instructions about forming that string.

Should Authorize.Net ALSO change the label on the field at their end, and also provide instructions? Of course. But that doesn’t absolve you of your responsibility to your customer.

I understand. Please note that is how they call it on the dashboard. So to prevent confusion, we named it the same way so store owners know what that field is as it matches what they see in their Authorize.net panel.

But to answer your question, I have successes with 4 character phrase. The 4 characters will then be MD5 hashed so it is not likely someone will be able to reverse engineer. MD5 is a one way hashing algorithm.

Thanks. Yes, it is also wrong that Authorize.Net labels their field “MD5 Hash”, and I’m trying to get them to change it as well.

I think that if your field were labeled “Hash Key” instead, it would cause less problems. But even better would be to instruct on exactly how many characters to use.

I’ve so far been able to enter a 12-character string successfully. If I can find out from Authorize.Net how long it can be, and especially what types of characters are allowed, I’ll let you know.

But since WooCommerce steers a lot of business to Authorize.Net, and since so many websites use your software and theirs, can’t you contact them to find out exactly? Thousands of people must purchase your Authorize.Net payment gateways at $80 (US) each per year. You can afford to find out the exact specs.

Ok here you go. Found the answer for you https://support.authorize.net/authkb/index?page=content&id=A588

Note that the MD5 Hash Value can be up to 20 characters long, including upper- and lower-case letters, numbers, spaces, and punctuation. More complex values will be more secure.

I will see about putting this up on our docs. Thanks for bringing this up.

Thank you very much for that information!

Updating your documentation will be a big help.

Updating the extension itself would be even better. A field with a character limit of 20 cannot accept an MD5 Hash (by definition 32 characters long), so the label should be changed. Don’t ever ask for an MD5 Hash in a field which should have a 20 character limit. And instructions available in the GUI itself would be much better than buried in documentation.

Thanks again for hunting down that answer!

hommealone thank you so much for “hashing” this out! I never would have figured it out if it weren’t for you describing everything in detail here.