OK, I accept

This site uses cookies. By using this site, you acknowledge and accept this.

Your basket is empty
Login not logged in

Full Knowledgebase Listing

Worldpay callback issues - 302 redirect Not OK

[#48] Last update 28 Feb 2013

Worldpay is a popular payment system, and Kartris ships with a plugin to support it.

When a successful order is paid at Worldpay's payment pages, Worldpay makes a callback to Kartris at the following URL:


Kartris receives this callback, and if all goes well, it should receive order information within POST fields, update the pending order as 'PAID' and send confirmation emails.

However, some sites have persistently had callbacks failing. Worldpay will send a callback failure email to the address set up within the Worldpay panel, and indicate the problem as follows:

Error reported: Callback to http://demo.kartris.com/Callback.aspx?g=rbsworldpay&d=off: NOT OK, recevied HTTP status: 302

Curiously, some sites based on exactly the same version of Kartris seem to work ok, while others, even on the same server exhibit the 302-redirect problem.

The Solution

The problem stems from the way the validateRequest functionality is handled in ASP.NET 4.0. This functionality provides a built-in filter mechanism against XSS. You will encounter this if you try to submit a form containing HTML for example.

In prior versions of ASP.NET, for cases where you need to submit HTML data, you could turn the validateRequest functionality off in several ways. Either through the web.config (globally or for specific folders and pages), or within the page directive at the top of an ASPX file.

But in ASP.NET 4.0, this XSS filtering mechanism was extended to apply to all requests, and not just pages with ASP.NET file extensions. And it was no longer possible to turn off requestValidate unless you also specified the ASP.NET 2.0 behaviour. This could be done as follows in the web.config:

  <location path="Callback.aspx">
      <pages validateRequest="false" enableEventValidation="false" viewStateEncryptionMode="Always" />
      <httpRuntime requestValidationMode="2.0" />

This code turns off validateRequest for the Callback.aspx page, and also ensures that this works by specifying the older ASP.NET 2.0 behaviour. Callbacks made to Kartris should no longer be redirected if the XSS filtering in ASP.NET thinks there is HTML or other suspicious content in the data Worldpay is posting back.

Assuming your other Worldpay settings are correct, you should have successful Worldpay callbacks working now.

Useful Links

Worldpay Setup (Kartris User Guide)

ASP.NET 4.0 breaking changes

Powered by kartris