Worldpay have what is known as a 'data fetch' method whereby when you enter
the payment system you pass in a cart ID. The payment system then does the
equivalent of a CFHTTP to a URL on your site that you predefine in the
payment system administration pages passing the cart ID as a parameter. You
can then use this parameter to identify the appropriate cart, which you
would typically store in an application array of structs keyed on the cart
ID, and pass the info back to the payment system in whatever format it
requires. I dare say this is an approach adopted by other payment systems
too though I haven't really explored many others recently.

Steve

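The 'data fetch' flow described above, as an added example that is not part of the original post or of any Worldpay code, written in Python rather than ColdFusion: the browser carries only the cart ID, and the payment system's server-to-server callback is answered from our own server-side store. The shared secret check on the callback (CALLBACK_SECRET) and the catalogue prices are assumptions of this example.

```python
# Added example, not from the original post: a 'data fetch' callback handler
# in the style Steve describes, in Python rather than ColdFusion. The payment
# system calls back to a URL we control with the cart ID; we answer from our
# own server-side store, so prices and totals never travel through the browser.
# Assumptions: the callback carries a shared secret (CALLBACK_SECRET) agreed
# with the payment provider; CATALOGUE SKUs and prices are constructed data.
import hmac
import secrets
from decimal import Decimal

CATALOGUE = {"SKU-1": Decimal("19.99"), "SKU-2": Decimal("5.00")}  # constructed
CALLBACK_SECRET = "replace-with-secret-agreed-with-provider"       # assumption
CARTS = {}  # server-side store, like an application array of structs keyed on cart ID


def create_cart(user_id, items):
    """Store a cart server-side and return an unguessable cart ID."""
    cart_id = secrets.token_urlsafe(16)
    CARTS[cart_id] = {"user_id": user_id, "items": dict(items)}
    return cart_id


def checkout_redirect_fields(browser_form):
    """Fields handed to the payment system at checkout: only the cart ID.
    Whatever price or total the browser form carried is discarded."""
    return {"cartId": browser_form["cartId"]}


def data_fetch(params):
    """Handle the payment system's server-to-server request for a cart.

    params is the parsed query string of the callback,
    e.g. {"cartId": "...", "secret": "..."}.
    """
    if not hmac.compare_digest(params.get("secret", ""), CALLBACK_SECRET):
        return {"status": "error", "reason": "caller not authorised"}
    cart = CARTS.get(params.get("cartId", ""))
    if cart is None:
        return {"status": "error", "reason": "unknown cart"}
    lines = [{"sku": sku, "qty": qty, "unitPrice": str(CATALOGUE[sku])}
             for sku, qty in cart["items"].items()]
    total = sum(CATALOGUE[sku] * qty for sku, qty in cart["items"].items())
    return {"status": "ok", "userId": cart["user_id"], "lines": lines,
            "total": str(total)}


if __name__ == "__main__":
    cid = create_cart(user_id=42, items={"SKU-1": 2, "SKU-2": 1})
    # A form tampered to total=0.01 changes nothing: only cartId is forwarded.
    print(checkout_redirect_fields({"cartId": cid, "total": "0.01"}))
    print(data_fetch({"cartId": cid, "secret": CALLBACK_SECRET}))
```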
>
> > > Any data from the browser is subject to tampering. You can't
> > > rely on HTTP_REFERER - that's sent by the browser, and thus
> > > subject to the same sort of tampering as the form fields.
> >
> > Then can you suggest the best way of tackling this situation...
> >
> >  - website, basket and pre-checkout on one server
> >  - basket or orders table in database, each basket record tied to a
> > session.userid value
> >  - secure payment area / checkout on another server
> >  - no database access from secure server to database on main
> > website server
> >
> > How can you make the basket / orders data tied to a user,
> > together with the prices for the products, accessible to the
> > checkout section without including them as hidden form fields
> > which, obviously, can be tampered with?
> >
> > I've seen one solution where a text file was written on the
> > unsecure server and the filename passed as a form field to the
> > secure area. The checkout just CFHTTPed the text file, parsed
> > out the order / product data and displayed the totals... not
> > an ideal way of doing it but seemed reasonably effective.
>
> As in your example, you'd have to use CFHTTP or some other communication
> mechanism between your CF server (as the client) and the payment server.
> That's really the only way.
>
> Dave Watts, CTO, Fig Leaf Software
> http://www.figleaf.com/
> voice: (202) 797-5496
> fax: (202) 797-5444
>