> > Then can you suggest the best way of tackling this situation...
> >
> > - website, basket and pre-checkout on one server
> > - basket or orders table in database, each basket record tied
> > to a session.userid value
> > - secure payment area / checkout on another server
> > - no database access from secure server to database on
> > main website server
> >
> > How can you make the basket / orders data tied to a user, together
> > with the prices for the products, accessible to the checkout section
> > without including them as hidden form fields which, obviously, can be
> > tampered with?
>
> You could put all the data that needs to be passed over into a WDDX
> packet, then encrypt it, base64 it, and send it over in a hidden field.
You could do this, but, again, if the data comes from the browser, someone
can tamper with it. You're raising the bar of difficulty by doing this, but
you'd be safer not passing the sensitive data back from the browser in the
first place (and in this example, there's no reason you have to).
Dave Watts, CTO, Fig Leaf Software
http://www.figleaf.com/
voice: (202) 797-5496
fax: (202) 797-5444
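An added illustration of the point made in the reply above (example code written for this page, not from anyone in the thread, and not ColdFusion/WDDX): a base64-encoded hidden field is still entirely under the browser's control, so the checkout server has no way to tell that a price was edited. If data must travel through the browser, the web server can at least attach a keyed MAC with a secret shared only between the two servers, so the checkout server rejects any packet it did not originate. The secret, the basket contents and the function names are constructed for the example.

```python
"""Added example: why an encoded hidden field is still client-controlled, and
how a shared-secret HMAC lets the checkout server detect edits to it."""
import base64
import hashlib
import hmac
import json

# Constructed shared secret; in practice a long random value held only by the
# web server and the checkout server, never sent to the browser.
SHARED_SECRET = b"constructed-example-secret-do-not-reuse"

# Constructed basket snapshot, as the web server would build it from its own
# database for one session.userid.
BASKET = {"userid": 1042,
          "items": [{"sku": "A100", "qty": 2, "price": "19.99"}]}


def encode_unsigned(basket: dict) -> str:
    """The 'encode it and put it in a hidden field' approach: base64 of the
    serialised basket. Anyone holding the value can decode, edit, re-encode."""
    return base64.b64encode(json.dumps(basket, sort_keys=True).encode()).decode()


def decode_unsigned(field: str) -> dict:
    """The checkout server decoding an unsigned field: it has nothing to check."""
    return json.loads(base64.b64decode(field))


def edit_unsigned(field: str, new_price: str) -> str:
    """Simulates the browser side altering a price in an unsigned field."""
    basket = decode_unsigned(field)
    basket["items"][0]["price"] = new_price
    return encode_unsigned(basket)


def encode_signed(basket: dict, secret: bytes) -> str:
    """Web server: payload plus HMAC-SHA256 over it, joined as 'payload.mac'.
    Base64 never contains '.', so the split on the receiving side is safe."""
    payload = base64.b64encode(json.dumps(basket, sort_keys=True).encode())
    mac = hmac.new(secret, payload, hashlib.sha256).hexdigest()
    return payload.decode() + "." + mac


def decode_signed(field: str, secret: bytes):
    """Checkout server: return the basket only if the MAC verifies, else None.
    Uses a constant-time comparison so timing does not leak the expected MAC."""
    try:
        payload, mac = field.rsplit(".", 1)
    except ValueError:
        return None  # malformed field, no separator
    expected = hmac.new(secret, payload.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, mac):
        return None
    return json.loads(base64.b64decode(payload))


def edit_signed(field: str, new_price: str) -> str:
    """Simulates the browser side altering the payload of a signed field while
    keeping the old MAC, since it has no secret to compute a new one."""
    payload, mac = field.rsplit(".", 1)
    basket = json.loads(base64.b64decode(payload))
    basket["items"][0]["price"] = new_price
    new_payload = base64.b64encode(
        json.dumps(basket, sort_keys=True).encode()).decode()
    return new_payload + "." + mac


if __name__ == "__main__":
    unsigned = edit_unsigned(encode_unsigned(BASKET), "0.01")
    print("unsigned field after edit, as checkout sees it:",
          decode_unsigned(unsigned)["items"][0]["price"])
    signed = encode_signed(BASKET, SHARED_SECRET)
    print("signed field intact:", decode_signed(signed, SHARED_SECRET) == BASKET)
    print("signed field after edit:", decode_signed(edit_signed(signed, "0.01"),
                                                    SHARED_SECRET))
```

The MAC only proves the packet was produced by the web server with the current contents; it does not stop a valid packet from an earlier, cheaper basket being resubmitted, so a timestamp or one-time nonce inside the signed payload is still needed. That is why the reply's advice is the stronger design: pass nothing but an opaque reference through the browser and have the checkout server fetch the basket and prices from the web server over a server-to-server channel, so the browser never holds the data at all.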