One thing to think about with incremental order ids is that it is possible to leak information.
One paranoid example is that a competitor could place an order and from the incremental id see how many sales you have had. They could then place another one week later and compare order ids to see your sales volume.

A less paranoid example involves end users looking up orders. If the order summary page (@@getpaid-order/997670534) doesn't check that the user viewing the page also has rights to view that order, then anyone can view any order just by entering sequential order ids.

In general with ids that map to objects it's best to use a sparse namespace to make guessing attempts hard.

-Rob

On Fri, May 8, 2009 at 6:46 AM, Taito Horiuchi <[email protected]> wrote:
> Hello,
>
> OK, then I give that incremental order id option to branch.
>
> Thanks,
>
> Taito
>
> 2009/5/8 Lucie Lejard <[email protected]>
>
>> Hi Taito,
>>
>> I don't know why random order id was implemented. But it seems like a
>> good idea to give the option in the getpaid admin to choose
>> incremental order id.
>>
>> Lucie
>> --
>> S i x F e e t U p , I n c . | http://www.sixfeetup.com
>> Phone: +1 (317) 861-5948 x605
>> ANNOUNCING the first Plone Immersive Training Experience | Sept. 10-11-12, 2009
>> http://www.sixfeetup.com/immerse
>>
>> On Wed, May 6, 2009 at 12:17 PM, Taito Horiuchi <[email protected]> wrote:
>> > Hi all,
>> >
>> > I'm using incremental order id for existing e-commerce site and I would like
>> > to continue using this policy
>> > when I switch to getpaid.
>> >
>> > getpaid.core uses random order id for new order id.
>> >
>> > Is it a bad idea to add incremental order id as an option to core?
>> >
>> > Can somebody explain to me why random order id is better than incremental one?
>> >
>> > Taito
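The two points raised in this thread (order volume readable from incremental ids, and an order summary lookup that must check the viewer's rights) are shown below as an added example that is not part of the original messages and is not getpaid code. `OrderStore`, `view_order`, `volume_between` and the sample orders are hypothetical names and constructed data.

```python
import secrets


class OrderStore:
    """In-memory stand-in for an order catalog (hypothetical, not getpaid's API)."""

    def __init__(self, sparse_ids=True):
        self.sparse_ids = sparse_ids
        self._orders = {}
        self._counter = 0

    def new_order_id(self):
        if self.sparse_ids:
            # 128 bits from the OS CSPRNG: the id says nothing about how many
            # orders exist, and neighbouring ids cannot be guessed.
            return secrets.token_hex(16)
        self._counter += 1
        return str(self._counter)

    def place_order(self, owner, items):
        order_id = self.new_order_id()
        self._orders[order_id] = {"owner": owner, "items": items}
        return order_id

    def view_order(self, order_id, requesting_user):
        """Order summary lookup that checks ownership before returning data."""
        order = self._orders.get(order_id)
        # Same error for "no such order" and "not your order", so the response
        # does not confirm which ids exist.
        if order is None or order["owner"] != requesting_user:
            raise LookupError("order not found")
        return order


def volume_between(first_id, later_id):
    """Orders placed by others between two incremental ids held by one party."""
    return int(later_id) - int(first_id) - 1


def demo():
    """Constructed data: one shopper orders twice, five other orders in between."""
    shop = OrderStore(sparse_ids=False)
    first = shop.place_order("shopper", ["book"])
    for n in range(5):
        shop.place_order("customer%d" % n, ["item"])
    later = shop.place_order("shopper", ["pen"])
    return volume_between(first, later)  # 5 with incremental ids


if __name__ == "__main__":
    print(demo())
```

The ownership check in `view_order` holds under either id scheme; the sparse ids remove the volume signal and make guessing impractical on top of it.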
