----- Original Message -----
From: "Luciano Miguel Ferreira Rocha" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Wednesday, October 03, 2001 3:12 AM
Subject: Re: Site Logic Problem


> On Tue, Oct 02, 2001 at 08:23:18PM -0700, Robert Mazur wrote:
> > Now, is that going to cause a ssl certificate problem, when the user
> > establishes a ssl connection with me (mydomain.com), but the page actually
> > submits to the bank, rather than back to me?
>
> No, it won't cause a certificate problem if both certificates are valid
> for their respective domains. A certificate is checked for the server the
> browser is connecting, it doesn't matter where it has been. (Although
> some browsers show a warning if a switch from a ssl server to a non-ssl
> server occurs.)
>
> > Wow, am I going to have a problem here?
> Well, you might. How do you know that the client really paid to the bank?
> You can't trust Referers, etc. It can be done securely, I'm just trying
> to make you revise it against any possible failures. :)
>
> hugs
> Luciano

Thanks for the response, Luciano.  Ya, my head is starting to swim with the
possibilities.

Ya, you hit the nail on the head with the browser yelling when going from a
non-ssl, to a ssl, then back to a non-ssl.  That was what was happening to
me with this transaction, so I am adding ssl to my end so that it is all an
ssl connection when the user goes from me, to the bank, and back to me.

I will know that the user really paid the bank because the bank's server
returns a particular code to my server, describing how the transaction went.
It is all triggered by one click....meaning, my card entry page submits
directly to the bank, the bank checks the card (and credit) of the
user...and in the same motion returns to me a transaction code to either my
approved.jsp, or my denied.jsp.  This approach has worked in the past, it is
just the route of non-ssl, to ssl, to non-ssl sequence I am trying to
eliminate so the user's browser stays quiet.

Thanks Luciano!
Rob

______________________________________________________________________
Apache Interface to OpenSSL (mod_ssl)                   www.modssl.org
User Support Mailing List                      [EMAIL PROTECTED]
Automated List Manager                            [EMAIL PROTECTED]
