On Sun, 19 Aug 2001, Fotwun wrote:

> My questions are how do you securely, reliably, and seamlessly integrate
> sessions within that type of gateway. Because once the form data is posted
> to the credit card gateway, it redirects (posts response data) back to the
> script of your choice. However, in my experience, the sessions are not
> restored/recognized until the browser is refreshed on the client side
> (through the use of JavaScript) to get the server to recognize the request
> as coming from your user, rather than as a post from the gateway. I
> don't want to have to deal with getting sloppy and adding additional
> refreshes/JavaScript if that's the only way to do it. If I were to merely
> have the code generate a form based on hidden tags and have JavaScript
> auto-form submit, then I would be open to security problems, because I could no
> longer restrict the script the gateway responds to by an HTTP_REFERER.
>

Whoa there buddy. HTTP_REFERER is supplied by the client's browser... and
therefore should be untrusted. If you think it's secure because of what
HTTP_REFERER says, you're mistaken.

Justin Buist
Trident Technology, Inc.
4700 60th St. SW, Suite 102
Grand Rapids, MI 49512
Ph. 616.554.2700
Fx. 616.554.3331
Mo. 616.291.2612

> Because the client's order ID that is generated will be stored as a session,
> I need a way to reference the order ID and confirmation code that is
> returned by the posted data from the gateway, against the session data to
> start inserting the data into the DB if it was a successful charge.
>
> Any ideas...? Maybe there's a quick solution out there I am just
> overlooking. The solution would be easy if I wasn't inserting all of my data
> at the end of the process based on the session data. But this is how the
> code has to work, so what do you all think, how should I deal with this?
>
> Thanks,
>
> FT
>
>
> --
> PHP Database Mailing List (http://www.php.net/)
> To unsubscribe, e-mail: [EMAIL PROTECTED]
> For additional commands, e-mail: [EMAIL PROTECTED]
> To contact the list administrators, e-mail: [EMAIL PROTECTED]
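The following is an added example, not code from either poster or from any particular payment gateway. It shows the approach the reply points toward: since HTTP_REFERER is sent by the client and proves nothing about where a POST came from, and since the gateway's POST-back will not carry the shopper's session cookie, the handler matches the callback against a pending order stored server-side under the merchant-generated order ID instead. The field names (order_id, confirmation, amount, signature), the HMAC-over-fields signing scheme with a shared secret, the SQLite in-memory store and the helper names are all assumptions made for illustration; a real gateway's callback format and authentication mechanism would be taken from its documentation.

```php
<?php
// Added example (not from the original thread). Assumed: the gateway POSTs back
// 'order_id', 'confirmation', 'amount' and an HMAC 'signature' over those fields
// computed with a secret shared with the merchant. The referer is never consulted.
declare(strict_types=1);

const GATEWAY_SHARED_SECRET = 'example-shared-secret'; // placeholder, not a real key

// In-memory SQLite stands in for the real orders table (needs the pdo_sqlite extension).
function openStore(): PDO
{
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE pending_orders (
        order_id TEXT PRIMARY KEY,
        amount_cents INTEGER NOT NULL,
        status TEXT NOT NULL,
        confirmation TEXT
    )');
    return $db;
}

// Called before the shopper is sent to the gateway. The order ID is persisted
// server-side (it can also be copied into $_SESSION), so a later request that
// carries no session cookie can still be tied back to this order.
function createPendingOrder(PDO $db, int $amountCents): string
{
    $orderId = bin2hex(random_bytes(16)); // unguessable merchant order ID
    $stmt = $db->prepare(
        'INSERT INTO pending_orders (order_id, amount_cents, status) VALUES (?, ?, ?)'
    );
    $stmt->execute([$orderId, $amountCents, 'pending']);
    return $orderId;
}

// Assumed signing scheme: HMAC-SHA256 over a canonical join of the signed fields.
function expectedSignature(array $fields): string
{
    $msg = $fields['order_id'] . '|' . $fields['confirmation'] . '|' . $fields['amount'];
    return hash_hmac('sha256', $msg, GATEWAY_SHARED_SECRET);
}

// Handler for the gateway's POST back. Returns true only when the callback is
// authentic, refers to a still-pending order, and the charged amount matches.
function handleGatewayCallback(PDO $db, array $post): bool
{
    foreach (['order_id', 'confirmation', 'amount', 'signature'] as $k) {
        if (!isset($post[$k]) || !is_string($post[$k])) {
            return false; // malformed callback
        }
    }
    // Constant-time comparison of the signature the gateway should have produced.
    if (!hash_equals(expectedSignature($post), $post['signature'])) {
        return false; // forged or tampered callback
    }
    $stmt = $db->prepare('SELECT amount_cents, status FROM pending_orders WHERE order_id = ?');
    $stmt->execute([$post['order_id']]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false || $row['status'] !== 'pending') {
        return false; // unknown order, or a replayed callback for an order already settled
    }
    if ((int) $row['amount_cents'] !== (int) $post['amount']) {
        return false; // amount does not match what was stored at checkout
    }
    $upd = $db->prepare(
        'UPDATE pending_orders SET status = ?, confirmation = ? WHERE order_id = ?'
    );
    $upd->execute(['paid', $post['confirmation'], $post['order_id']]);
    return true;
}

// Constructed walk-through; no real gateway is involved.
$db = openStore();
$orderId = createPendingOrder($db, 4999);

$goodPost = ['order_id' => $orderId, 'confirmation' => 'CONF-123', 'amount' => '4999'];
$goodPost['signature'] = expectedSignature($goodPost);
var_dump(handleGatewayCallback($db, $goodPost)); // authentic first callback
var_dump(handleGatewayCallback($db, $goodPost)); // same callback again: order no longer pending

$forged = ['order_id' => $orderId, 'confirmation' => 'X', 'amount' => '1', 'signature' => 'abc'];
var_dump(handleGatewayCallback($db, $forged)); // bad signature
```

In this layout the gateway's POST settles the order without needing the shopper's session at all; when the browser subsequently returns to the merchant site with its own cookie, the script reads the order ID from `$_SESSION`, looks the row up, and finds it already marked paid with the confirmation code, which removes the need for a client-side refresh or a referer check.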