On Sun, 19 Aug 2001, Fotwun wrote:
> My questions are how do you securely, reliably, and seamlessly integrate
> sessions within that type of gateway. Because once the form data is posted
> to the credit card gateway, it redirects (posts response data) back to the
> script of your choice. However, in my experience, the sessions are not
> restored/recognized until the browser is refreshed on the client side
> as coming from your user, rather than as a post from the gateway. I
> don't want to have to deal with getting sloppy and adding additional
> refreshes/java script if that's the only way to do it. If I were to merely
> auto-form submit, then I would be open to security problems, because I could no
> longer restrict the script the gateway responds to by an HTTP_REFERER.
Whoa there buddy. HTTP_REFERER is supplied by the client's browser... and
therefore should be untrusted.
If you think it's secure because of what HTTP_REFERER says, you're
Trident Technology, Inc.
4700 60th St. SW, Suite 102
Grand Rapids, MI 49512
> Because the client's order id that is generated will be stored as a session,
> I need a way to reference the order ID and confirmation code that is
> returned by the posted data from the gateway, against the session data to
> start inserting the data into the DB if it was a successful charge.
> Any ideas...? Maybe there's a quick solution out there I am just
> overlooking. The solution would be easy if I wasn't inserting all of my data
> at the end of the process based on the session data. But this is how the
> code has to work, so what do you all think, how should I deal with this?
> PHP Database Mailing List (http://www.php.net/)
> To unsubscribe, e-mail: [EMAIL PROTECTED]
> For additional commands, e-mail: [EMAIL PROTECTED]
> To contact the list administrators, e-mail: [EMAIL PROTECTED]