On Sun, 19 Aug 2001, Fotwun wrote:

> My questions are how do you securely, reliably, and seamlessly integrate
> sessions within that type of gateway. Because once the form data is posted
> to the credit card gateway, it redirects (posts response data) back to the
> script of your choice. However, in my experience, the sessions are not
> restored/recognized until the browser is refreshed on the client side
> (through the use of JavaScript) to get the server to recognize the request
> as coming from your user, rather than as a post from the gateway. I
> don't want to have to deal with getting sloppy and adding additional
> refreshes/JavaScript if that's the only way to do it. If I were to merely
> have the code generate a form based on hidden tags and have JavaScript
> auto-form submit, then I would be open to security problems, because I could no
> longer restrict the script the gateway responds to by an HTTP_REFERER.
>

Whoa there buddy.  HTTP_REFERER is supplied by the client's browser... and
therefore should be untrusted.

If you think it's secure because of what HTTP_REFERER says, you're
mistaken.


Justin Buist
Trident Technology, Inc.
4700 60th St. SW, Suite 102
Grand Rapids, MI  49512
Ph. 616.554.2700
Fx. 616.554.3331
Mo. 616.291.2612



> Because the client's order ID that is generated will be stored as a session,
> I need a way to reference the order ID and confirmation code that is
> returned by the posted data from the gateway, against the session data to
> start inserting the data into the DB if it was a successful charge.
>
> Any ideas...? Maybe there's a quick solution out there I am just
> overlooking. The solution would be easy if I wasn't inserting all of my data
> at the end of the process based on the session data. But this is how the
> code has to work, so what do you all think, how should I deal with this?
>
> Thanks,
>
> FT
>
>


-- 
PHP Database Mailing List (http://www.php.net/)
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
To contact the list administrators, e-mail: [EMAIL PROTECTED]
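
One way to handle the problem FT describes, as an added example that is not from the thread: persist the pending order in the database keyed by order ID before redirecting, so the gateway's POST, which arrives with no session cookie and whose HTTP_REFERER is worthless as Justin points out, can be matched up server-side and the session picks the result up when the user's browser comes back. It assumes the gateway signs its response with an HMAC over a shared secret; GATEWAY_SECRET, the POST field names and the demo values are all constructed, so substitute whatever verification your gateway actually offers.

```php
<?php
// Added example, not from the thread. Assumed: the gateway POSTs order_id,
// confirmation, amount and an HMAC-SHA256 signature made with a shared secret.
const GATEWAY_SECRET = 'shared-secret-placeholder'; // placeholder value

function openStore(): PDO {
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec("CREATE TABLE orders (order_id TEXT PRIMARY KEY, session_id TEXT,
               amount TEXT, status TEXT, confirmation TEXT)");
    return $db;
}

// Step 1: before redirecting to the gateway, store the order in the DB (not
// only in the session) so the callback can find it without a session cookie.
function createPendingOrder(PDO $db, string $sessionId, string $amount): string {
    $orderId = bin2hex(random_bytes(16));
    $db->prepare("INSERT INTO orders VALUES (?, ?, ?, 'pending', NULL)")
       ->execute([$orderId, $sessionId, $amount]);
    return $orderId;
}

// Step 2: the gateway's POST has no session. Look the order up by order_id from
// the POST body and verify amount and signature before changing any state.
function handleGatewayCallback(PDO $db, array $post): bool {
    foreach (['order_id', 'confirmation', 'amount', 'signature'] as $k) {
        if (!isset($post[$k]) || !is_string($post[$k])) return false;
    }
    $st = $db->prepare("SELECT amount, status FROM orders WHERE order_id = ?");
    $st->execute([$post['order_id']]);
    $row = $st->fetch(PDO::FETCH_ASSOC);
    if (!$row || $row['status'] !== 'pending') return false;        // unknown or replayed
    if (!hash_equals($row['amount'], $post['amount'])) return false; // amount tampered
    $msg = $post['order_id'] . '|' . $post['confirmation'] . '|' . $post['amount'];
    $expected = hash_hmac('sha256', $msg, GATEWAY_SECRET);
    if (!hash_equals($expected, $post['signature'])) return false;  // not from gateway
    $db->prepare("UPDATE orders SET status = 'paid', confirmation = ? WHERE order_id = ?")
       ->execute([$post['confirmation'], $post['order_id']]);
    return true;
}

// Step 3: when the user's browser returns, the session is back; read the
// outcome from the DB row that belongs to this session and order.
function orderStatusForSession(PDO $db, string $sessionId, string $orderId): ?string {
    $st = $db->prepare("SELECT status FROM orders WHERE order_id = ? AND session_id = ?");
    $st->execute([$orderId, $sessionId]);
    $status = $st->fetchColumn();
    return $status === false ? null : $status;
}

// Constructed demo: one valid callback, then the same callback replayed.
$db = openStore();
$orderId = createPendingOrder($db, 'sess-abc', '49.99');
$post = ['order_id' => $orderId, 'confirmation' => 'CONF123', 'amount' => '49.99',
         'signature' => hash_hmac('sha256', "$orderId|CONF123|49.99", GATEWAY_SECRET)];
var_dump(handleGatewayCallback($db, $post), handleGatewayCallback($db, $post));
var_dump(orderStatusForSession($db, 'sess-abc', $orderId));
```

The second callback is rejected because the row is no longer pending, which also covers a duplicate delivery from the gateway.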
