RE: [PHP-DB] E-Commerce - Integrating Sessions With Charging ProcessesThat rePOST
I've heard of way too many people relying on HTTP_REFERER thinking it's a
secure way to lock things down... so I'll take this chance here and
illustrate what I'm talking about.

You'll need: netcat (http://www.l0pht.com/~weld/netcat/) and a PHP
webserver.

Cut and paste the following HTTP request into a file:

  GET /referer.php
  Host: 127.0.0.1
  User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:0.9.3) Gecko/20010801
  Accept: text/xml, application/xml, application/xhtml+xml, text/html;q=0.9, image/png, image/jpeg, image/gif;q=0.2, text/plain;q=0.8, text/css, */*;q=0.1
  Accept-Language: en-us
  Accept-Encoding: gzip, deflate, compress;q=0.9
  Accept-Charset: ISO-8859-1, utf-8;q=0.66, *;q=0.66
  Keep-Alive: 300
  Connection: keep-alive
  Referer: http://www.yoursecuresite.com/cc_info.html

Modify the "GET" parameter on the first line if you wish to place your
script somewhere besides http://webserver.com/test.php

Place the following code in test.php:

  <?php echo "The http referer is: $HTTP_REFERER"; ?>

Now just run:

  cat | nc 80

... and watch what the webserver spits back for the $HTTP_REFERER
variable. Just change the 'Referer' line and you can make it say whatever
you want.

If you're on NT just substitute "type" for "cat" in the above command.
Everything else should work just the same.

If that doesn't scare somebody out of using HTTP_REFERER for security, I
don't know what would.

And yes, you are right about the POST/rePOST thing being hokey. I wouldn't
work with a company that required you to submit data that way.

Justin Buist
Trident Technology, Inc.
4700 60th St. SW, Suite 102
Grand Rapids, MI 49512
Ph. 616.554.2700
Fx. 616.554.3331
Mo. 616.291.2612

On Mon, 20 Aug 2001, Fotwun wrote:

> How, code wise do I retrieve the session data from the session id. Also,
> another response below said HTTP_REFERER is not secure. So how do people
> who use this type of payment gateway secure the script it redirects to.
> All of the data it sends is form data, so once somebody knew what script
> it redirects to, and what form data it posts, it would be quite easy for
> them to authorize their own charges in my opinion.

-- 
PHP Database Mailing List (http://www.php.net/)
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
To contact the list administrators, e-mail: [EMAIL PROTECTED]
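The Referer check Justin demonstrates is shown failing below, beside the kind of check that actually binds the gateway's reply to a pending order (an added Python example, not code from this thread; it assumes the gateway can sign its callback with a shared secret, which the thread does not state, and uses a constructed in-memory order table in place of the poster's session data):

```python
import hmac
import hashlib

GATEWAY_URL = "https://gateway.example/"                 # assumed gateway origin
CALLBACK_SECRET = b"shared-secret-from-gateway-config"   # assumed shared secret

# Constructed stand-in for the session/DB order data the thread describes.
ORDERS = {"ORD-1001": {"amount": "49.99", "status": "pending"}}


def weak_callback_check(headers: dict) -> bool:
    """The check the thread warns against: Referer is set by whoever sends
    the request, so it proves nothing about where the request came from."""
    return headers.get("Referer", "").startswith(GATEWAY_URL)


def sign_callback(order_id: str, confirmation: str, amount: str) -> str:
    """Signature the gateway would attach (assumed shared-secret HMAC).
    Binding all fields under one MAC stops anyone without the secret from
    forging a callback or altering the amount/confirmation in transit."""
    msg = "|".join((order_id, confirmation, amount)).encode()
    return hmac.new(CALLBACK_SECRET, msg, hashlib.sha256).hexdigest()


def hardened_callback(params: dict) -> bool:
    """Accept a gateway callback only if its MAC verifies and it matches a
    still-pending order we issued; the Referer header is never consulted."""
    order_id = params.get("order_id", "")
    confirmation = params.get("confirmation", "")
    amount = params.get("amount", "")
    order = ORDERS.get(order_id)
    if order is None or order["status"] != "pending":
        return False                      # unknown, or already paid (replay)
    expected = sign_callback(order_id, confirmation, amount)
    if not hmac.compare_digest(expected.encode(), params.get("sig", "").encode()):
        return False                      # forged or tampered callback
    if amount != order["amount"]:
        return False                      # gateway charged a different amount
    order["status"] = "paid"              # commit: now safe to insert into the DB
    order["confirmation"] = confirmation
    return True
```

The order lookup replaces the session the poster cannot rely on: the callback arrives from the gateway, not the user's browser, so the order id itself (plus the MAC) is what ties the response to the pending purchase.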
Re: [PHP-DB] E-Commerce - Integrating Sessions With Charging ProcessesThat rePOST
On Sun, 19 Aug 2001, Fotwun wrote:

> My questions are how do you securely, reliably, and seamlessly integrate
> sessions within that type of gateway. Because once the form data is posted
> to the credit card gateway, it redirects (posts response data) back to the
> script of your choice. However, in my experience, the sessions are not
> restored/recognized until the browser is refreshed on the client side
> (through the use of JavaScript) to get the server to recognize the request
> as coming from your user, rather than as a post from the gateway. I
> don't want to have to deal with getting sloppy and adding additional
> refreshes/JavaScript if that's the only way to do it. If I were to merely
> have the code generate a form based on hidden tags and have JavaScript
> auto-form submit, then I would be open to security problems, because I
> could no longer restrict the script the gateway responds to by an
> HTTP_REFERER.

Whoa there buddy. HTTP_REFERER is supplied by the client's browser... and
therefore should be untrusted. If you think it's secure because of what
HTTP_REFERER says, you're mistaken.

Justin Buist
Trident Technology, Inc.
4700 60th St. SW, Suite 102
Grand Rapids, MI 49512
Ph. 616.554.2700
Fx. 616.554.3331
Mo. 616.291.2612

> Because the client's order id that is generated will be stored as a
> session, I need a way to reference the order ID and confirmation code that
> is returned by the posted data from the gateway, against the session data
> to start inserting the data into the DB if it was a successful charge.
>
> Any ideas...? Maybe there's a quick solution out there I am just
> overlooking. The solution would be easy if I wasn't inserting all of my
> data at the end of the process based on the session data. But this is how
> the code has to work, so what do you all think, how should I deal with
> this?
>
> Thanks,
>
> FT