Does this sound totally unsafe to you or am I just crazy?
8:10 pm on Mar 2, 2009 (gmt 0)
9:58 pm on Mar 2, 2009 (gmt 0)
The whole setup does sound pretty weird. Is there any reason they can't or won't just link to the form on your server using https? As in, "<a href="https://www.example.com/ourform.html">Contact Us</a>"?
I'm assuming you have a good reason for insisting that the forms live on your server, and that you have SSL/secure cert set up properly, and that you have in place a post-processing script to do whatever it is you're going to do with the forms.
10:38 pm on Mar 2, 2009 (gmt 0)
I asked them to use a straight link to the form, which they finally did. I have concerns about the vendor that was chosen to produce the site. Our forms are on a secured server, with an SSL certificate on the appropriate site and solid form validation. That the vendor would allow for such a thing without warning the client is unfathomable to me. Did he not think that form security, or at least recognition by the end user of said security, would be an issue? They wanted the nifty pop-up because, well, it looks nifty. I prefer safety over nifty any day, as do, I believe, our end users.
11:24 pm on Mar 2, 2009 (gmt 0)
Glad you got them to go with the straight link.
It would definitely raise some red flags for me, if someone I hired wanted to present a secure form that way. Is it possible you can get an explanation of their reasoning for having done it that way in the first place? Did they just not know any better?
11:54 pm on Mar 2, 2009 (gmt 0)
What is processing the form? Scripts on your servers I hope?
My only thinking is that they don't know how to do server side scripting and had planned to "pass it off" to a form processing service somewhere out there on the web. A pop up window would "hide" this, for the most part. I know, a real reach, but can't imagine why else they would do this.
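The two worries raised in this thread (a pop-up that hides whether the form is on https, and a form quietly "passed off" to an outside processing service) can both be checked from the visitor's side. The script below is an added example, not code from this thread or the vendor's CMS; the context field names and the sample URLs are assumptions.

```javascript
// Added example: evaluate the context a contact form is shown in, from the
// visitor's point of view. Field names and sample URLs are constructed.
function assessFormContext(ctx) {
  const problems = [];
  const page = new URL(ctx.pageUrl);
  // The padlock only means something if the form page itself is https.
  if (page.protocol !== "https:") {
    problems.push("form page is not served over https");
  }
  // A framed form, or a pop-up opened with the location bar hidden, gives the
  // visitor no way to see which site (or whether https) they are typing into.
  if (!ctx.isTopLevel) {
    problems.push("form is embedded in another page (address bar not visible)");
  } else if (!ctx.locationBarVisible) {
    problems.push("pop-up hides the location bar");
  }
  // Resolve the form action against the page URL, as the browser would.
  const action = new URL(ctx.formAction, ctx.pageUrl);
  if (action.protocol !== "https:") {
    problems.push("form submits over plain http");
  }
  if (action.origin !== page.origin) {
    problems.push(`form submits to a different origin: ${action.origin}`);
  }
  return problems;
}

// Constructed sample: the scripted pop-up handing data to an outside
// form-processing service (hypothetical hostname).
const popupContext = {
  pageUrl: "https://www.example.com/ourform.html",
  isTopLevel: true,
  locationBarVisible: false,
  formAction: "http://forms.example.net/process.cgi",
};

// Constructed sample: the straight https link, handled on our own server
// (hypothetical script path).
const straightLinkContext = {
  pageUrl: "https://www.example.com/ourform.html",
  isTopLevel: true,
  locationBarVisible: true,
  formAction: "/cgi-bin/contact.pl",
};

// In a browser the same check can be fed from the live window:
// assessFormContext({ pageUrl: location.href, isTopLevel: window.top === window.self,
//   locationBarVisible: window.locationbar.visible, formAction: document.forms[0].action });
```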
11:59 pm on Mar 2, 2009 (gmt 0)
I haven't spoken with the developer to find out his logic. He isn't real big on security, as you can tell. The form and form handling is on our server. Normally, his CMS allows his clients to develop forms through it, but I said no way. Any handling of secure information was going to come through our own servers. Thank GOD I insisted! Thank you so much for your responses. I wondered if I was just being uber paranoid.