
PHP Server Side Scripting Forum

    
payment gateway response uses GET parameters - secure enough?
jamie




msg:4431053
 10:44 pm on Mar 19, 2012 (gmt 0)

hi,

a payment gateway we are trying out returns full details of the operation in the response URL as _GET parameters, including the authorisation number from the bank and encrypted hash (to check data has not been tampered with).

on the page it is returned to i simply process these and then 301 to the confirmation page.

all of it is under SSL.

is there any reason why this shouldn't be secure? the reason i ask is that normally i am used to capturing _POST params with curl or similar.

surely as long as everything is under SSL and after processing the order I redirect to the confirmation page, then all's fine?

thanks for help

 

jamie




msg:4435519
 8:33 am on Mar 31, 2012 (gmt 0)

just to update this. we have set apache not to log that page. the user is instantly redirected to the confirmation page. it all happens under ssl and within an iframe so nothing visible is shown in the address bar.

theoretically a savvy user could watch the headers whilst making his purchase to see what kind of data is being sent back and forth. that would give him access to the authorisation number for his purchase. however without our secret encryption key, that auth number is useless to him.

coopster




msg:4437805
 1:19 am on Apr 6, 2012 (gmt 0)

It's those logs that kill ya ;) I'm with you, I would much rather see the data outside of the QUERY_STRING. Personal preference.
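
Added example, not code from any poster in this thread: a PHP return-URL handler that checks the gateway's hash before trusting anything in `$_GET`, then redirects so the signed query string is not left in the address bar or history. The thread does not name the gateway, so the signing scheme (HMAC-SHA256 over the sorted fields), the field names `order_id`, `amount`, `auth_no` and `hash`, the key and `/confirmation.php` are all assumptions.

```php
<?php
// Added example. The signing scheme (HMAC-SHA256 over sorted fields), the field
// names, the key and /confirmation.php are assumptions, not the gateway's spec.
const GATEWAY_SECRET = 'constructed-demo-key'; // real key: load from config outside the web root

// Recompute the HMAC over every returned field except the hash itself.
function gateway_signature(array $params, string $secret): string
{
    unset($params['hash']);
    ksort($params, SORT_STRING); // fixed order so both sides sign the same bytes
    return hash_hmac('sha256', http_build_query($params, '', '&', PHP_QUERY_RFC3986), $secret);
}

function verify_gateway_return(array $params, string $secret): bool
{
    foreach ($params as $value) {
        if (!is_string($value)) {
            return false; // reject array-style parameters such as amount[]=1
        }
    }
    if (!isset($params['hash'])) {
        return false;
    }
    // hash_equals() compares in constant time, unlike == or strcmp()
    return hash_equals(gateway_signature($params, $secret), strtolower($params['hash']));
}

if (PHP_SAPI !== 'cli') {
    // Return-URL handler: trust nothing in $_GET until the hash verifies.
    if (!verify_gateway_return($_GET, GATEWAY_SECRET)) {
        http_response_code(400);
        exit('Invalid gateway response');
    }
    // Record the payment here, keyed on order_id, and skip orders already marked
    // paid so a replayed URL (from history or a log) has no effect.
    header('Location: /confirmation.php', true, 303); // drop the query string
    exit;
}

// CLI demo with constructed values: a valid return and a tampered amount.
$sample = ['order_id' => '10042', 'amount' => '49.90', 'auth_no' => 'A1B2C3'];
$sample['hash'] = gateway_signature($sample, GATEWAY_SECRET);
$tampered = ['amount' => '0.01'] + $sample;

var_dump(verify_gateway_return($sample, GATEWAY_SECRET));
var_dump(verify_gateway_return($tampered, GATEWAY_SECRET));
```

Run from the command line, the script prints the verification result for the untouched and the tampered parameter sets; served over HTTP, it acts as the return-URL handler.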
