PHP Server Side Scripting Forum
payment gateway response uses GET parameters - secure enough?
jamie (WebmasterWorld Senior Member, 10+ Year Member)
Msg#: 4431051 posted 10:44 pm on Mar 19, 2012 (gmt 0)

Hi,

A payment gateway we are trying out returns full details of the operation in the response URL as _GET parameters, including the authorisation number from the bank and an encrypted hash (to check the data has not been tampered with).

On the page it is returned to, I simply process these and then 301 to the confirmation page.

All of it is under SSL.

Is there any reason why this shouldn't be secure? The reason I ask is that normally I am used to capturing _POST params with curl or similar.

Surely as long as everything is under SSL and, after processing the order, I redirect to the confirmation page, then all's fine?

Thanks for the help

jamie (WebmasterWorld Senior Member, 10+ Year Member)
Msg#: 4431051 posted 8:33 am on Mar 31, 2012 (gmt 0)

Just to update this: we have set Apache not to log that page. The user is instantly redirected to the confirmation page. It all happens under SSL and within an iframe, so nothing visible is shown in the address bar.

Theoretically a savvy user could watch the headers whilst making his purchase to see what kind of data is being sent back and forth. That would give him access to the authorisation number for his purchase. However, without our secret encryption key, that auth number is useless to him.
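As an added example (not code from this thread, and not any gateway's own code), here is how the return handler described in the two posts above could check such a query-string response in PHP before trusting the authorisation number. The field names, the HMAC-SHA256 signing scheme, the canonical string format and the shared-secret handling are assumptions standing in for whatever the real gateway documents; the demo data at the bottom is constructed.

```php
<?php
declare(strict_types=1);
// Added example, not code from the thread. Field names, the HMAC-SHA256
// scheme and the canonical string format are assumptions standing in for
// whatever the real gateway documents.

const SIGNED_FIELDS = ['order_id', 'amount', 'currency', 'status', 'auth_code', 'ts'];
const MAX_AGE_SECONDS = 300;   // how long a signed response URL stays usable

/** Canonical string the gateway signs: name=value pairs in a fixed order. */
function canonical_string(array $p): string
{
    $parts = [];
    foreach (SIGNED_FIELDS as $f) {
        $parts[] = $f . '=' . $p[$f];
    }
    return implode('&', $parts);
}

/** What the gateway (or a test) does: HMAC over the canonical string. */
function sign_fields(array $p, string $secret): string
{
    return hash_hmac('sha256', canonical_string($p), $secret);
}

/** Recompute and compare in constant time; a missing field counts as tampering. */
function verify_signature(array $p, string $secret): bool
{
    foreach (array_merge(SIGNED_FIELDS, ['sig']) as $f) {
        if (!isset($p[$f]) || !is_string($p[$f])) {
            return false;
        }
    }
    return hash_equals(sign_fields($p, $secret), strtolower($p['sig']));
}

/**
 * Decide whether a response may mark $order paid. $order is the locally
 * stored record; nothing the client delivered is trusted until it matches it.
 */
function accept_response(array $p, array $order, string $secret, int $now): array
{
    if (!verify_signature($p, $secret)) {
        return ['ok' => false, 'reason' => 'bad signature'];
    }
    if (abs($now - (int) $p['ts']) > MAX_AGE_SECONDS) {
        return ['ok' => false, 'reason' => 'stale response'];     // old URL replayed
    }
    if ($order['status'] !== 'pending') {
        return ['ok' => false, 'reason' => 'already processed'];  // same URL used twice
    }
    if ($p['order_id'] !== $order['id'] || $p['amount'] !== $order['amount']
        || $p['currency'] !== $order['currency']) {
        return ['ok' => false, 'reason' => 'order mismatch'];     // bind it to our charge
    }
    if ($p['status'] !== 'approved') {
        return ['ok' => false, 'reason' => 'declined'];
    }
    return ['ok' => true, 'auth_code' => $p['auth_code']];
}

// Constructed demo data (run from the CLI): a response as the gateway would
// sign it, the same response with the amount altered, and a replay.
$secret = 'demo-shared-secret';
$order  = ['id' => 'A1001', 'amount' => '49.90', 'currency' => 'GBP', 'status' => 'pending'];
$now    = 1332196000;
$resp   = ['order_id' => 'A1001', 'amount' => '49.90', 'currency' => 'GBP',
           'status' => 'approved', 'auth_code' => '123456', 'ts' => (string) $now];
$resp['sig'] = sign_fields($resp, $secret);

var_dump(accept_response($resp, $order, $secret, $now));            // genuine response
$tampered = $resp;
$tampered['amount'] = '0.90';
var_dump(accept_response($tampered, $order, $secret, $now));        // amount changed after signing
var_dump(accept_response($resp, ['status' => 'paid'] + $order, $secret, $now)); // replay

// In the real handler: $p = $_GET; load $order by $p['order_id']; on ok, mark it
// paid in a single atomic update; send Cache-Control: no-store; then redirect with
// a 303 (a 301 is cached by the browser, so a revisit would skip this handler).
```

The checks map onto the concerns in the two posts: the hash is recomputed with hash_equals rather than a plain comparison, the client-supplied amount and order ID are compared against the stored order rather than trusted because they were signed, and a callback URL cannot be submitted a second time. The response still travels in a URL, so besides the Apache access log it lands in browser history and in any upstream proxy logs; on Apache, a SetEnvIf Request_URI rule matching the return path combined with CustomLog ... env=!dontlog keeps it out of the access log, and a Referrer-Policy: no-referrer header on the page keeps it out of Referer headers. That is the reason a POST body is a better home for this data than the query string.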

coopster (WebmasterWorld Administrator, WebmasterWorld Top Contributor of All Time, 10+ Year Member)
Msg#: 4431051 posted 1:19 am on Apr 6, 2012 (gmt 0)

It's those logs that kill ya ;) I'm with you, I would much rather see the data outside of the QUERY_STRING. Personal preference.
