
Forum Moderators: coopster & jatar k


payment gateway response uses GET parameters - secure enough?



10:44 pm on Mar 19, 2012 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member


a payment gateway we are trying out returns full details of the operation in the response URL as _GET parameters, including the authorisation number from the bank and encrypted hash (to check data has not been tampered with).

on the page it is returned to i simply process these and then 301 to the confirmation page.

all of it is under SSL.

is there any reason why this shouldn't be secure? the reason i ask is that normally i am used to capturing _POST params with curl or similar.

surely as long as everything is under SSL and after processing the order I redirect to the confirmation page, then all's fine?

thanks for help


8:33 am on Mar 31, 2012 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member

just to update this. we have set apache not to log that page. the user is instantly redirected to the confirmation page. it all happens under ssl and within an iframe so nothing visible is shown in the address bar.

theoretically a savvy user could watch the headers whilst making his purchase to see what kind of data is being sent back and forth. that would give him access to the authorisation number for his purchase. however without our secret encryption key, that auth number is useless to him.


1:19 am on Apr 6, 2012 (gmt 0)

WebmasterWorld Administrator coopster is a WebmasterWorld Top Contributor of All Time 10+ Year Member

It's those logs that kill ya ;) I'm with you, I would much rather see the data outside of the QUERY_STRING. Personal preference.
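
Added example, not part of the thread and not the gateway's own code: one way the return page could check the hash before trusting the GET parameters, and refuse to process the same return URL a second time if it is re-requested from browser history or a log. The field names, the HMAC-SHA256 construction and the secret are assumptions; the gateway's documentation defines the real ones.

```php
<?php
// Added example. Field names (order_id, amount, auth_no, hash), the HMAC-SHA256
// scheme and the secret are assumptions, not the gateway's documented format.
const GATEWAY_SECRET = 'constructed-demo-secret'; // load from config in real use

// Canonical string: every parameter except the hash itself, sorted by name.
function canonical_string(array $params): string
{
    unset($params['hash']);
    ksort($params, SORT_STRING);
    return http_build_query($params, '', '&', PHP_QUERY_RFC3986);
}

function sign_params(array $params, string $secret): string
{
    return hash_hmac('sha256', canonical_string($params), $secret);
}

// Returns 'ok', 'bad_request', 'bad_hash' or 'replay'.
// $seen stands in for a database table with a unique index on order_id.
function verify_return(array $query, string $secret, array &$seen): string
{
    foreach (['order_id', 'amount', 'auth_no', 'hash'] as $field) {
        if (!isset($query[$field]) || !is_string($query[$field])) {
            return 'bad_request';
        }
    }
    // hash_equals compares in constant time, so the check leaks no prefix match.
    if (!hash_equals(sign_params($query, $secret), $query['hash'])) {
        return 'bad_hash';
    }
    // A valid URL can be requested again (history, logs, referrer): process once.
    if (isset($seen[$query['order_id']])) {
        return 'replay';
    }
    $seen[$query['order_id']] = true;
    return 'ok';
}

// Constructed sample parameters, standing in for what $_GET would hold.
$good = ['order_id' => '1001', 'amount' => '49.90', 'auth_no' => 'A12345'];
$good['hash'] = sign_params($good, GATEWAY_SECRET);
$tampered = ['amount' => '0.01'] + $good; // amount changed, hash left as it was

$seen = [];
foreach (['genuine' => $good, 'tampered' => $tampered, 'repeat' => $good] as $label => $query) {
    echo $label, ': ', verify_return($query, GATEWAY_SECRET, $seen), "\n";
}
```

Only the 'ok' result should lead to marking the order paid and redirecting to the confirmation page; the other results should be rejected without echoing the parameters back.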
