
Sending sensitive information to an HTTPS page


Aggelos

Mar 21, 2007, 7:02:33 AM
Hello everyone,
I am trying to emulate sort of a Payment Gateway.
A user makes an order and then when he checks out he gets transferred
to the HTTPS page to enter his details.

At the moment I am storing the order in a temporary cart DB Table and
as a reference I use the Customer's ID
so I have

TABLE
Order_Temp
customerId | orderDateTime | ItemID

Once the order gets stored I redirect them using
header('Location:https://'.$url);
Now I have to pass somehow to the HTTPS page the reference for the
order so my $url looks like:
https://www.paymentgateway.com/checkout.php?customerId=123

The problem with that is that I expose the Customer Id which can easily
be changed to anything else.

What alternatives do I have?
I thought using POST might be a solution, BUT is it safe? Can you
fake an id of a user when you post a form by injecting code? And how
easy is that?

I was thinking of storing in the Temp_Order table the session_id and
then passing it through the URL? Is that safe?

I just want to know if there is a standard practice of doing something
like that.

Thank you, and I really appreciate anyone's time that is spent reading
my post :)

Regards.

Toby A Inkster

Mar 21, 2007, 11:44:05 AM
Aggelos wrote:

> The problem with that is that I expose the Customer Id which can easily
> be changed to anything else.

Sign the ID number, and then check the signature at the other end. I posted
example code to do this a couple of months ago:

http://message-id.net/<2r0v64-...@ophelia.g5n.co.uk>

--
Toby A Inkster BSc (Hons) ARCS
Contact Me ~ http://tobyinkster.co.uk/contact
Geek of ~ HTML/SQL/Perl/PHP/Python*/Apache/Linux

* = I'm getting there!
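
The approach suggested in this reply, signing the ID and checking the signature at the receiving end, sketched as an added example (it is not the code from the linked post, which is not reproduced on this page). The key constant, the `ts` and `sig` parameter names and the 15-minute lifetime are assumptions; signing stops the ID being changed but does not hide it.

```php
<?php
// Added example, not code from the thread. GATEWAY_KEY is a hypothetical
// shared secret: load it from configuration outside the web root.
const GATEWAY_KEY = 'replace-with-a-long-random-secret';
const MAX_AGE = 900; // assumed policy: signed links are valid for 15 minutes

// Build the query string for the redirect to checkout.php.
function sign_reference(int $customerId, int $issuedAt): string
{
    $mac = hash_hmac('sha256', $customerId . '.' . $issuedAt, GATEWAY_KEY);
    return http_build_query([
        'customerId' => $customerId,
        'ts'         => $issuedAt,
        'sig'        => $mac,
    ]);
}

// Return the customer ID only if the signature matches and the link is fresh.
function verify_reference(array $query, int $now): ?int
{
    foreach (['customerId', 'ts', 'sig'] as $key) {
        if (!isset($query[$key]) || !is_string($query[$key])) {
            return null; // missing field, or an array passed where a string is expected
        }
    }
    if (!ctype_digit($query['customerId']) || !ctype_digit($query['ts'])) {
        return null;
    }
    $expected = hash_hmac('sha256', $query['customerId'] . '.' . $query['ts'], GATEWAY_KEY);
    if (!hash_equals($expected, $query['sig'])) {
        return null; // constant-time comparison failed: a value was altered
    }
    if ($now - (int) $query['ts'] > MAX_AGE) {
        return null; // valid signature, but the link has expired
    }
    return (int) $query['customerId'];
}

// Constructed demo values.
$issued = 1174474953;
parse_str(sign_reference(123, $issued), $query);
var_dump(verify_reference($query, $issued + 60));                           // untouched link
var_dump(verify_reference(['customerId' => '124'] + $query, $issued + 60)); // edited ID
var_dump(verify_reference($query, $issued + 3600));                         // stale link
```

In checkout.php the call would be `verify_reference($_GET, time())`, with a `null` result treated as a rejected request.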

Aggelos

Mar 22, 2007, 7:23:08 AM
Thank you... I cannot get to the link but I hope I'll find a way to
get to your post... is it in the comp.lang.php ?

On Mar 21, 3:44 pm, Toby A Inkster <usenet200...@tobyinkster.co.uk>
wrote:


> Aggelos wrote:
> > The problem with that is that I expose the Customer Id which can easily
> > be changed to anything else.
>
> Sign the ID number, and then check the signature at the other end. I posted
> example code to do this a couple of months ago:
>

> http://message-id.net/<2r0v64-o98....@ophelia.g5n.co.uk>


>
> --
> Toby A Inkster BSc (Hons) ARCS

> Contact Me ~http://tobyinkster.co.uk/contact

Jerry Stuckle

Mar 22, 2007, 9:15:33 AM
Aggelos wrote:
> On Mar 21, 3:44 pm, Toby A Inkster <usenet200...@tobyinkster.co.uk>
> wrote:
>> Aggelos wrote:
>>> The problem with that is that I expose the Customer Id which can easily
>>> be changed to anything else.
>> Sign the ID number, and then check the signature at the other end. I posted
>> example code to do this a couple of months ago:
>>
>> http://message-id.net/<2r0v64-o98....@ophelia.g5n.co.uk>
>>
>> --
>> Toby A Inkster BSc (Hons) ARCS
>> Contact Me ~http://tobyinkster.co.uk/contact
>> Geek of ~ HTML/SQL/Perl/PHP/Python*/Apache/Linux
>>
>> * = I'm getting there!
>
>
> Thank you... I cannot get to the link but I hope I'll find a way to
> get to your post... is it in the comp.lang.php ?
>

(Top posting fixed)

Toby's suggestion is a good one. He just got the '<' and '>' in the
wrong place. Try:

<http://message-id.net/2r0v64-...@ophelia.g5n.co.uk>

And please don't top post.

--
==================
Remove the "x" from my email address
Jerry Stuckle
JDS Computer Training Corp.
jstu...@attglobal.net
==================

Toby A Inkster

Mar 22, 2007, 11:25:35 AM
Jerry Stuckle wrote:

> Toby's suggestion is a good one. He just got the '<' and '>' in the
> wrong place. Try:
>
> <http://message-id.net/2r0v64-...@ophelia.g5n.co.uk>

http://message-id.net/<2r0v64-...@ophelia.g5n.co.uk>
works fine. (I ought to know, as I own message-id.net.)

--
Toby A Inkster BSc (Hons) ARCS

Contact Me ~ http://tobyinkster.co.uk/contact

Jerry Stuckle

Mar 22, 2007, 6:42:03 PM
Toby A Inkster wrote:
> Jerry Stuckle wrote:
>
>> Toby's suggestion is a good one. He just got the '<' and '>' in the
>> wrong place. Try:
>>
>> <http://message-id.net/2r0v64-...@ophelia.g5n.co.uk>
>
> http://message-id.net/<2r0v64-...@ophelia.g5n.co.uk>
> works fine. (I ought to know, as I own message-id.net.)
>

Not for me it doesn't, Toby. Thunderbird tells Firefox to load it with
the extra chars.

Works fine as I had it.

Aggelos

Mar 22, 2007, 6:12:00 PM
On Mar 22, 10:42 pm, Jerry Stuckle <jstuck...@attglobal.net> wrote:
> Toby A Inkster wrote:
> > Jerry Stuckle wrote:
>
> >> Toby's suggestion is a good one. He just got the '<' and '>' in the
> >> wrong place. Try:
>
> >> <http://message-id.net/2r0v64-o98....@ophelia.g5n.co.uk>
>
> >http://message-id.net/<2r0v64-o98....@ophelia.g5n.co.uk>

> > works fine. (I ought to know, as I own message-id.net.)
>
> Not for me it doesn't, Toby. Thunderbird tells Firefox to load it with
> the extra chars.
>
> Works fine as I had it.
Yes it works like Jerry had it :p
Thanks both of you though.
I think that I am not going to use that solution though as you can
still decode it if you know the algorithm... what I do is create a
random seed which I store in a DB with the id I want and then just
compare that seed again with the database to get the id whenever I
need it.

So before I send the user to the Secure site I create the random
string, then redirect to the url setting the
https://www.paymentgateway.com/checkout.php?customerId=$randomString
and in the checkout.php script I select the record from the DB with
that random string returning the original customerId. This way it is
never visible to the possible "malicious" User.

Thanks.
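
The random-reference scheme described in the post above, as an added example that is not the poster's code: the table and column names, the token length, the single-use rule and the 15-minute lifetime are assumptions, and an in-memory SQLite database stands in for the real one.

```php
<?php
// Added example, not code from the thread. Table and column names are
// hypothetical; sqlite::memory: stands in for the shop's real database.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE order_ref (
    token_hash  TEXT PRIMARY KEY,
    customer_id INTEGER NOT NULL,
    expires_at  INTEGER NOT NULL)');

// Create the random string that goes into the redirect URL.
function issue_reference(PDO $db, int $customerId, int $now, int $ttl = 900): string
{
    $token = bin2hex(random_bytes(32)); // 256 bits from the OS CSPRNG
    // Store only a hash, so a leaked table does not yield usable links.
    $db->prepare('INSERT INTO order_ref VALUES (?, ?, ?)')
       ->execute([hash('sha256', $token), $customerId, $now + $ttl]);
    return $token;
}

// Map the random string back to the customer ID, once, within its lifetime.
function redeem_reference(PDO $db, string $token, int $now): ?int
{
    if (!preg_match('/\A[0-9a-f]{64}\z/', $token)) {
        return null; // wrong shape: never reaches the database
    }
    $hash = hash('sha256', $token);
    $sel = $db->prepare(
        'SELECT customer_id FROM order_ref WHERE token_hash = ? AND expires_at >= ?');
    $sel->execute([$hash, $now]);
    $id = $sel->fetchColumn();
    // Single use: only the request whose DELETE removes the row may proceed.
    $del = $db->prepare('DELETE FROM order_ref WHERE token_hash = ?');
    $del->execute([$hash]);
    if ($id === false || $del->rowCount() !== 1) {
        return null;
    }
    return (int) $id;
}

// Constructed demo values.
$now   = 1174601520;
$token = issue_reference($db, 123, $now);
$url   = 'https://www.paymentgateway.com/checkout.php?customerId=' . $token;
var_dump(redeem_reference($db, $token, $now + 30));          // first use
var_dump(redeem_reference($db, $token, $now + 31));          // replay of the same link
var_dump(redeem_reference($db, str_repeat('0', 64), $now));  // guessed value
```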

Jerry Stuckle

Mar 23, 2007, 12:26:56 AM

Actually, it should be pretty safe if you make the seed long enough.

The only problem would be if someone could get access to your source
files and see the seed. But if they could do that, they could also see
any seed you use, along with the algorithm.

A sysadmin could do it, for instance. So could most hosting companies
(unless you have a colo). And if you can't trust your hosting company
you're in real trouble.

Toby A Inkster

Mar 23, 2007, 5:06:43 AM
Jerry Stuckle wrote:

> Not for me it doesn't, Toby. Thunderbird tells Firefox to load it with
> the extra chars.

The "extra chars" (by which, I'm assuming you mean the angled brackets) are
*part* of the message ID. Note the Message-ID header of this message: it
starts with a '<' and ends with a '>'.

If you copy and paste the following URL into a browser (all of it,
including the angled brackets), you should see it works:

http://message-id.net/<2r0v64-...@ophelia.g5n.co.uk>

The following will also work

http://message-id.net/2r0v64-...@ophelia.g5n.co.uk

but only because the PHP code at message-id.net is smart enough to
transparently add on the angled brackets. However, in the case of
Message-IDs that don't contain an at-sign (and some older newsreaders
would produce articles that didn't), the second URL wouldn't work, as
Message-ID.net uses the presence of either an at-sign or angled brackets to
detect if the URL contains a Message-ID.

Compare:
http://message-id.net/<anews.Aucbarpa.111>
http://message-id.net/anews.Aucbarpa.111

Jerry Stuckle

Mar 23, 2007, 9:53:22 AM
Toby A Inkster wrote:
> Jerry Stuckle wrote:
>
>> Not for me it doesn't, Toby. Thunderbird tells Firefox to load it with
>> the extra chars.
>
> The "extra chars" (by which, I'm assuming you mean the angled brackets) are
> *part* of the message ID. Note the Message-ID header of this message: it
> starts with a '<' and ends with a '>'.
>
> If you copy and paste the following URL into a browser (all of it,
> including the angled brackets), you should see it works:
>
> http://message-id.net/<2r0v64-...@ophelia.g5n.co.uk>
>
> The following will also work
>
> http://message-id.net/2r0v64-...@ophelia.g5n.co.uk
>
> but only because the PHP code at message-id.net is smart enough to
> transparently add on the angled brackets. However, in the case of
> Message-IDs that don't contain an at-sign (and some older newsreaders
> would produce articles that didn't), the second URL wouldn't work, as
> Message-ID.net uses the presence of either an at-sign or angled brackets to
> detect if the URL contains a Message-ID.
>
> Compare:
> http://message-id.net/<anews.Aucbarpa.111>
> http://message-id.net/anews.Aucbarpa.111
>
Hi, Toby,

Ah, but '<...>' has a meaning in usenet and email clients to be a
non-wrapping line - so you can put very long URLs and not have the wrap.
And Thunderbird takes the as a break. Effectively you have two pieces
here:

http://message-id.net/

and

2r0v64-...@ophelia.g5n.co.uk


clicking before the '<' just takes one to message-id.net with no
parameters. Clicking between the '<' and '>' tries to send a message to
2r0v64-...@ophelia.g5n.co.uk.

So while it works when pasted into a browser, it doesn't from at least
one popular newsreader client. IMHO, it's not a good idea to use '<'
and '>' in message id's because they have special meanings.

Toby A Inkster

Mar 23, 2007, 9:27:36 AM
Jerry Stuckle wrote:

> IMHO, it's not a good idea to use '<' and '>' in message id's because
> they have special meanings.

Yet, they have been mandated as part of Usenet Message-IDs since RFC 1036
came out twenty years ago.

http://www.ietf.org/rfc/rfc1036.txt

| 2.1.5. Message-ID
|
[...]
| Message-ID's have the syntax:
| <string not containing blank or ">">
[...]
| The angle brackets are considered part of the Message-ID. Thus, in
| references to the Message-ID, such as the ihave/sendme and cancel
| control messages, the angle brackets are included.
[...]

Jerry Stuckle

Mar 23, 2007, 5:44:51 PM
Toby A Inkster wrote:
> Jerry Stuckle wrote:
>
>> IMHO, it's not a good idea to use '<' and '>' in message id's because
>> they have special meanings.
>
> Yet, they have been mandated as part of Usenet Message-IDs since RFC 1036
> came out twenty years ago.
>
> http://www.ietf.org/rfc/rfc1036.txt
>
> | 2.1.5. Message-ID
> |
> [...]
> | Message-ID's have the syntax:
> | <string not containing blank or ">">
> [...]
> | The angle brackets are considered part of the Message-ID. Thus, in
> | references to the Message-ID, such as the ihave/sendme and cancel
> | control messages, the angle brackets are included.
> [...]
>

Toby,

That's true when viewing the message via usenet. However, your link
views it through the http protocol - and that's a different story.

'<' and '>' are not valid characters in a link and must be escaped to
their hex equivalents (%3c and %3e, respectively).

http://message-id.net/%3c2r0v64...@ophelia.g5n.co.uk%3e

would be the correct link.

Jerry Stuckle

Mar 23, 2007, 5:49:31 PM
Toby A Inkster wrote:
> Jerry Stuckle wrote:
>
>> IMHO, it's not a good idea to use '<' and '>' in message id's because
>> they have special meanings.
>
> Yet, they have been mandated as part of Usenet Message-IDs since RFC 1036
> came out twenty years ago.
>
> http://www.ietf.org/rfc/rfc1036.txt
>
> | 2.1.5. Message-ID
> |
> [...]
> | Message-ID's have the syntax:
> | <string not containing blank or ">">
> [...]
> | The angle brackets are considered part of the Message-ID. Thus, in
> | references to the Message-ID, such as the ihave/sendme and cancel
> | control messages, the angle brackets are included.
> [...]
>

BTW - the applicable rfc is 2396: http://rfc.net/rfc2396.html.
