I am passing sensitive data.  


So would it be secure to input the variables into a database on each page,
passing the record id, and then querying the DB on a subsequent page to pull
the data?  


If so, can I securely pass the record id via a form and somehow match it to
a specific CFID & CFTOKEN to then show that record id?

-----Original Message-----
From: Tangorre, Michael [mailto:[EMAIL PROTECTED]
Sent: Monday, March 15, 2004 12:26 PM
To: CF-Talk
Subject: RE: Session Variable

What kind of values do you want to pass in hidden form fields? They are
totally insecure, so I would avoid sensitive data.

Mike

> -----Original Message-----
> From: Robert Redpath [mailto:[EMAIL PROTECTED]
> Sent: Monday, March 15, 2004 12:13 PM
> To: CF-Talk
> Subject: RE: Session Variable
>
> I have also been getting errors as well when using session
> variables for a membership form.  (Good to know that IE doesn't
> like sessions)  I originally used session variables to
> prevent duplicate credit card charges. Is there any reason I
> can't just use a hidden form to pass variables from the credit
> card authorization page? Or is it better to use the CFTOKEN and CFID?
>
> My basic structure is:
> --------------------------------
> Form page
> -Set up a session giving each session a random number ID
> -Form - user inputs
> -on submit JavaScript form validating
> -goes to process page
>
> process page
> -some additional form validating
> -calculate totals $$
> -payment processing (Verisign PayflowPro)
> -sets all variables as session variables (total charges, etc...)
> -insert transaction record into DB
> -go to receipt page
>
> Receipt page
> -if successful transaction show receipt
> -if unsuccessful transaction show error message and ask user to check cc#, name, etc... on Form page
> -destroy session variables
>
> -----Original Message-----
> From: Dwayne Cole [mailto:[EMAIL PROTECTED]
> Sent: Sunday, March 14, 2004 12:01 PM
> To: CF-Talk
> Subject: RE: Session Variable
>
> >Dwayne,
> >
> >We don't rely on session variables for this sort of function as, as you
> >have found with the new privacy stuff in IE, sessions cannot be
> >relied upon.....
> >
> >
>
> This is awful. Hundreds of thousands of websites can be affected.
>
> >Instead, the way we do it is that we have a field in the orders table
> >that indicates completion of the payment or not. We insert the basket
> >contents into the order tables BEFORE we go to the payment gateway and
> >when we transfer to the gateway, we pass a custom form field that
> >carries the Order ID (most payment gateways do this).
>
> Instead of passing the orderID I would rather pass the CFID
> and the CFTOKEN.
> It serves the same purpose, a way to reference the order
> once the user is returned. Whatever the case, LinkPoint
> Basic, at least as far as I have tried, allows for you to pass
> custom fields but the values of the fields are empty when
> the shopper returns.
>
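
An added example, not part of the original thread: one way to keep the sensitive values in the database, pass only a record id through the form, and tie that id to the visitor's session, as asked at the top of this message. It is written in Python rather than ColdFusion; the session id string stands in for the CFID/CFTOKEN pair, and the function names, the in-memory `ORDERS` table and the sample values are assumptions made for the illustration.

```python
import hashlib
import hmac
import secrets

# Server-side secret. Generated here for the demo; in practice it is loaded
# from protected configuration and never sent to the browser.
SERVER_KEY = secrets.token_bytes(32)

# Stand-in for the orders table: record id -> row (constructed sample data).
ORDERS = {}


def _tag(session_id, record_id):
    """HMAC over the session id and record id, so the pair cannot be altered."""
    msg = f"{session_id}|{record_id}".encode()
    return hmac.new(SERVER_KEY, msg, hashlib.sha256).hexdigest()


def save_order(session_id, total):
    """Store the sensitive values server-side and record which session owns them."""
    record_id = str(len(ORDERS) + 1)
    ORDERS[record_id] = {"owner": session_id, "total": total}
    return record_id


def make_field(session_id, record_id):
    """Value for the hidden form field: record id plus a tag bound to this session."""
    return f"{record_id}.{_tag(session_id, record_id)}"


def load_order(session_id, field):
    """Return the row only if the field is untampered and belongs to this session."""
    record_id, sep, tag = field.partition(".")
    if not sep or not record_id.isdigit():
        return None  # malformed or missing tag
    expected = _tag(session_id, record_id)
    # Constant-time comparison; bytes so non-ASCII input cannot raise.
    if not hmac.compare_digest(tag.encode(), expected.encode()):
        return None  # record id was edited, or the tag was issued to another session
    row = ORDERS.get(record_id)
    if row is None or row["owner"] != session_id:
        return None  # defence in depth: the row itself names its owner
    return row
```

The hidden field then carries no sensitive data, and a record id copied or edited in the browser is rejected unless it was issued to the same session.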