> Any data from the browser is subject to tampering. You can't rely on
> HTTP_REFERER - that's sent by the browser, and thus subject to the same sort
> of tampering as the form fields.


Then can you suggest the best way of tackling this situation...

 - website, basket and pre-checkout on one server
 - basket or orders table in database, each basket record tied to a session.userid value
 - secure payment area / checkout on another server
 - no database access from secure server to database on main website server

How can you make the basket / orders data tied to a user, together with the
prices for the products, accessible to the checkout section without
including them as hidden form fields which, obviously, can be tampered with?

I've seen one solution where a text file was written on the insecure server
and the filename passed as a form field to the secure area. The checkout
just CFHTTPed the text file, parsed out the order / product data and
displayed the totals... not an ideal way of doing it but seemed reasonably
effective.



Thanks in advance

-- 
Aidan Whitehall <[EMAIL PROTECTED]>
Netshopper UK Ltd
Advanced Web Solutions & Services

http://www.netshopperuk.com/
Telephone +44 (01744) 648650
Fax +44 (01744) 648651
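The following is an added example, not code from the post or from Netshopper, written in Python rather than ColdFusion so it runs stand-alone. It shows one way of handling the layout described above: the main site freezes the basket under a random, meaningless order reference and hands the browser a token consisting of that reference, the total and an issue time, signed with an HMAC over a secret that both servers hold (assumed to be configured out of band, never sent to the browser). The secure server verifies the signature and age before fetching the order snapshot by reference (the `ORDER_STORE` dictionary and `fetch_order_snapshot` are constructed stand-ins for the orders table and the CFHTTP fetch) and cross-checks the stored total against the signed one, so the hidden field still travels through the browser but any edit to it is detected.

```python
import hashlib
import hmac
import secrets
import time

# Assumption: a shared secret configured on both servers out of band
# (environment variable or config file); it is never sent through the browser.
SHARED_SECRET = b"replace-with-a-long-random-secret-held-on-both-servers"

# Constructed stand-in for the orders table on the main website server. In the
# two-server layout the secure server cannot query this directly; it fetches a
# snapshot over HTTP (the CFHTTP step in the post) using the order reference.
ORDER_STORE = {}


def issue_checkout_token(session_userid, basket_items, secret=SHARED_SECRET, now=None):
    """Main server: freeze the basket, store it under a random reference, and
    return a signed token the browser may carry to the secure checkout."""
    now = int(time.time()) if now is None else now
    order_ref = secrets.token_hex(16)  # unguessable and meaningless to the browser
    total_pence = sum(item["qty"] * item["price_pence"] for item in basket_items)
    ORDER_STORE[order_ref] = {
        "userid": session_userid,
        "items": list(basket_items),
        "total_pence": total_pence,
        "issued": now,
    }
    payload = f"{order_ref}:{total_pence}:{now}"
    sig = hmac.new(secret, payload.encode(), hashlib.sha256).hexdigest()
    return f"{payload}:{sig}"


def verify_checkout_token(token, secret=SHARED_SECRET, now=None, max_age_seconds=900):
    """Secure server: reject any token whose reference, total or timestamp was
    altered in transit, or which is older than max_age_seconds."""
    now = int(time.time()) if now is None else now
    parts = token.split(":")
    if len(parts) != 4:
        return None
    order_ref, total_str, issued_str, sig = parts
    payload = f"{order_ref}:{total_str}:{issued_str}"
    expected = hmac.new(secret, payload.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, sig):  # constant-time comparison
        return None
    if not (total_str.isdigit() and issued_str.isdigit()):
        return None
    if now - int(issued_str) > max_age_seconds:
        return None
    return {"order_ref": order_ref, "total_pence": int(total_str)}


def fetch_order_snapshot(order_ref):
    """Stand-in for the secure server fetching the order data by reference;
    in the real deployment this is an HTTP request back to the main server."""
    return ORDER_STORE.get(order_ref)


def checkout(token, now=None):
    """Full secure-server flow: verify the token, fetch the snapshot, and
    cross-check the stored total against the signed total before displaying it."""
    claims = verify_checkout_token(token, now=now)
    if claims is None:
        return None
    snapshot = fetch_order_snapshot(claims["order_ref"])
    if snapshot is None or snapshot["total_pence"] != claims["total_pence"]:
        return None
    return snapshot


if __name__ == "__main__":
    # Constructed sample basket: 2 x 15.00 + 1 x 2.50 = 32.50
    basket = [{"sku": "A1", "qty": 2, "price_pence": 1500},
              {"sku": "B2", "qty": 1, "price_pence": 250}]
    token = issue_checkout_token("sess-42", basket)
    print("valid checkout:", checkout(token))
    ref, total, issued, sig = token.split(":")
    print("tampered total:", checkout(f"{ref}:1:{issued}:{sig}"))
```

The random reference alone already stops a customer from pointing the checkout at someone else's order, and the signature stops them from editing the total; the timestamp bounds how long a captured token stays usable. Because the secure server still fetches the snapshot by reference, the totals it displays come from the main server's record rather than from anything the browser supplied.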

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Structure your ColdFusion code with Fusebox. Get the official book at 
http://www.fusionauthority.com/bkinfo.cfm

Archives: http://www.mail-archive.com/cf-talk@houseoffusion.com/
Unsubscribe: http://www.houseoffusion.com/index.cfm?sidebar=lists
