Hi again, I made a point of not using cookies on our gateway..
For the simple reason that you can't guarantee that the user will accept them or that the client is capable of accepting them.. personally I deny any cookie that isn't set to expire within a day of being set. You are correct about often the same techniques being used for spying, its sad that that is the case, but that doesn't mean that ecommerce should stop using them. Wait till paladium hits us.. then it will all be digitally signed and available to M$ and all its advertisers (agreed to via EULA) and the web will suck worse. <quote> I was talking about a different issue. It is true that my stored 'privacy info' is either blank or wrong, but the info I submit is correct. I also selectively accept SESSION cookies to store this info for the transaction. I DON'T accept it if this personal info is coded to stay in my computer until 2025. :-) Wouldn't an encrypted SESSION cookie take care of your concerns, assuming you could get enough user trust to accept it? </quote> How do we validate that it was YOU that submitted that info if you show up as blank in all validation??? Cookies are not safe.. a combination of SSL, server session files and other things are far more secure. having said that, many clients dont' have their own payment gateways and rely on third party servers like the one I worked for. Problem is that they usually have some sort of cart, that links to the payment gateway. which links back to the cart (for receipts/email etc) So, we have HTML/forms that are part of the cart which must be validated by the cart as having been from the cart itself, then we have communication to the gateway (usually SSL by this stage) to be validated, and finially we have the return form the gateway to the cart. (usually not SSL unless they have their own Cert) To make sure all the communication between the users browser, the cart, and the payment gatway is all legit is a difficult task. Also take logging into account. our gateway stores no personally identity info at all, it does log IP address and the exact time of the transaction for some fraud info.. if someone tries funny business we need to know as much about them as possible.. so our gateway does a number of IP tests to ensure that should you be a nasty character, we at least have a starting point to come after you. The point is that if you don't have "some" valid data, we can't allow you to use the gateway because then we'd be opening the doors to all manner of fraud attempts. Right now, if you try using our gateway with any required info blocked, our gateway will redirect you to a page telling you why you can't be allowed to purchase. The web can be a nasty place for online stores.. don't punish the good guys (the ones that don't spam you silly or track you for advertising purposes). (our security was not limited to the above, we also created hashkeys of all form data to be validated at both ends to ensure its not changed and a number of other tests as well.. but nothing is perfect, we just have to do the best we can.) regards Franki
Want to buy your Pack or Services from MandrakeSoft? Go to http://www.mandrakestore.com