I've got a shopping cart on a few sites where my original code passes the order number on the URL.
Now, my system checks to see if an Order Number is passed on the URL, and if so, checks to see if it's older than 30 minutes... if it is, I present a message saying it's expired... In the three years this has been used, I've never gotten a complaint from a client or shopper about the time frame.

My problem is this: someone claims they entered the site with a link that had someone else's order number in the URL and that they were able to see that person's personal information and this INCLUDED their credit card info!! Now, first, this can only happen if it's within that 30-minute period, but JEEZE LOUISE, I can never afford to allow that to happen.

Now, I have NO idea how they got that link with that order number, and rather than attempting to figure THAT out, I want to eliminate the Order Number from the URL. The problem is it's in a couple hundred locations on the site. I've read a bunch about session variables, UUIDs, and such, but I'm floundering here trying to figure out how to tap into a UUID process that's generated native to ColdFusion, rather than me creating the unique order number by a date/time scramble, then placing that into a cookie, THEN replacing the massive number of references on the site in some less than excruciatingly tedious and time-consuming way... especially when I factor in multiple sites!

Suggestions on best practices here?
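An added example, not part of the original post or the poster's code: one way to keep the order number in the session scope instead of on the URL, so a pasted link cannot select another shopper's order. The function names, the `orders` struct (a constructed in-memory stand-in for the orders table) and the `cardLast4` field are assumptions; in a real page the `session` scope would be passed as `sess`.

```cfml
<cfscript>
// Added example. "orders" is constructed sample data standing in for the
// orders table; startOrder/currentOrder and all keys are hypothetical names.

// Create an order and remember its ID server-side, in the session.
function startOrder(required struct sess, required struct orders) {
    var id = createUUID();   // built-in CFML function; the ID never leaves the server
    orders[id] = { created = now(), items = [], cardLast4 = "" };
    sess.orderId = id;       // stored in the session, not appended to links
    return id;
}

// Resolve the order from the session only. Anything supplied in url.* is
// ignored, so a link carrying someone else's order number selects nothing.
function currentOrder(required struct sess, required struct orders, numeric maxAgeMinutes = 30) {
    if (!structKeyExists(sess, "orderId") || !structKeyExists(orders, sess.orderId)) {
        return { ok = false, reason = "no order for this session" };
    }
    var order = orders[sess.orderId];
    // Same 30-minute rule as the existing cart, applied to the session's order.
    if (dateDiff("n", order.created, now()) >= maxAgeMinutes) {
        structDelete(sess, "orderId");
        return { ok = false, reason = "expired" };
    }
    // Return only what a page needs to display; the full card number is not included.
    return { ok = true, id = sess.orderId, items = order.items, cardLast4 = order.cardLast4 };
}

// Constructed demo: two shoppers, each represented by their own session struct.
orders = {};
alice  = {};
bob    = {};
startOrder(alice, orders);

aliceView = currentOrder(alice, orders);  // ok: Alice's session owns this order
bobView   = currentOrder(bob, orders);    // not ok: Bob's session has no order,
                                          // whatever order number his link carried
writeOutput("alice ok: " & aliceView.ok & "<br>");
writeOutput("bob ok: " & bobView.ok & " (" & bobView.reason & ")<br>");
</cfscript>
```

Because every page calls one lookup function instead of reading the URL, the couple hundred links can have the order number parameter removed gradually; once nothing reads it, a leftover parameter is harmless.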