topic Re: Passing response code via JavaScript in Integration and Testing

Passing response code via JavaScript

VFHwebdev145 — Tue, 11 Feb 2014 16:44:52 GMT

Just looking for some advice on best practices for passing the response code from Authorize.net's .dll response to my page via JavaScript.

I'll need to update payment status on my end depending on that response code, so I'm a little leary of just passing it via query string.

Theoretically someone could just modify the query string and update their status without paying.

What's considered best practice here? Do you encode the query vars somehow?

Re: Passing response code via JavaScript

RaynorC1emen7 — Tue, 11 Feb 2014 16:59:35 GMT

Here my 2 cents, when authorize.net call your relay response page, saved all the response post data you need to your database.

Then, on the relay page, do a javascript script redirect to your website order confirmation page with a unique key(transactionID from the transaction plus order number? incase the transaction fail without returning a transactionID) on the url that is not sequential, that you can use to recall the info that your saved on the relay response url page.

FYI, can't use the sessionid because the relay page is running on authorize.net. the sessionid on your website would be different.

Re: Passing response code via JavaScript

VFHwebdev145 — Tue, 11 Feb 2014 17:15:26 GMT

Unfortunately that won't work. I'm working with a third party content management system and I need some php libraries to be present before processing the response code so that I can interact with the CMS. Because I can't load the libraries into the relay response page, I have to redirect and pass along the data first.

Re: Passing response code via JavaScript

RaynorC1emen7 — Tue, 11 Feb 2014 17:31:01 GMT

Other suggestion would be to check for error(no transactionID) on the relay response page. If there is a transctionID then pass that with the javascript redirect, then use http://developer.authorize.net/api/transaction_details/ to get the response info.

Re: Passing response code via JavaScript

VFHwebdev145 — Tue, 11 Feb 2014 18:51:14 GMT

Right, that's not really my question. So I check for a $_POST of response code on my relay response page. If it's there I use JavaScript to go to mypage.php?response=1 (or whatever the response code is and pass along a few other variables in the query string).

On mypage.php I read the query string and update the payment status on my end. What's to stop a savvy user from manipulating the query string on mypage.php manually and changing their paymentstatus?

Granted it's not likely, but there are some savvy hackers out there. And the possibilty makes me nervous.

So I'm wondering if anyone else is somehow masking or encrypting their querystring params. Or are you using some completely different means to pass this sort of data?