topic Re: How to authenticate response of accept hosted form checkout in Integration and Testing

How to authenticate response of accept hosted form checkout

raviparmarce88 — Tue, 18 Jul 2017 17:53:04 GMT

I am using accept hosted payment form in iFrame.

I have question regarding to response of iFrame payment checkout process.

If some craft the same dummy response that authorize.net sending and pass that to our server then how can we authenticate that the response is the valid,original and it is against the same transaction for which token is generated.

In short is there anyway to authenticate the response is valid/not crafted/not modified and it is against that tranasction only for which we have generated token ?

Can anyone please let me know what is best practices of authenicate transaction response coming from authorize.net of iFrame checkout process ?

Note: I have tried with getTransactionDetail api with the help of transactionID coming in checkout response but what if that tranaction id is crafted or some get tranaction id and frequently use the same transaction id ?

Re: How to authenticate response of accept hosted form checkout

RichardH — Tue, 18 Jul 2017 18:19:17 GMT

Hello @raviparmarce88

Using getTransactionDetails is the correct method to confirm transaction details. All transaction IDs are unique and are associated to a specific gateway account. Because getTransactionDetails is server to server, you can be certain the information is secure and up to date.

Richard

Re: How to authenticate response of accept hosted form checkout

raviparmarce88 — Tue, 18 Jul 2017 18:44:41 GMT

@RichardH

Thanks for quick response.

Here I have a point.

If someone capture a real transction ID from the checkout response of iFrame.

Now again that person use the same transction id and craft the dummy response, place that same transaction id in that respone and send that response to our server(merchant's server) then in this case also getTransactionDetails would mark this as a valid one even it is not real respone coming from authoriz.net and crafted by someone else.

Here to overcome this I have used combination of both transaction id and submittime but again that same situation comes to my mind and that solution also failed.

Is there any best practice to ensure initial session is same as return confirmation from iFrame session. Just matching transaction ID and timestamp does not ensure same session

Hope you got my point...

Re: How to authenticate response of accept hosted form checkout

RichardH — Tue, 18 Jul 2017 19:32:11 GMT

Hello @raviparmarce88

We currently don't have a mechanism as you suggest to confirm the session, but I can see how that might be useful. Besides using getTransactionDetails, you could also confirm using a Webhook.

You are welcome to post this as a new feature using our Ideas forum. This will allow others to vote on and make suggestions to improve the request.

Richard

Re: How to authenticate response of accept hosted form checkout

raviparmarce88 — Wed, 19 Jul 2017 06:24:30 GMT

Thank you @RichardH,

I don't think webhook could be helpful in this, because what I understood from webhook document it is used for notification purpose. With it there is no way to identify or map the which webhook notification is for which order of our system because of nature of our applicaiton.

Also I found that there is no guarantee on timly execution of webhook. So, we cant use webhooks.