topic Re: Login ID is viewable in source code in hidden fields? in Integration and Testing

Login ID is viewable in source code in hidden fields?

slurve — Wed, 03 Nov 2010 19:59:07 GMT

Hi, I'm relatively new to Authorize.net, so forgive me if I'm missing something obvious here. I'm currently working on a SIM integration. Everything seems to be working fine, but the loginID I'm using is viewable in the page source (when the page is viewed in a web browser). Is this is a security risk? How would I go about hiding it -- and still submitting the data to Authorize.net? Thanks in advance for any help. Here's my code:

<?php

require_once 'anet_php_sdk/AuthorizeNet.php';

$loginid = "xxxxxxx";

$x_tran_key = "xxxxxxxx";

$amount = $_POST["amount"];

$designation = "This is a gift towards " . $_POST["designation"];

$fp_timestamp = time();

$fp_sequence = "123" . time(); // Enter an invoice or other unique number.

$fingerprint = AuthorizeNetSIM_Form::getFingerprint($api_login_id,$transaction_key, $amount, $fp_sequence, $fp_timestamp);

<p>Amount: <?php echo $amount; ?></p>

<p>Desigation: <?php echo $designation; ?></p>

</form>

Re: Login ID is viewable in source code in hidden fields?

stymiee — Wed, 03 Nov 2010 20:03:41 GMT

That's ok as long as the transaction key is secure. It's kinda like every *nix system has a user called root. We all know it but without the password it's useless to us.

Re: Login ID is viewable in source code in hidden fields?

Norton — Thu, 05 May 2011 20:15:53 GMT

I was thinking the same thing about the x_login. The integration manual states very clearly that we should 'share this with noone". I'm wondering why, in that case, it is required to be posted in it's own hidden field, and not just in the hashed field. It makes no sense. I'm assuming that the x_login is INTENDED to be made public in this type of integration, relying on the security of the password alone. They really ought to address this in the integration guide.

Re: Login ID is viewable in source code in hidden fields?

Elaine — Mon, 09 May 2011 21:04:20 GMT

In order to transfer the end-user to the Authorize.Net hosted payment form certain values must be included: the API Login ID, sequence number, timestamp, amount and the resulting fingerprint hash value that your script generates from these values along with your API Login ID and Transaction Key. Your API Login ID isn't considered to be secure unless it is viewable in conjunction with your Transaction Key.

Thank you,

Elaine