Login ID is viewable in source code in hidden fields?
Hi, I'm relatively new to Authorize.net, so forgive me if I'm missing something obvious here. I'm currently working on a SIM integration. Everything seems to be working fine, but the loginID I'm using is viewable in the page source (when the page is viewed in a web browser). Is this a security risk? How would I go about hiding it -- and still submitting the data to Authorize.net? Thanks in advance for any help. Here's my code:
11-03-2010 12:59 PM
That's ok as long as the transaction key is secure. It's kinda like every *nix system has a user called root. We all know it but without the password it's useless to us.
-------------------------------------------------------------------------------------------------------------------------------------------
John Conde :: Certified Authorize.Net Developer (Brainyminds) :: Official Authorize.Net Blogger

11-03-2010 01:03 PM
I was thinking the same thing about the x_login. The integration manual states very clearly that we should "share this with no one". I'm wondering why, in that case, it is required to be posted in its own hidden field, and not just in the hashed field. It makes no sense. I'm assuming that the x_login is INTENDED to be made public in this type of integration, relying on the security of the password alone. They really ought to address this in the integration guide.
05-05-2011 01:15 PM
In order to transfer the end-user to the Authorize.Net hosted payment form, certain values must be included: the API Login ID, sequence number, timestamp, amount and the resulting fingerprint hash value that your script generates from these values along with your API Login ID and Transaction Key. Your API Login ID isn't considered to be secure unless it is viewable in conjunction with your Transaction Key.
Thank you,
Elaine
05-09-2011 02:04 PM
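The following is an added example, not code from any poster in this thread or from Authorize.Net. It sketches the server-side fingerprint step the replies describe, assuming the classic SIM format (HMAC-MD5 over `login^sequence^timestamp^amount^`, keyed with the Transaction Key); the credential values and helper names are constructed for illustration. It shows that the login ID travels in the hidden fields while the key never leaves the server, and that changing the amount in the browser invalidates the hash.

```python
import hashlib
import hmac
import time

# Constructed placeholder credentials; real values come from server-side config.
LOGIN_ID = "EXAMPLE_LOGIN"
TRANSACTION_KEY = "EXAMPLE_TXN_KEY"


def sim_fingerprint(login_id, transaction_key, sequence, timestamp, amount):
    """HMAC-MD5 of 'login^sequence^timestamp^amount^', keyed with the key."""
    message = f"{login_id}^{sequence}^{timestamp}^{amount}^"
    return hmac.new(transaction_key.encode(), message.encode(),
                    hashlib.md5).hexdigest()


def hidden_fields(login_id, transaction_key, sequence, amount, timestamp=None):
    """Build the values rendered as hidden inputs on the payment form.

    The login ID is included in clear; the transaction key is used only
    to compute x_fp_hash and is never placed in the returned fields.
    """
    timestamp = int(time.time()) if timestamp is None else timestamp
    return {
        "x_login": login_id,
        "x_fp_sequence": str(sequence),
        "x_fp_timestamp": str(timestamp),
        "x_amount": amount,
        "x_fp_hash": sim_fingerprint(login_id, transaction_key,
                                     sequence, timestamp, amount),
    }


def fingerprint_matches(fields, transaction_key):
    """Recompute the hash as the key holder would and compare in constant time."""
    expected = sim_fingerprint(fields["x_login"], transaction_key,
                               fields["x_fp_sequence"],
                               fields["x_fp_timestamp"], fields["x_amount"])
    return hmac.compare_digest(expected, fields["x_fp_hash"])


if __name__ == "__main__":
    form = hidden_fields(LOGIN_ID, TRANSACTION_KEY, 1001, "19.99")
    print(form)
    tampered = dict(form, x_amount="0.01")  # amount edited in the page source
    print(fingerprint_matches(form, TRANSACTION_KEY),
          fingerprint_matches(tampered, TRANSACTION_KEY))
```

Keep the Transaction Key in server-side configuration only; if it ever appears in page source, client-side script or a repository, rotate it.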
