Hi, I'm relatively new to Authorize.net, so forgive me if I'm missing something obvious here. I'm currently working on a SIM integration. Everything seems to be working fine, but the loginID I'm using is viewable in the page source (when the page is viewed in a web browser). Is this a security risk? How would I go about hiding it -- and still submitting the data to Authorize.net? Thanks in advance for any help. Here's my code:
11-03-2010 12:59 PM
That's ok as long as the transaction key is secure. It's kinda like every *nix system has a user called root. We all know it but without the password it's useless to us.
11-03-2010 01:03 PM
I was thinking the same thing about the x_login. The integration manual states very clearly that we should "share this with no one". I'm wondering why, in that case, it is required to be posted in its own hidden field, and not just in the hashed field. It makes no sense. I'm assuming that the x_login is INTENDED to be made public in this type of integration, relying on the security of the password alone. They really ought to address this in the integration guide.
05-05-2011 01:15 PM
In order to transfer the end-user to the Authorize.Net hosted payment form, certain values must be included: the API Login ID, sequence number, timestamp, amount and the resulting fingerprint hash value that your script generates from these values along with your API Login ID and Transaction Key. Your API Login ID isn't considered to be secure unless it is viewable in conjunction with your Transaction Key.
Thank you,
Elaine
05-09-2011 02:04 PM
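Added example (not part of the original thread, and not Authorize.Net's code): a server-side sketch of the fingerprint step described above, showing that the API Login ID ends up in the page source while the Transaction Key never does. It assumes the HMAC-MD5 construction over `login^sequence^timestamp^amount^` that the SIM guide documented at the time. The login, key and amount values are constructed placeholders, and the function names are hypothetical.

```python
import hashlib
import hmac
import html
import time

def sim_fingerprint(api_login_id, transaction_key, sequence, timestamp, amount):
    # Assumed SIM layout: caret-delimited fields with a trailing caret,
    # keyed with the Transaction Key (which stays on the server).
    msg = f"{api_login_id}^{sequence}^{timestamp}^{amount}^"
    return hmac.new(transaction_key.encode(), msg.encode(), hashlib.md5).hexdigest()

def hidden_fields(api_login_id, transaction_key, sequence, amount, timestamp=None):
    # Everything returned here is rendered into the page and is public.
    ts = str(int(time.time()) if timestamp is None else timestamp)
    seq = str(sequence)
    return {
        "x_login": api_login_id,
        "x_amount": amount,
        "x_fp_sequence": seq,
        "x_fp_timestamp": ts,
        "x_fp_hash": sim_fingerprint(api_login_id, transaction_key, seq, ts, amount),
    }

def render_form_inputs(fields):
    # HTML-escape names and values before writing them into the form.
    return "\n".join(
        f'<input type="hidden" name="{html.escape(k)}" value="{html.escape(v)}">'
        for k, v in fields.items()
    )

def fingerprint_matches(fields, transaction_key):
    # What the receiving side can do: recompute with the shared key and
    # compare in constant time. A changed amount or a wrong key fails.
    expected = sim_fingerprint(
        fields["x_login"], transaction_key,
        fields["x_fp_sequence"], fields["x_fp_timestamp"], fields["x_amount"],
    )
    return hmac.compare_digest(expected, fields["x_fp_hash"])

if __name__ == "__main__":
    LOGIN = "EXAMPLE_LOGIN_ID"        # constructed placeholder
    KEY = "EXAMPLE_TRANSACTION_KEY"   # constructed placeholder, server-side only
    fields = hidden_fields(LOGIN, KEY, sequence=1001, amount="19.99")
    print(render_form_inputs(fields))
    print("valid:", fingerprint_matches(fields, KEY))
    print("tampered amount valid:", fingerprint_matches(dict(fields, x_amount="0.01"), KEY))
```

Someone who views the page source gets `x_login` and one fingerprint bound to a single amount, sequence and timestamp; without the Transaction Key they cannot produce a valid fingerprint for different values.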