how to make sure POST data comes from specific domain? | ansaurus

tags:

views:

34

answers:

2

Q:

how to make sure POST data comes from specific domain?

I have a page confirm_payment.php receiving POST data from other pages. How can I make sure this POST data comes only from one specific domain?

I cannot rely on IP addresses as in my case this might change. I want to avoid "fake" submissions to my confirm_payment.php server side code.

Without going into details this is to make sure that my page receives confirmation from payment gateway hosted page and confirmation is genuine.

+1 A:

John Conde had a great explanation on how to solve your problem at: http://stackoverflow.com/questions/3251293/sending-data-to-payment-gateway-and-back-possible-problems/3255907#3255907

If you need more information, please go back to your original question.

Chris Lively 2010-07-28 00:32:30

please let me know if I am missing something but isn't is still unsecure as when user redirected to payment gateway page still can easily look up hidden input fields, create own form with those fields and submit it back to my page? This variables usually are clearly shown as hidden input fields as far as I know, at least in case of eWay (http://www.eway.com.au/Developer/eway-api/shared-payment-solution.aspx). I'm guessing its the case with other payment gateways too. Any other options you can think of?

spirytus 2010-07-28 00:37:54

@spirytus: If eWay is putting ALL of the data you pass to them in a hidden input field on their side (including the unique id's) then you need to move to a different gateway. That's not how anyone else does it.

Chris Lively 2010-07-28 00:52:24

A:

You should have your server generate a nonce (number used once) that gets posted, and validated (since your server generated this number it can determine genuine posts)

Pierreten 2010-07-28 00:34:26

related questions

static variables in an inlined function

Your preferred C/C++ header policy for big projects?

What do I need for a compliant email header

Precedence: header in email

What is the preferred way to redirect a request in Pylons without losing form data?

Tool for adding license headers to source files?

How to order headers in .NET C++ projects

PHP: Current encoding used to send data to the browser

Decode an UTF8 email header

How to show data in the header of SSRS 2005 MULTIPAGE report?

Adding headers to mail coming via exim4

Adding custom headers

Tool for identifying superfluous header files in c++

Reuse define statement from .h file in C# code

Best resources for converting C/C++ dll headers to Delphi?

Tools for finding unused function declarations?

Parsing HTTP Headers

How should I detect unnecessary #include files in a large C++ project?

How to set the header sort glyph in a .NET ListView?

Other file doesn't recognizes other file's class C++

How do I show data in the header of a SQL 2005 Reporting Services report?

Easiest way to add a Header and Footer to a Printing.PrintDocument (.Net 2.0)?

Organization of C files

Tool to track #include dependencies

HTTP: Generating ETag Header