tags:

views:

700

answers:

1
+3  Q: 

How to create a secure credit card gateway using paypal / ruby on rails / active merchant.

I am creating a store using Active Merchant and PayPal sandbox right now. It seems to be working fine, but I don't think it is even remotely secure. I don't really know too much about HTTPS and how to implement secure connections.

I am currently passing the credit card and billing information in the session (probably not the smartest idea). My current code is posted below. I really need help with what direction and steps to take in order to make this a secure, usable store.

 def payment
session[:billing_address] = params[:billing_address] 
 end

 def summary
    @credit_card = params[:credit_card]
    session[:credit_card] = params[:credit_card]
    @billing_address = session[:billing_address]
    @cart = get_cart
    @purchases  = @cart.purchases
    @total = @cart.total
 end

 def finish
     @cart = get_cart
     @total = @cart.total

     credit_card = ActiveMerchant::Billing::CreditCard.new( session[:credit_card] )

     billing_address = session[:billing_address]

     flash[:notice] = credit_card.errors and return unless credit_card.valid?

     gateway = ActiveMerchant::Billing::PaypalGateway.new(:login=>$PAYPAL_LOGIN, :password=>$PAYPAL_PASSWORD)

     res = gateway.authorize(@total, credit_card, :ip=>request.remote_ip, :billing_address=>billing_address)

     if res.success?
        gateway.capture(@total, res.authorization)
        flash[:notice] = "Authorized" 
     else
        flash[:notice] = "Failure: " + res.message.to_s
     end    
  end
+7  A: 

There was a good railscast about how to implement ssl.

http://railscasts.com/episodes/143-paypal-security

Dan McNevin  2009-01-18 00:43:06
Okay. But is it alright to pass credit card information to the view in the session. Is that secure enough. Also, how do i make it work with https.
Sam  2009-01-18 21:08:56
If you want to have the whole site run under HTTPS the easiest way would be to run your Rails application using Passenger (http://www.modrails.com/) and then have Apache to use HTTPS for the virtual host that you're running on (http://www.securityfocus.com/infocus/1818)
Dan McNevin  2009-01-19 21:41:26
As to if passing the credit card information using the session. I remember reading that all of the session information is encrypted, which is with it uses the auth key in the forms, but I am not an authority on that area.
Dan McNevin  2009-01-19 21:42:59

related questions

Encryption in C# Web-Services
How Do You Secure database.yml?
ASP.NET LocationProvider
What do you (or your company) use for wiping a machine?
Can a proxy server cache SSL GETs? If not, would response body encryption suffice?
Java: What is the best way to SFTP a file from a server
How do I call a Flex SWF from a remote domain using Flash (AS3) ?
Best way to store a database password in a startup script / config file?
Using VM to get around VPN restrictions
Best references for secure coding practices in ASP.NET and classic ASP.
Secure Memory Allocator in C++
Resolving Session Fixation in JBoss
Best Practices for securing a REST API / web service
Defensive programming
Personal Linux web server
Block user access to internals of a site using HTTP_REFERER
Is there an Unobtrusive Captcha for web forms?
My website got hacked... What should I do?
What all do I need to escape when sending a (My)SQL query?
How do you disable browser Autocomplete on web form field / input tag?
Best .NET obfuscation tools/strategy
Are there best practices for testing security in an Agile development shop?
What is the best way to avoid SQL injection attacks?
Found a critical bug, but the company doesn't care
PHP Session Security