tags:

views:

247

answers:

2
Q: 

How can I collect data securely from client web sites

Hi,

I need to provide a code snippet to my clients that they can add to their website, similar to the google analytics code, e.g

<script type="text/javascript">
var gaJsHost = (("https:" == document.location.protocol) ? "https://ssl." : "http://www.");
document.write(unescape("%3Cscript src='" + gaJsHost + "google-analytics.com/ga.js' type='text/javascript'%3E%3C/script%3E"));
</script>
<script type="text/javascript">
try{
var pageTracker = _gat._getTracker("UA-xxxxxx-x");
pageTracker._trackPageview();
} catch(err) {}
</script>

but I need it to collect some values from the customers ecommerce site. They would add the code to their site and then we would receive the values and add them to our sql database. They will provide the values either client side or server side depending on the code we give to them.

Can anyone suggest a secure way to do this? The simpler the better as far as the client is concerned.

Thanks for any suggestions.

A: 

Javascript is client-side technology. Because browsers to not allow cross-site scripting, your client would have to host the script so that it has access to the rest of the page. It does of course not have access to the ecommerce application on the server, since it runs on the client. It could concievably make an Ajax request to the ecommerce server to get data, but that means you need to place code on the server that can handle such a request, and it would make sense to do this entirely server-side. I am not sure what kind of information you are trying to collect, but it seems that there is not too much you can collect on the client.

Anyways, your Javascript could then send a request to your own site when it renders in the user's browser, by inserting an invisible image for instance, and pass along information in the query string - which is not secure.

cdonner  2009-02-26 12:40:51
Thanks for this. We are open to client-side or server-side code, we just want it as simple as possible for the client to add. The type of information we would be collecting might be transaction value, id etc.
78lro  2009-02-26 12:59:16
I think you need to tell more about what you are trying to do. There is not really anything else that can be said without understanding the problem.
cdonner  2009-02-26 20:34:37
Okay. When a transaction completes on my clients website I need to collect some data about the transaction. They will need to add the code to their site (which is why it needs to be as simple as possible). It will need to pass the value, transactionid and email address of the buyer. Does that help?
78lro  2009-02-27 09:02:28
This is clearly a server-side component. Javascript will not be helpful. I can't give you advice for implementing this without knowledge of the commerce software that you need to support.
cdonner  2009-02-27 19:48:20
A: 

You are going to need to do it server side. For security reasons, the browser is either not going to allow a post to another site while in an ssl session or provide a really lovely security warning to the user making them feel like they are being hacked.

I would create a webservice on your server and provide the client some sample code to call it from their server.

DancesWithBamboo  2009-02-26 13:57:35
Thanks DancesWithBamboo. Would I be able to do this securely and prevent it from sending through duplicate values i.e. prevent a refresh sending the values again? If they were to send values more than once they could benefit financially in our process :)
78lro  2009-02-26 14:44:50

related questions

Encryption in C# Web-Services
How Do You Secure database.yml?
ASP.NET LocationProvider
What do you (or your company) use for wiping a machine?
Can a proxy server cache SSL GETs? If not, would response body encryption suffice?
Java: What is the best way to SFTP a file from a server
How do I call a Flex SWF from a remote domain using Flash (AS3) ?
Best way to store a database password in a startup script / config file?
Using VM to get around VPN restrictions
Best references for secure coding practices in ASP.NET and classic ASP.
Secure Memory Allocator in C++
Resolving Session Fixation in JBoss
Best Practices for securing a REST API / web service
Defensive programming
Personal Linux web server
Block user access to internals of a site using HTTP_REFERER
Is there an Unobtrusive Captcha for web forms?
My website got hacked... What should I do?
What all do I need to escape when sending a (My)SQL query?
How do you disable browser Autocomplete on web form field / input tag?
Best .NET obfuscation tools/strategy
Are there best practices for testing security in an Agile development shop?
What is the best way to avoid SQL injection attacks?
Found a critical bug, but the company doesn't care
PHP Session Security