Search

OUR API

API Developer Guides API Reference Sample Code [on GitHub]
SDKs [on GitHub] API Change Log System Change Log
Upgrade Guide

Hello World

Get Started Common Setup Questions How Payments Work
Testing Guide Go-Live Checklist

Support

Get Support News and Announcements Forums
Authorize.Net on GitHub Authorize.Net on Stack Overflow Developer Blog
Response (Error) Codes FAQs Knowledge Base

Sign In

Sandbox Affiliate

Search Developer Site

Integration and Testing

Authorize.Net API questions and help with your payment integration.

Reply
Highlighted
Member
slurve
Posts: 1
Registered: ‎11-03-2010

Login ID is viewable in source code in hidden fields?

‎11-03-2010 12:59 PM

Hi, I'm relatively new to Authorize.net, so forgive me if I'm missing something obvious here.  I'm currently working on a SIM integration.  Everything seems to be working fine, but the loginID I'm using is viewable in the page source (when the page is viewed in a web browser).  Is this is a security risk?  How would I go about hiding it -- and still submitting the data to Authorize.net?  Thanks in advance for any help.  Here's my code:

 

 

    <?php
      require_once 'anet_php_sdk/AuthorizeNet.php';
      $loginid = "xxxxxxx";
      $x_tran_key = "xxxxxxxx";
      $amount = $_POST["amount"];
      $designation  = "This is a gift towards " . $_POST["designation"];
      $fp_timestamp = time();
      $fp_sequence = "123" . time(); // Enter an invoice or other unique number.
      $fingerprint = AuthorizeNetSIM_Form::getFingerprint($api_login_id,$transaction_key, $amount, $fp_sequence, $fp_timestamp);
    ?>
    <p>Amount: <?php echo $amount; ?></p>
    <p>Desigation: <?php echo $designation; ?></p>
    
    <form method='post' action="https://test.authorize.net/gateway/transact.dll">
      <input type='hidden' name="x_login" value="<?php echo $api_login_id?>" />
      <input type='hidden' name="x_fp_hash" value="<?php echo $fingerprint?>" />
      <input type='hidden' name="x_amount" value="<?php echo $amount?>" />
      <input type='hidden' name="x_description" value="<?php echo $designation ?>" />
      <input type='hidden' name="x_fp_timestamp" value="<?php echo $fp_timestamp?>" />
      <input type='hidden' name="x_fp_sequence" value="<?php echo $fp_sequence?>" />
      <input type='hidden' name="x_version" value="3.1">
      <input type='hidden' name="x_show_form" value="payment_form">
      <input type='hidden' name="x_test_request" value="false" />
      <input type='hidden' name="x_method" value="cc">
      <input type='submit' class="submit" value="Continue to Authorize.net">
    </form>

 

 

Message 1 of 4 (75,416 Views)
0 Kudos
Highlighted
stymiee
Posts: 1,476
Topics: 33
Kudos: 34
Solutions: 126
Registered: ‎09-14-2009

Re: Login ID is viewable in source code in hidden fields?

‎11-03-2010 01:03 PM

That's ok as long as the transaction key is secure. It's kinda like every *nix system has a user called root. We all know it but without the password it's useless to us.


-------------------------------------------------------------------------------------------------------------------------------------------
John Conde :: Certified Authorize.Net Developer (Brainyminds) :: Official Authorize.Net Blogger

NEW! Handling Authorize.Net's Webhooks with PHP

Integrate Every Authorize.Net JSON API with One PHP Class (Sample code included)

Tutorials for integrating Authorize.Net with PHP: AIM, ARB, CIM, Silent Post
All About Authorize.Net's Silent Post
Message 2 of 4 (75,414 Views)
0 Kudos
Highlighted
Member
Norton
Posts: 3
Registered: ‎04-25-2011

Re: Login ID is viewable in source code in hidden fields?

‎05-05-2011 01:15 PM

I was thinking the same thing about the x_login.  The integration manual states very clearly that we should 'share this with noone".  I'm wondering why, in that case, it is required to be posted in it's own hidden field, and not just in the hashed field.  It makes no sense.  I'm assuming that the x_login is INTENDED to be made public in this type of integration, relying on the security of the password alone.  They really ought to address this in the integration guide.

Message 3 of 4 (75,129 Views)
0 Kudos
Highlighted
Trusted Contributor
Trusted Contributor
Elaine
Posts: 451
Registered: ‎08-21-2009

Re: Login ID is viewable in source code in hidden fields?

‎05-09-2011 02:04 PM

In order to transfer the end-user to the Authorize.Net hosted payment form certain values must be included: the API Login ID, sequence number, timestamp, amount and the resulting fingerprint hash value that your script generates from these values along with your API Login ID and Transaction Key. Your API Login ID isn't considered to be secure unless it is viewable in conjunction with your Transaction Key.

 

 

Thank you,

 

Elaine

Message 4 of 4 (75,112 Views)
0 Kudos