Login ID is viewable in source code in hidden fields?

Hi, I'm relatively new to Authorize.net, so forgive me if I'm missing something obvious here.  I'm currently working on a SIM integration.  Everything seems to be working fine, but the loginID I'm using is viewable in the page source (when the page is viewed in a web browser).  Is this a security risk?  How would I go about hiding it -- and still submitting the data to Authorize.net?  Thanks in advance for any help.  Here's my code:

    <?php
      require_once 'anet_php_sdk/AuthorizeNet.php';
      // Credentials. The API Login ID is sent to the browser in x_login; the
      // Transaction Key stays on the server and is only used to sign the fingerprint.
      $api_login_id    = "xxxxxxx";
      $transaction_key = "xxxxxxxx";
      // Normalise the posted amount to two decimals so the signed value and x_amount match exactly.
      $amount       = number_format((float) $_POST["amount"], 2, '.', '');
      $designation  = "This is a gift towards " . $_POST["designation"];
      $fp_timestamp = time();
      $fp_sequence  = "123" . time(); // Enter an invoice or other unique number.
      // HMAC fingerprint over login ID, sequence, timestamp and amount, keyed with the Transaction Key.
      $fingerprint = AuthorizeNetSIM_Form::getFingerprint($api_login_id, $transaction_key, $amount, $fp_sequence, $fp_timestamp);
      // Escape every value before echoing it into HTML.
      $h = function ($v) { return htmlspecialchars($v, ENT_QUOTES, 'UTF-8'); };
    ?>
    <p>Amount: <?php echo $h($amount); ?></p>
    <p>Designation: <?php echo $h($designation); ?></p>

    <form method="post" action="https://test.authorize.net/gateway/transact.dll">
      <input type="hidden" name="x_login" value="<?php echo $h($api_login_id); ?>" />
      <input type="hidden" name="x_fp_hash" value="<?php echo $h($fingerprint); ?>" />
      <input type="hidden" name="x_amount" value="<?php echo $h($amount); ?>" />
      <input type="hidden" name="x_description" value="<?php echo $h($designation); ?>" />
      <input type="hidden" name="x_fp_timestamp" value="<?php echo $h($fp_timestamp); ?>" />
      <input type="hidden" name="x_fp_sequence" value="<?php echo $h($fp_sequence); ?>" />
      <input type="hidden" name="x_version" value="3.1" />
      <input type="hidden" name="x_show_form" value="payment_form" />
      <input type="hidden" name="x_test_request" value="false" />
      <input type="hidden" name="x_method" value="cc" />
      <input type="submit" class="submit" value="Continue to Authorize.net" />
    </form>

slurve
Member
3 REPLIES

That's ok as long as the transaction key is secure. It's kinda like every *nix system has a user called root. We all know it but without the password it's useless to us.

John Conde :: Certified Authorize.Net Developer (Brainyminds) :: Official Authorize.Net Blogger

stymiee
Expert

I was thinking the same thing about the x_login.  The integration manual states very clearly that we should "share this with no one".  I'm wondering why, in that case, it is required to be posted in its own hidden field, and not just in the hashed field.  It makes no sense.  I'm assuming that the x_login is INTENDED to be made public in this type of integration, relying on the security of the password alone.  They really ought to address this in the integration guide.

In order to transfer the end-user to the Authorize.Net hosted payment form certain values must be included: the API Login ID, sequence number, timestamp, amount and the resulting fingerprint hash value that your script generates from these values along with your API Login ID and Transaction Key. Your API Login ID isn't considered to be secure unless it is viewable in conjunction with your Transaction Key.

Thank you,

Elaine
Trusted Contributor
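An added example (mine, not code from the thread or from the Authorize.Net SDK) in Python that models why the public x_login is not by itself the risk: the gateway only accepts the posted form when x_fp_hash matches an HMAC computed with the Transaction Key, which never leaves the merchant server, so editing a hidden field in the browser invalidates the fingerprint. The fingerprint layout (HMAC-MD5 over login^sequence^timestamp^amount^) is assumed to follow the SDK's getFingerprint; the credentials are constructed placeholders.

```python
import hmac
import hashlib
import time

# Constructed placeholder credentials, not real Authorize.Net values.
API_LOGIN_ID = "example_login_id"    # public: ends up in the x_login hidden field
TRANSACTION_KEY = "example_tx_key"   # secret: stays on the merchant server


def sim_fingerprint(api_login_id, transaction_key, amount, fp_sequence, fp_timestamp):
    """HMAC-MD5 over login^sequence^timestamp^amount^ keyed with the Transaction Key
    (assumed to mirror AuthorizeNetSIM_Form::getFingerprint)."""
    data = f"{api_login_id}^{fp_sequence}^{fp_timestamp}^{amount}^"
    return hmac.new(transaction_key.encode(), data.encode(), hashlib.md5).hexdigest()


def build_hidden_fields(amount, fp_sequence, fp_timestamp):
    """Merchant side: everything that is visible in the page source. The key itself
    is used here but never written into a field."""
    fp_timestamp = str(fp_timestamp)
    return {
        "x_login": API_LOGIN_ID,
        "x_amount": amount,
        "x_fp_sequence": fp_sequence,
        "x_fp_timestamp": fp_timestamp,
        "x_fp_hash": sim_fingerprint(API_LOGIN_ID, TRANSACTION_KEY, amount,
                                     fp_sequence, fp_timestamp),
    }


def gateway_accepts(fields, transaction_key):
    """Model of the gateway check: recompute the fingerprint from the posted fields
    using the key on file for x_login and compare in constant time."""
    expected = sim_fingerprint(fields["x_login"], transaction_key, fields["x_amount"],
                               fields["x_fp_sequence"], fields["x_fp_timestamp"])
    return hmac.compare_digest(expected, fields["x_fp_hash"])


if __name__ == "__main__":
    now = int(time.time())
    fields = build_hidden_fields("25.00", "123" + str(now), now)
    print("accepted as posted:", gateway_accepts(fields, TRANSACTION_KEY))
    tampered = dict(fields, x_amount="1.00")  # amount edited in the browser
    print("accepted after amount edit:", gateway_accepts(tampered, TRANSACTION_KEY))
```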