Passing response code via JavaScript

Just looking for some advice on best practices for passing the response code from Authorize.net's .dll response to my page via JavaScript.

I'll need to update payment status on my end depending on that response code, so I'm a little leery of just passing it via query string.

Theoretically someone could just modify the query string and update their status without paying.

What's considered best practice here? Do you encode the query vars somehow?

VFHwebdev145
Member

Here's my 2 cents: when Authorize.net calls your relay response page, save all the response post data you need to your database.

Then, on the relay page, do a JavaScript redirect to your website order confirmation page with a unique key (transactionID from the transaction plus order number? in case the transaction fails without returning a transactionID) on the URL that is not sequential, that you can use to recall the info that you saved on the relay response URL page.

FYI, can't use the sessionid because the relay page is running on Authorize.net. The sessionid on your website would be different.

RaynorC1emen7
Expert

Unfortunately that won't work. I'm working with a third party content management system and I need some php libraries to be present before processing the response code so that I can interact with the CMS. Because I can't load the libraries into the relay response page, I have to redirect and pass along the data first.

Another suggestion would be to check for an error (no transactionID) on the relay response page. If there is a transactionID, then pass that with the JavaScript redirect, then use http://developer.authorize.net/api/transaction_details/ to get the response info.

Right, that's not really my question. So I check for a $_POST of response code on my relay response page. If it's there I use JavaScript to go to mypage.php?response=1 (or whatever the response code is and pass along a few other variables in the query string).

On mypage.php I read the query string and update the payment status on my end. What's to stop a savvy user from manipulating the query string on mypage.php manually and changing their payment status?

Granted it's not likely, but there are some savvy hackers out there. And the possibility makes me nervous.

So I'm wondering if anyone else is somehow masking or encrypting their querystring params. Or are you using some completely different means to pass this sort of data?
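
As an added example (not part of any post in this thread, and not Authorize.net's own code): one way to make the redirect's query string tamper-evident is to have the relay page append an HMAC over the parameters and have mypage.php verify it before touching the payment status. The function names, the `SECRET` placeholder, the parameter names other than `response`, and the 300-second validity window are assumptions.

```php
<?php
// Added example. SECRET is a placeholder: use a long random key, keep it out
// of the web root, and share it only between the relay page and mypage.php.
const SECRET  = 'replace-with-a-long-random-key';
const MAX_AGE = 300; // seconds a signed redirect stays valid (assumed value)

// Relay page side: build the redirect query string and sign it.
function sign_query(array $params, string $secret, ?int $now = null): string
{
    $params['ts'] = $now ?? time();   // timestamp limits how long the URL is usable
    ksort($params);                   // canonical key order before signing
    $query = http_build_query($params);
    return $query . '&sig=' . hash_hmac('sha256', $query, $secret);
}

// mypage.php side: return the verified parameters, or null if the query
// string was modified, is missing fields, or has expired.
function verify_query(string $queryString, string $secret, ?int $now = null): ?array
{
    parse_str($queryString, $params);
    $sig = $params['sig'] ?? '';
    unset($params['sig']);
    if (!is_string($sig) || !isset($params['ts'])) {
        return null;
    }
    ksort($params);
    $expected = hash_hmac('sha256', http_build_query($params), $secret);
    if (!hash_equals($expected, $sig)) {   // constant-time comparison
        return null;
    }
    $age = ($now ?? time()) - (int) $params['ts'];
    if ($age < 0 || $age > MAX_AGE) {
        return null;
    }
    return $params;
}

// Constructed sample values, not real transaction data.
$qs = sign_query(['response' => '2', 'order' => 'A1001', 'trans_id' => '0'], SECRET);
var_dump(verify_query($qs, SECRET) !== null);       // untouched query string

// Changing response=2 to response=1 by hand invalidates the signature.
$forged = str_replace('response=2', 'response=1', $qs);
var_dump(verify_query($forged, SECRET));
```

A valid signed URL can still be replayed until it expires, so the status update on mypage.php should be idempotent per order. Looking the transaction up server-side, as suggested in the replies, remains the stronger check.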