Reply
Highlighted
Member
Posts: 7
Registered: ‎02-10-2014

Passing response code via JavaScript

Just looking for some advice on best practices for passing the response code from Authorize.net's .dll response to my page via JavaScript.

 

I'll need to update payment status on my end depending on that response code, so I'm a little leary of just passing it via query string.

 

Theoretically someone could just modify the query string and update their status without paying.

 

What's considered best practice here? Do you encode the query vars somehow?

Highlighted
Expert
Posts: 4,525
Registered: ‎03-08-2010

Re: Passing response code via JavaScript

Here my 2 cents, when authorize.net call your relay response page, saved all the response post data you need to your database.

 

Then, on the relay page, do a javascript script redirect to your website order confirmation page with a unique key(transactionID from the transaction plus order number? incase the transaction fail without returning a transactionID) on the url that is not sequential, that you can use to recall the info that your saved on the relay response url page.

 

FYI, can't use the sessionid because the relay page is running on authorize.net. the sessionid on your website would be different.

Highlighted
Member
Posts: 7
Registered: ‎02-10-2014

Re: Passing response code via JavaScript

Unfortunately that won't work. I'm working with a third party content management system and I need some php libraries to be present before processing the response code so that I can interact with the CMS. Because I can't load the libraries into the relay response page, I have to redirect and pass along the data first.

Highlighted
Expert
Posts: 4,525
Registered: ‎03-08-2010

Re: Passing response code via JavaScript

Other suggestion would be to check for error(no transactionID) on the relay response page. If there is a transctionID then pass that with the javascript redirect, then use http://developer.authorize.net/api/transaction_details/ to get the response info.

Highlighted
Member
Posts: 7
Registered: ‎02-10-2014

Re: Passing response code via JavaScript

Right, that's not really my question. So I check for a $_POST of response code on my relay response page. If it's there I use JavaScript to go to mypage.php?response=1 (or whatever the response code is and pass along a few other variables in the query string).

 

On mypage.php I read the query string and update the payment status on my end. What's to stop a savvy user from manipulating the query string on mypage.php manually and changing their paymentstatus?

 

Granted it's not likely, but there are some savvy hackers out there. And the possibilty makes me nervous.

 

So I'm wondering if anyone else is somehow masking or encrypting their querystring params. Or are you using some completely different means to pass this sort of data?