
POST and redirect for payment system


    I am writing a bolt-on which web developers at clientco will be able to use to process payments through MPP's iPayment system.

    The protocol calls for a POST to an MPP URL, which then runs the user through the usual type of payment screens (credit card type, etc) and eventually POSTs back a yay or nay.

    However, the data in the initial POST request includes no verification hash. So if I use a client-side redirect then in principle it is wide open to malicious tinkering at the client end before being passed on.

    But if I do a server-side redirect, how will the user's browser know?

    I'm sure I've had this problem before, but I forget how I solved it (if indeed I did).

    I'm tempted just to go with the client-side redirect, because in practice nothing bad would probably happen. But this does involve money, and it is a clientco project. So I'd rather be professional about it, or at least alert the client if there is a chink in the armour, however slight.

    None of the above is intended as any criticism of MPP - I only started on this mini-project today, and may have missed some aspect that makes the process completely secure.
    Work in the public sector? Read the IR35 FAQ here
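
One way to handle the gap raised in the post above, as an added example that is not part of the original post and is not MPP's code: because the outbound POST carries no verification hash, the server keeps the authoritative order record and reconciles the payment result against it before fulfilling anything. The field names (`order_id`, `amount_pence`, `currency`, `status`), the `ORDERS` store and the assumption that the result reports the amount charged are all hypothetical; the page does not give the real iPayment fields.

```python
import secrets
from dataclasses import dataclass

# Hypothetical in-memory order store; a real bolt-on would use the site's database.
ORDERS = {}

@dataclass
class Order:
    amount_pence: int
    currency: str
    state: str = "pending"  # pending -> paid / failed / disputed

def create_order(amount_pence, currency="GBP"):
    """Record the authoritative price before the browser is sent to the gateway."""
    order_id = secrets.token_urlsafe(16)  # unguessable reference
    ORDERS[order_id] = Order(amount_pence, currency)
    return order_id

def outbound_fields(order_id):
    """Fields for the auto-submitted form; the browser can alter any of them."""
    o = ORDERS[order_id]
    return {"order_id": order_id, "amount_pence": str(o.amount_pence),
            "currency": o.currency}

def reconcile(result):
    """Compare the reported payment result (hypothetical fields) with the stored order."""
    order = ORDERS.get(result.get("order_id", ""))
    if order is None:
        return "unknown-order"
    if order.state != "pending":
        return "already-processed"  # duplicate or replayed result
    if result.get("status") != "ok":
        order.state = "failed"
        return "failed"
    try:
        paid = int(result.get("amount_pence", ""))
    except (TypeError, ValueError):
        paid = -1
    if paid != order.amount_pence or result.get("currency") != order.currency:
        order.state = "disputed"  # amount differs from what was ordered: do not fulfil
        return "amount-mismatch"
    order.state = "paid"
    return "paid"
```

The check only catches a changed amount if the result the server receives reflects what the gateway actually charged; whether iPayment's POST-back provides that is something to confirm in MPP's documentation.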
