Our app relies on 3rd party payment services to handle credit card processing. Our typical approach for handling those calls is to populate a web form with hidden vars containing the required data and write the page to the response stream, using javascript to automatically submit the form to the remote site.
The problem is that one of these services requires authentication keys to be submitted in plain text. This is a security issue since it's possible to intercept the launching page while the script is being executed, so I need an alternate method.
My first thought was to use wwHTTP to populate the POST fields and submit the page. But that all happens on the server side - I don't know how to actually redirect the user to the payment site. If I use Response.Redirect() I see no way to send the POST vars.
I've been told that I can do this using cURL and am looking into it - wondered if anyone has an alternate suggestion.
--stein
Native HTTP Redirects cannot be POST. They have to be GET requests.
Now if you're using wwHTTP you can explicitly take over the redirects by turning off automatic redirect handling, and then look for the 301 or 302 requests, capture the URL and then and then issue a POST to that URL explicit.
+++ Rick ---
If wwHTTP can explicitly take over redirects, that would seem to be the ideal solution - but I can't figure out how to apply your suggestions to my situation (due, I'm sure, to my limited grasp of the underlying technologies).
Let me set up a trivial example for purposes of this discussion. I want to the user to end up on this site: https://www.acewareuniversity.com/wconnect/CourseStatus.awp
But a plain redirect triggers a "missing course code" message -- I need to have that code in the POST buffer. I can get the desired response with the following code:
SET PROCEDURE TO wwhttp ADDITIVE
loHTTP = CREATEOBJECT([wwHTTP])
lcURL = [https://acewareuniversity.com/CourseStatus.awp]
loHttp.Addpostkey("txtCourse","20SART101A")
loHTTP.cHTTPVerb = [POST]
lcResult = loHTTP.Httpget(lcURL)
Response.write(lcResult)
But that just displays the result to the user without redirecting - they are still sitting on my local site. I need them to end up with the acewareuniversity.com link in their address bar. Is that possible?
--stein
First off - if this is a site that you control, why don't you change the logic so that it can accept a Query String value as well? Make it so you can pass:
https://acewareuniversity.com/CourseStatus.awp?courseid=1234
then handle that in the application. That will allow you to capture the code and forward it to the other site when you redirect.
I looked at that URL above but it doesn't redirect, so I can't really see what you're trying to do.
+++ Rick ---
I was just using that address for demonstration purposes. The actual site is a payment service at convergepay.com which of course I have no control over.
I need to direct the user to the convergepay site AND send post data in the same operation.
Is it possible to do that with wwHTTP?
--stein
Yes you can but my question is why.
If you know that the site is redirecting, why not just look and see what the redirect URL is and go directly to the redirected URL and POST the data there? IOW, instead of POSTing to the original URL post to the redirected URL directly. That's what you would be doing with redirect interception anyway.
+++ Rick ---
You mean create a form something like this?
<form action="www.convergepay.com\paymentservice" method="POST" name="AutoForm">
<input type="hidden" name="ssl_merchant_ID" value="#########" />
<input type="hidden" name="ssl_user_ID" value="#########" />
<input type="hidden" name="ssl_pin" value="########" />
<input type="hidden" name="ssl_transaction_type" value="CCSALE" />
<input type="hidden" name="ssl_show_form" value="true" />
<input type="hidden" name="ssl_amount" value="99.99" />
<input type="submit" value="Click Here To Pay">
</form>
That's how we've been doing it for the past several years. The problem is that some of the fields (ssl_pin, etc) contain sensitive data that could potentially be exposed. As it is now, we include javascript that auto-submits the form, but if a user is very quick they can intercept it and thus view the field contents. This is concerning to our client and they have asked us to close the loophole.
There may be a way to populate and submit the above form without leaving the fields open, but I don't know how to do it. But if I could post directly to the service using wwHTTP, it would all happen on the server side with no chance for the end user to hijack the information.
I'm happy to use whatever method is most expedient, as long as it gets the POST done while resolving the security issue.
--stein
No that's not what I meant, although if that works that would be the ideal solution.
But if you capture the original form on your site you can capture the input data, then repost it to the remote server form with wwHttp (if it's a single post anyway), capture the remote's output and return that back as a the HTTP response to the original request.
However that'll only really work if the remote form doesn't have all sorts of other things associated with it like security, cookies etc. required to fill the form.
If the input form is not on your site, then you're out of luck because you won't be able to forward the POST data. The protocol just doesn't support nor should it - it'd be a huge security risk.
I'm not sure I actually understand the flow you're trying to build, but offhand I'm guessing that what you're trying to do won't work due to the limitations mentioned above.
+++ Rick ---
However that'll only really work if the remote form doesn't have all sorts of other things associated with it like security, cookies etc. required to fill the form.
Well, the remote site is going to collect their credit card info so one would expect them to have significant security measures in place.
Looks like I will need to find another way to accomplish what I need to do...
--stein