sending data to payment gateway and back - possible problems


Question

I'm going to use one of the payment gateways, and so users from my site will be redirected to the gateway's hosted page to provide all the CC details. The gateway will return results to the page which I specify (let's call it paymentProcessed.php). But now my worry is that:

  1. Someone might fake it. What I mean is that someone might be redirected to the payment gateway, then, instead of paying, will return results to my site's paymentProcessed.php page with confirmation that all has been paid. This confirmation will be sent by the user itself via a normal POST, and my site will then deliver products to the user although there was no payment actually done. What is the common practice to avoid this kind of situation?

  2. Someone is redirected to the gateway hosted page, pays, is redirected back to my site, and the session he was logged in with has expired. Usually I rely on sessions to see if a user should be allowed access to certain parts of the site, but now do I need to implement some other sort of check for the confirmation page? For now I was thinking of storing the order id and a randomly generated value in the database, and when the user is redirected, passing it to the gateway (together with the total; the total would be passed to the gateway and then back so I could confirm that the proper amount was paid). Then when the confirmation comes together with the order id, my randomly generated value (and total), instead of relying on the session like I usually do for normal shopping cart pages, I should check this value against the matching order id and change the status of the order as needed. What is the common practice to deal with that kind of problem?

What other possible issues should I think about?

I tried to explain as clearly as possible and I hope all of the above makes sense. Please let me know if I need to clarify something though. BTW, I code in PHP/MySQL.

Answer

It's actually easier and more secure than you realize. When using a hosted payment page, like Authorize.Net's SIM API, a hash of some sort is included that only you and the processor know about. It is impossible to fake, as generating it requires private information only you and the processor have. So all you need to do is verify that the hash sent to your return page by the payment processor matches the one you have for the transaction. If it does, you can be 100% sure the transaction has not been spoofed.

Sessions tend to last longer than a trip to a remote checkout form usually takes to complete, and the session does last even though a user leaves your site. But, if you are concerned about a session expiring before they return to your site, simply store the session information in a database and use a cookie to track the user. Then when they come back, use the cookie to identify them and retrieve their session information from your database.

Update:

Here's how you can make your session cookie last longer with PHP:

<?php
// Makes the cookie last two hours. Make it a higher number to last longer.
// Must be called before session_start(), which is what actually sends the cookie.
session_set_cookie_params(7200);
session_start();
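As an added example, not code from the original answer: a PHP return handler that applies the answer's advice (check the processor's hash instead of trusting the browser) together with the asker's own order-id, random-token and total check, so the confirmation page works even when the session has expired. The field names, the HMAC-SHA256 signing recipe and the secret are assumptions made for illustration; use the exact scheme your gateway documents.

```php
<?php
// Added example (not the original answer's code). Assumes the gateway signs its
// return POST with HMAC-SHA256 over "order_id|token|txn_id|amount" using a secret
// shared only with the merchant, and posts the fields order_id, token, txn_id,
// amount, status and signature. Those names and the recipe are assumptions.
const GATEWAY_SECRET = 'replace-with-your-shared-secret'; // placeholder value

// Constructed stand-in for the orders table: the total we charged and the random
// per-order token we passed to the gateway when redirecting the user.
$orders = [
    '1001' => ['amount' => '49.99', 'token' => 'a3f9c2e1', 'status' => 'pending'],
];

function verify_gateway_return(array $post, array &$orders): string
{
    foreach (['order_id', 'token', 'txn_id', 'amount', 'status', 'signature'] as $f) {
        if (!isset($post[$f]) || !is_string($post[$f])) { return 'missing field'; }
    }
    // 1. The signature proves the gateway, not the browser, produced this POST.
    $signed = implode('|', [$post['order_id'], $post['token'], $post['txn_id'], $post['amount']]);
    $expected = hash_hmac('sha256', $signed, GATEWAY_SECRET);
    if (!hash_equals($expected, $post['signature'])) { return 'bad signature'; }

    // 2. Look the order up by id and token; the user's session is not needed.
    if (!isset($orders[$post['order_id']])) { return 'unknown order'; }
    $order = &$orders[$post['order_id']];
    if (!hash_equals($order['token'], $post['token'])) { return 'token mismatch'; }

    // 3. The paid amount must equal the stored total, so a lowered amount is refused.
    if (number_format((float) $post['amount'], 2, '.', '') !== $order['amount']) {
        return 'amount mismatch';
    }
    // 4. Mark paid only once, so a replayed confirmation cannot ship the goods twice.
    if ($order['status'] === 'paid') { return 'already processed'; }
    if ($post['status'] !== 'approved') { return 'declined'; }

    $order['status'] = 'paid';
    $order['txn_id'] = $post['txn_id'];
    return 'ok';
}
// Constructed samples: a confirmation posted by the user's browser carries no valid
// signature and is refused; a genuine one is accepted once and rejected on replay.
$forged = ['order_id' => '1001', 'token' => 'a3f9c2e1', 'txn_id' => 'X1',
           'amount' => '49.99', 'status' => 'approved', 'signature' => str_repeat('0', 64)];
echo verify_gateway_return($forged, $orders), "\n";
$genuine = $forged;
$genuine['signature'] = hash_hmac('sha256', '1001|a3f9c2e1|X1|49.99', GATEWAY_SECRET);
echo verify_gateway_return($genuine, $orders), "\n";
echo verify_gateway_return($genuine, $orders), "\n";
```

In production the orders array would be a database row read and updated inside one transaction, so two confirmations arriving at once cannot both pass the "already processed" check.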

