I have an ASP button, when it is clicked it calls a function which adds order information into my database. The next step of the order process is to transfer the user over to the payment gateway with this form:
<form action="https://select-test.wp3.rbsworldpay.com/wcc/purchase" name="BuyForm" method="POST">
<input type="hidden" name="instId" value="151711">
<input type="hidden" name="cartId" value="abc123">
<input type="hidden" name="currency" value="GBP">
<input type="hidden" name="amount" value="1221">
<input type="hidden" name="desc" value="">
<input type="hidden" name="testMode" value="100">
<input type="submit" value="To Payment!">
</form>
However I really would like it so that the user:
Pressed order button -> Order function called -> User automatically passed to order page
As opposed to:
Pressed order button -> Order function called -> User goes to another page -> User manually clicks button to go to worldpay payment page
Is there any way in C# to redirect the user to the order page, and submit form data with them?
-
You can use
Response.Redirect("OtherPage.aspx");
at the end of your event handler. Using this method, you could append items to the query string (for example the order ID):
Response.Redirect("OtherPage.aspx?OrderID=abcdef");
Alternatively, you could do the processing in the order page and list it as the PostBackUrl, so the first page posts back directly to the order page.
Tim : You can pass a token of some sort on the query string, but the actual ID could leave you open to URL tampering. In either case, such a method would need to be validated on the server based on something that is harder to tamper with (such as a matching Session variable).
From Richard Fawcett -
Multiple ways:
1) Put the order in Session state and carry it along with the user, automatically retrieving it when they are redirected to the final page.
2) Create a form which submits its data with the new page as the target (rather than posting back to itself as the default behavior in ASP.Net).
3) Generate a form with hidden fields and output it to the page.
In situations #2 and #3, you might choose to use client-side script to automatically submit the form.
From Tim -
You could redirect from the submit handler of the first order form:
Response.Redirect("https://select-test.wp3.rbsworldpay.com/wcc/purchase?instId=151711&cartId=abc123&currency=GBP&amount=1221&desc=&testMode=100");
Note that your form parameters are currently open to tampering, regardless of whether you submit via GET or POST. I'm sure that WorldPay have some security measures that you can use to prevent and/or detect tampering. You should use them!
Edit...
WorldPay allow you to submit a hash along with your payment parameters to help prevent tampering. This should stop any amateur querystring tampering; whether it can stop a determined attacker is another matter.
As you mentioned in the comments, you should definitely log the parameters at your end before submitting and then cross-reference them against the callback data to ensure that nothing has been touched.
LukeH : @Tim: Already edited before your comment appeared. The security problem exists regardless of whether you use GET or POST: using GET means that anybody can tamper with the values; using POST means that *almost* anybody can tamper with the values.
Tom Gullen : This will have to do I guess! The gateway makes a callback for verification, so I'll just flag any tampered orders. I was hoping to block any amateur query string attacks though.
LukeH : @Tim: If you're redirecting to an external site then you need to send that data somehow. I very much doubt that WorldPay would be able to see the session data held on Tom's server.
LukeH : @Tom: WorldPay allow you to send a hash of the data when you submit to them. That should definitely prevent any amateur attacks. Whether it'll stop a determined expert is another matter. http://www.rbsworldpay.com/support/kb/bg/htmlredirect/rhtml5800.html
Tim : @Luke - I said I didn't realize it was a 3rd party gateway when I originally responded. I will delete my comments.
Tom Gullen : @Luke, thanks for the comment, exactly what I was after!
From LukeH
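The following is an added example, not code from the thread or from WorldPay. It puts together Tim's option #3 (a server-generated hidden-field form that client-side script submits automatically, so the user is not left clicking a button) with LukeH's two points: send a hash of the parameters alongside them, and log what was sent so the gateway's callback can be cross-referenced against it. C# is used because that is what the question asks for. Assumptions: the instId/testMode values and gateway URL are copied from the question's form; the signature scheme (an HMAC-SHA256 over the sorted fields, keyed with a merchant secret) is a stand-in to illustrate the idea and is not WorldPay's own hash format, so the real field name and algorithm must come from the gateway's documentation; the in-memory Orders dictionary stands in for the orders table; MerchantSecret is a placeholder.

```csharp
// Added example (not from the original thread). Builds a self-submitting POST form
// server-side, signs its fields, records the order, and checks the gateway callback
// against that record. The HMAC scheme is illustrative, not WorldPay's hash format.
using System;
using System.Collections.Generic;
using System.Linq;
using System.Net;
using System.Security.Cryptography;
using System.Text;

public static class PaymentHandoff
{
    // Assumed secret shared with the gateway; it must never appear in the page output.
    const string MerchantSecret = "replace-with-real-secret";

    // Stand-in for the orders table: cartId -> fields exactly as sent to the gateway.
    static readonly Dictionary<string, Dictionary<string, string>> Orders =
        new Dictionary<string, Dictionary<string, string>>();

    // Keyed hash over the fields in a fixed (sorted) order, so editing any value
    // invalidates the signature. Assumed scheme, not the gateway's real one.
    public static string Sign(IDictionary<string, string> fields)
    {
        string payload = string.Join("|",
            fields.OrderBy(kv => kv.Key, StringComparer.Ordinal)
                  .Select(kv => kv.Key + "=" + kv.Value));
        using (var hmac = new HMACSHA256(Encoding.UTF8.GetBytes(MerchantSecret)))
        {
            byte[] mac = hmac.ComputeHash(Encoding.UTF8.GetBytes(payload));
            return BitConverter.ToString(mac).Replace("-", "").ToLowerInvariant();
        }
    }

    // Tim's option #3: hidden-field form plus client-side auto-submit. Every value is
    // HTML-encoded so a description with quotes or angle brackets cannot break out of
    // its attribute; <noscript> keeps a manual button for browsers without script.
    public static string BuildAutoSubmitForm(string action, IDictionary<string, string> fields)
    {
        var sb = new StringBuilder();
        sb.Append("<form action=\"").Append(WebUtility.HtmlEncode(action))
          .Append("\" name=\"BuyForm\" method=\"POST\">\n");
        foreach (var kv in fields)
        {
            sb.Append("<input type=\"hidden\" name=\"").Append(WebUtility.HtmlEncode(kv.Key))
              .Append("\" value=\"").Append(WebUtility.HtmlEncode(kv.Value)).Append("\">\n");
        }
        sb.Append("<input type=\"hidden\" name=\"signature\" value=\"")
          .Append(Sign(fields)).Append("\">\n");
        sb.Append("<noscript><input type=\"submit\" value=\"To Payment!\"></noscript>\n");
        sb.Append("</form>\n<script>document.forms[\"BuyForm\"].submit();</script>\n");
        return sb.ToString();
    }

    // Called from the order button's event handler once the order is in the database.
    // Records what is being sent, then returns the form to write into the response
    // instead of doing a plain Response.Redirect.
    public static string StartPayment(string cartId, string amount, string desc)
    {
        var fields = new Dictionary<string, string>
        {
            { "instId", "151711" },     // from the question's form
            { "cartId", cartId },
            { "currency", "GBP" },
            { "amount", amount },
            { "desc", desc },
            { "testMode", "100" },      // from the question's form
        };
        Orders[cartId] = new Dictionary<string, string>(fields);
        // In the ASP.NET page: Response.Write(form); Response.End();
        return BuildAutoSubmitForm("https://select-test.wp3.rbsworldpay.com/wcc/purchase", fields);
    }

    // LukeH's advice: compare the callback's values with what was logged at send time.
    // Any missing or differing field means the parameters were altered in transit.
    public static bool CallbackMatchesOrder(IDictionary<string, string> callback)
    {
        if (!callback.TryGetValue("cartId", out var cartId) ||
            !Orders.TryGetValue(cartId, out var sent))
            return false;
        foreach (var kv in sent)
        {
            if (!callback.TryGetValue(kv.Key, out var got) || got != kv.Value)
                return false;
        }
        return true;
    }
}
```

StartPayment replaces the "user goes to another page and clicks" step: the event handler saves the order, records the fields, and writes the generated form, which submits itself on load. CallbackMatchesOrder is run when the gateway's callback arrives; an order whose callback does not match the recorded fields is the one to flag. The callback itself should also be checked to come from the gateway (by whatever means the gateway documents) before its contents are trusted.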