setting up for 'secure' transactions 1

[leadman]

Hi all,
I realize this may be a big subject. Id appreciate any clues or places to look for more answers:

Im developing a shopping cart. It collects all the data that needs to be sent to the credit card authorization service (in a form that posts to their https address). In their documentation it says that their system will not accept any HTTP connections that arent encrypted using a Secure Socket Layer ... it says "your server must be able to make a client side SSL connection to our gateway server ... Additionally, your server will need to support server side SSL for any HTTP POST requests that our server makes to return information to the merchant (your) server".

My host mentioned that <cfhttp> supports SSL, and that in order for them to post securely to my site i will need a digital certificate. I have no idea how to implement the former or what the later is!
Any help or direction is greatly appreciated

 

[JHoarty]

Let's start with the digital certificate. This is basically a piece of code that acts as your &quot;public key&quot; and serves to encrypt data that is passed between your server (

http://www.yourdomain.com)

and the client browser when the URL has an &quot;s&quot; appended to the protocol (http). So, when the client (a shopper at your store) goes to checkout, you will have used an &quot;https&quot; URL, thus invoking encryption between your domain and their browser. It's the digital certificate that both enables the encryption to happen, and also verifies to the client's browser that the server belongs to the domain they are at. That is, they are sending their data to the people they think they are sending it to, and those people are a &quot;certified&quot; business in some sense.

Now, cfhttp is a great way to send data to your gateway. You might, for example, use:

<cfhttp url=&quot;

https://payflowlink.verisign.com/payflowlink.cfm&quot;

method=&quot;post&quot;>

<cfhttpparam type=&quot;formfield&quot; name=&quot;CUSTID&quot; value=&quot;&quot;>
<cfhttpparam type=&quot;formfield&quot; name=&quot;LOGIN&quot; value=&quot;#form.login#&quot;>
<cfhttpparam type=&quot;formfield&quot; name=&quot;NAME&quot; value=&quot;#form.name#&quot;>
<cfhttpparam type=&quot;formfield&quot; name=&quot;PHONE&quot; value=&quot;#form.phone#&quot;>
<cfhttpparam type=&quot;formfield&quot; name=&quot;EMAIL&quot; value=&quot;#form.email#&quot;>
<cfhttpparam type=&quot;formfield&quot; name=&quot;ADDRESS&quot; value=&quot;#form.address#&quot;>

...

</cfhttp>

Hope this helps
John Hoarty
jhoarty@quickestore.com

http://www.quickestore.com

 

[leadman]

thank you, im clear on the certificate. But need more info on cfhttp. I see it can have a post method like a form. But there is no submit button, so when does it send the parameters to the gateway?

 

[JHoarty]

Right, it just posts upon invocation. So, you'd pass the form parameters in my example to a web page containing my sample code, and that page would automatically post to the payment processor.

Then the payment processor returns certain information based on your post. That info is contained in the variable,
#CFHTTP.FileContent#, so could be viewed using:

<cfoutput>
#CFHTTP.FileContent#
</cfoutput> John Hoarty
jhoarty@quickestore.com

http://www.quickestore.com

 

[leadman]

great. and the return is secure if i give the gateway an https address to return the info to? - and the info that s returned to me is automatically set in #CFHTTP.FileContent#?

 

[JHoarty]

Right and right. You should play around with FileContent. You may have to parse that puppy to get the info you are after. That is, it could be a comma-delimited list or a form, depends on what they send you. Consult documentation for the specifics. Good luck! John Hoarty
jhoarty@quickestore.com

http://www.quickestore.com

 

[leadman]

thank you! that was very helpful.