Seamless Payment forms security problem + Workaround [updated]
Liam Dilley Jul 8, 2012 9:57 PM
Hey all,
I think this one is important to make sure folk are aware of, if you are not already. I have a temporary solution here as well for you, and also what I have asked for as a possible solution from the BC team.
You may very well have a seamless payment gateway and a few forms on sites using that to take payments. You are very likely properly making sure all links to that page are https and under worldsecuresystems.
There are several issues with this in terms of security, and one you probably have not considered even if you know the others.
1. If your client or yourself forgets to update links to that secure page from a non-secure version of the page. If you add the page to content via custom links it will be unsecure.
2. Google will come across the page and it will be the http unsecure page.
3. One you may not realise is that if you have a site search and the page with the form shows up - it will be a URL of something like default.aspx?...... and lots of parameter values like Page ID.
The problem with this is it is also not secure.
I have dropped a message to the engineers about this. Considering the recent focus on tightening security aspects of BC, I consider the ability to get to an unsecure version of a page which should be a secure URL one that needs to be addressed.
I suggested that there should be a tick box on the page in the admin that says something like "https url" or similar, which will create a permanent redirect to the worldsecuresystems URL.
If you're thinking "use the 301 redirect field" - you will get a redirect error because it is secure external; it won't work.
So what to do till BC does something?
I made this function and call it in the manner below:
function securePageRedirect() {
    // current url check
    var secure = (window.location.protocol === 'https:');
    // if the page this function runs on is not https
    if (!secure) {
        // log the path of the url
        var currentURLPath = window.location.pathname;
        // redirect; indexOf returns -1 when not found (which is truthy), so compare explicitly
        if (currentURLPath.indexOf("Default.aspx") !== -1) {
            // site search lands on Default.aspx?PageID=..., so keep the query string
            var getParams = location.search;
            window.location = website.secure_url + currentURLPath + getParams;
        }
        else {
            window.location = website.secure_url + currentURLPath;
        }
    }
}
Then when you call this function (with jQuery in mind):
if ( $(".seamlessPaymentForm").length ) { securePageRedirect(); }
What this will do is only run it if you have that class on the page. So where do you put it? Put it as a class on your form itself, then you know that when you call the form it will be secure.
So what will happen?
Here is an example: http://www.laidlaw.ac.nz/en/news-and-events/alumni-gathering-registration
This is a non-secure version of this page, but when it finishes loading you will see it redirects to the https version of the URL.
Update: Updated the code to properly work with search and Default.aspx.
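The redirect decision from the post, pulled into a pure function so it can be checked without a browser; this is an added example, not the poster's code. `secureBase` stands in for BC's `website.secure_url`, `loc` mimics `window.location`, and the hostnames in the sample inputs are constructed. It goes beyond the post by keeping the query string and fragment for every page, refusing to redirect to a non-https base (which would otherwise bounce the visitor to another plain-http URL), and using `location.replace` so the http copy does not stay in the Back history.

```javascript
// Pure decision function: returns the https URL to go to, or null when no
// redirect should happen (already on https, or secureBase is not https).
function secureRedirectTarget(loc, secureBase) {
  if (loc.protocol === 'https:') return null;          // nothing to do
  if (!/^https:\/\//i.test(secureBase)) return null;   // never redirect to http
  var base = secureBase.replace(/\/+$/, '');           // drop trailing slashes
  var target = base + (loc.pathname || '/');
  // Site-search hits arrive as Default.aspx?PageID=...; the query string is
  // what identifies the page, so it (and any #fragment) must survive.
  if (loc.search) target += loc.search;
  if (loc.hash) target += loc.hash;
  return target;
}

// Browser glue: only act when a seamless payment form is on the page.
// Returns true when a redirect was issued, false otherwise.
function securePageRedirect(formSelector) {
  if (typeof document === 'undefined' || typeof website === 'undefined') return false;
  if (!document.querySelector(formSelector || '.seamlessPaymentForm')) return false;
  var target = secureRedirectTarget(window.location, website.secure_url);
  if (!target) return false;
  // replace() keeps the http URL out of history, so Back does not re-trigger it.
  window.location.replace(target);
  return true;
}
```

This only guards against links that accidentally point at the http page; the http response has already been served by the time the script runs, so it is a convenience, not a substitute for a server-side redirect.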