I am currently building an ecommerce site with PHP/MySQL. Recently, I have been working on the Shopping Cart integration. The client wanted to ensure that stock was available to potential buyers, so I created a stock management system. The shopping cart works as follows:
While researching one site, I found that if you enter document.cookie (Firefox) I can see this filed in cookie _gat_gtag_UA_XXXXXXXXX_1=1. There were plain text. As I know gtag is for Google Tag Manager. I was using Google Analytics and Google Tag Manager in my projects too. So, isn’t is insecure to show such data as Google Tags or Google Analytics IDs as a plain text?
So this approach seems to be rather popular, particularly among payment processors that provide javascript integrations.
My understanding of Post-Redirect-Get so far is not very deep. I’ve used it a couple of times now. What I notice, though, is that when I use it, I am sending a rather private token of some sort to the last page in the GET request. It is a token that allows the server to respond with information about the just-completed transaction. The way I’m using it is:
An e-commerce site should reserve products for a user while they’re going through the payment process (more info). This creates a potential denial-of-service risk where an attacker could reserve many products and never complete payment – reserving all the stock and preventing legitimate sales.
Let’s say I want to charge a user’s credit card with their permission after a sale takes place. But, I don’t want to have to ask them their credit card a second time.
My company ships very large, very heavy products to the homes of everyday consumers (think big home renovation materials). Currently, we provide the customer’s name, shipping address, and phone number to the factory. The factory then provides that information to a freight company who will then provides it to a final-mile delivery company.
I’m developing payment extensions for multiple php based eCommerce platforms for a company that has their own payment processor (they just take post request; do couple checks and process it toward a real payment gateway).
I was doing a Cyber Security and IT audit for a company.
… can (and will) accumulate large parts of our customer database.