Thanks Scott - In my case the only thing that will happen on the IIS side is to show a "Thank you page". The user is not going to get anything shipped or purchased. The iSeries side puts the request in the database and issues a notification to the office that needs to process the request and actually charge the card and "ship" the sale. Someone faking a "Thank you" page is not a big concern.

-----Original Message-----
From: web400-bounces@xxxxxxxxxxxx [mailto:web400-bounces@xxxxxxxxxxxx] On Behalf Of Scott Klement
Sent: Thursday, April 29, 2010 1:55 PM
To: Web Enabling the AS400 / iSeries
Subject: Re: [WEB400] How would I do a paypal type redirect using RPG CGI?

The easiest way would be for the RPG to output something like this:

Status: 302
Location: http://youriisserver.com/whatever?amount=1234.56&valid=1

That would cause the browser to redirect to the new URI, and pass the
parameters to it. Easy enough. But, I'd be concerned about security.
The user could just as easily key this data into the browser's URI and
bypass your credit card check.

A better solution is to have some separate (probably non-HTTP)
communication between the i and the Windows server. Something that
would be impossible for an outsider to fake. Perhaps use the Location:
keyword to redirect and run a program/script on the IIS server. Have
that program connect back to the i using an SSL connection protected by
certificates, pass the customer info and verify that the transaction was
successful.


On 4/29/2010 12:33 PM, Mike Cunningham wrote:
We run an IIS web server for public access and an iSeries web server for secure things. We have an IIS based application that needs to get credit card information but want that to be collected by an iSeries application (we have existing iSeries based credit card processes using Curbstone). Very much like a PayPal process. The IIS form collects all the necessary information except the credit card info, redirects the user to the iSeries app and passes amount and name and a few other things. iSeries app asks for credit card info, validates it, encrypts it, etc, etc and then needs to return to the "calling" application and pass back if the credit card part was valid or not. (Doesn't really have to do this but the group that controls the IIS side of our organization wants to know and show the user a second confirmation (or rejection) page.)
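
The back-channel check suggested in the thread, as an added example that is not code from any poster: the redirect carries only an opaque one-time id, and the IIS-side handler ignores browser-supplied `amount`/`valid` values and asks the i for the result. The `txn` parameter, all function names, and the in-memory table standing in for the certificate-protected SSL connection to the i are assumptions.

```python
import secrets
from urllib.parse import urlparse, parse_qs

# Constructed stand-in for the iSeries transaction table. In a real deployment
# lookup_on_i() would be a request to the i over SSL/TLS with client certificates.
_I_TRANSACTIONS = {}

def i_record_result(amount, approved):
    """iSeries side: store the outcome and return an unguessable one-time id."""
    txn_id = secrets.token_urlsafe(32)
    _I_TRANSACTIONS[txn_id] = {"amount": amount, "approved": approved}
    return txn_id

def i_redirect_headers(txn_id):
    """CGI headers emitted by the i: the redirect carries only the opaque id."""
    return ("Status: 302\r\n"
            f"Location: http://youriisserver.com/whatever?txn={txn_id}\r\n\r\n")

def lookup_on_i(txn_id):
    """Back channel (hypothetical): fetch and consume the record, so a replay fails."""
    return _I_TRANSACTIONS.pop(txn_id, None)

def iis_handle_return(url, expected_amount):
    """IIS side: nothing in the query string is trusted except as a lookup key."""
    query = parse_qs(urlparse(url).query)
    txn_id = query.get("txn", [""])[0]
    record = lookup_on_i(txn_id) if txn_id else None
    if record is None:
        return "rejected: unknown or reused transaction"
    if record["amount"] != expected_amount:
        return "rejected: amount mismatch"
    return "confirmed" if record["approved"] else "declined"
```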


This mailing list archive is Copyright 1997-2024 by midrange.com and David Gibbs as a compilation work. Use of the archive is restricted to research of a business or technical nature. Any other uses are prohibited. Full details are available on our policy page.