MODX
Vitaly, 2020-06-05 01:21:52

How to hide msorder on msGetOrder page?

Hello!

Here's the situation: I'm developing an online store, and I'm on familiar terms with modx and minishop. I ran into the fact that after the user clicks the checkout button, he is redirected to the msGetOrder page (logically), and the GET parameter "msorder" is passed in the address bar. Because of this, a small vulnerability appears :D maybe. Someone can change the id and see what others ordered, and something tells me this is wrong)

How can I solve this? Perhaps somehow hide or encode the id? I rummaged through the minishop settings but found nothing; did I miss something?

In general, perhaps there are other ways to solve this?

Thank you in advance to everyone, at least for reading my scribble to the end :D


2 answers
Shwaber, 2020-07-25
@vnem

I also faced this problem and did not find a solution on the Internet.
I managed to solve the problem with the help of a snippet.

// MODX snippet: $step, $value and $get arrive as the snippet parameters
// &step, &value and &get (MODX extracts $scriptProperties into scope).
$mainPage  = $modx->makeUrl(1);
$resource  = $modx->resource;
$orderPage = $modx->makeUrl($resource->get('id')) . $get;
// Path "/" so the same cookie is visible on both the checkout and the thank-you page.
$cookiePath = '/';
// 302, not 301: browsers cache permanent redirects, which would break repeat visits.
$redirect = array('responseCode' => 'HTTP/1.1 302 Found');
switch ($step) {
    case "clear":
        // Expire the cookie in the past so the browser actually drops it.
        setcookie("myOrder", "", time() - 3600, $cookiePath);
        break;
    case "check":
        if (!isset($_COOKIE["myOrder"])) {
            // First visit after checkout: bind this browser to the order, then reload.
            setcookie("myOrder", $value, 0, $cookiePath);
            $modx->sendRedirect($orderPage, $redirect);
        }
        if ($_COOKIE["myOrder"] !== $value) {
            // Cookie belongs to a different order: send the visitor to the main page.
            $modx->sendRedirect($mainPage, $redirect);
        }
        break;
}

Pasted into the msOrder tpl (in "clear" mode) and into the msGetOrder tpl (in "check" mode).
&step - mode of operation
&value - what to write into the cookie / what to compare against (we generate a mask from the order data, for example {$order.id}{$order.num}%{$order.cost})
&get - the GET order parameter (?msorder={$order.id})
Operation logic:
1. On the checkout page, clear the myOrder cookie.
2. On the thank-you page, check whether there is anything in the cookie. If the myOrder cookie is empty, we write our secret value into it. If it is not empty, we compare and either leave the user on the page or redirect to the main page.
The solution may be a crutch, but the most important thing is that it works. Nothing else has come to mind yet.
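The question also asked whether the id could simply be "encoded". An added example (not from either answer and not part of miniShop2) of that idea: sign the order id with a server-side secret so the link carries msorder=<id>.<tag>, and the thank-you page rejects any id whose tag does not verify, which also covers incremented ids. The function names, the secret and the system-setting name are assumptions; wiring the token into the link miniShop2 generates is left to the integrator.

```php
<?php
// Added example: HMAC-signed order parameter. Not miniShop2 code; names invented.

// Build the signed query parameter for a freshly created order.
function msOrderTokenMake(int $orderId, string $secret): string {
    // Truncated HMAC keeps the URL short; 16 hex chars = 64 bits of tag.
    $tag = substr(hash_hmac('sha256', (string)$orderId, $secret), 0, 16);
    return $orderId . '.' . $tag;
}

// Verify the incoming parameter; returns the order id, or null if it fails.
function msOrderTokenCheck(string $param, string $secret): ?int {
    // Reject anything that is not "<digits>.<16 hex>", including a bare numeric id.
    if (!preg_match('/^(\d{1,18})\.([0-9a-f]{16})$/', $param, $m)) {
        return null;
    }
    $expected = substr(hash_hmac('sha256', $m[1], $secret), 0, 16);
    // Constant-time compare so the tag cannot be recovered via response timing.
    return hash_equals($expected, $m[2]) ? (int)$m[1] : null;
}

// In a real snippet the secret would come from a MODX system setting, e.g.
// $modx->getOption('ms2_order_secret'); that setting name is assumed, not real.
$secret = 'constructed-demo-secret-change-me';

// What the checkout step would put into the thank-you link.
$param = msOrderTokenMake(42, $secret);
echo "link: ?msorder=$param\n";

// What the thank-you page does with the parameter it receives.
$tag = explode('.', $param)[1];
var_dump(msOrderTokenCheck($param, $secret));          // genuine link: order id is returned
var_dump(msOrderTokenCheck('43.' . $tag, $secret));   // id changed, tag no longer matches: rejected
var_dump(msOrderTokenCheck('42', $secret));           // bare id as in the original URL: rejected
```

The thank-you page then loads the order only when msOrderTokenCheck() returns an id, so the cookie dance in the snippet above becomes unnecessary.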

Igor, 2020-08-05
@ig0r74

You can't see what others have ordered. Try opening in incognito mode.
