I have this small PHP/MySQL cart system that users add products to, checkout, and pay.
These products all have IDs on them so that when the user checks out,
I can get that product’s attributes (price, weight, the vendor’s account id, etc).
Right now it would be really easy for someone to open up Firebug,
guess another product ID, change it, and checkout.
What would be the best way to prevent this?
The store and the checkout system are on two different domains if that matters.
I could use something like a unique token
but how would that work if multiple customers could be using the cart at the same time?
EDIT: Wow, typed this too fast, left out some important details. The cart is currently represented as JSON that is being stored in a PHP session. All products have an account_id that associates them with a vendor’s account.
The problem would occur if a user changed the product id and happened to get a product under another vendor’s account (essentially purchasing another company’s product from a different company’s store) which would be undesirable. Thank you for the answers so far.
Use a server side session to store the cart details.
Every session gets a unique ID, stored in a cookie. All details (selected items, amount, etc) are tied to this sessionId.
By definition, you do not want different customers to use the same cart. Instead, every custommer uses their own separate copy of the cart.
If you need to ‘share’ the sessionId with some external service, instead calculate a separate unique key and share this key with the third party service (=checkout service in your case).
This ensures that you can uniquely identify your customer in communications with the thirds party, without the third party knowing anything about how you identify or communicate with your customer on your side of the fence. (the important thing to remember is, a sessionId is a shared secret, nobody else should ever know about it).