Ok so here's the big picture, I have 2 sites, call them SiteA and SiteB. SiteA sort of serves as a master site when it comes to ecommerce transactions (We only have one account with our Credit card processing company, so successful/declined transactions get redirected to SiteA)
So a user logs on to SiteB, goes through the buying process and submits the form with the credit card details which gets posted to the credit card verifying company, upon a successful transaction SiteA receives all the necessary info (in a POST method) sent by the Credit card processing company. At this point the code on SiteA, based on a param determines which site the transaction originated and again POSTS the data to that site using this code
require 'net/http'
require 'uri'
# forward the processor's POST params to the originating site's /success action
Net::HTTP.post_form(URI.parse("http://#{params[:site_name]}/success"), params)
success
is defined in routes.rb as
map.connect 'success', :controller => "some_controller", :action => "success"
The problem however is that although the user is logged in on SiteB, when SiteB receives the data POSTed by SiteA (which obviously doesn't know anything about SiteB's session_id), further processing of the data on SiteB fails due to lack of session information.
Both the sites are running exactly identical code.
My question, is there a way wherein session data from SiteB can be requested and appended to the POST data when SiteA sends the data?
Many thanks
If these two sites are running on the same physical machine, you can always use something like Memcache as a simple way to exchange state information between two otherwise unrelated sites. If they are on separate machines, using a POST may be your only reasonable option though it ends up being more of a hassle to implement.
If SiteB must forward to SiteA for some processing, and SiteA needs to return the visitor back to SiteB, you need to create a private API on both applications. You can usually get by with creating a simple REST interface and dumping whatever you need in a simple serialized format such as YAML or JSON depending on your preference.
For instance, the procedure might be roughly as follows:
- Visitor is forwarded from SiteB to SiteA via a HTTP redirect.
- Visitor proceeds with transaction on SiteA and a record with a unique identifier is created in the database that reflects the outcome of this transaction.
- SiteA forwards the visitor back to SiteB with this unique identifier as a parameter.
- SiteB makes a request to SiteA to retrieve the details of this transaction.
- SiteB updates its internal records as required and presents the outcome of the transaction to the visitor.
To be secure you should probably generate random unique identifiers, as something like UUID will prevent people from inspecting arbitrary orders by guessing numbers. You should also ensure that the call to SiteA to retrieve transaction details has some kind of access control even if it is only a secret token or passphrase. A more robust implementation would probably use TLS and SSL certificates to verify the origin of any request.
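The procedure above as an added Ruby sketch (not the answerer's code): SiteA stores each outcome under a random UUID, and SiteB's success action fetches it through a token-guarded lookup. The two classes, their methods, the in-memory stores standing in for the database and HTTP API, and the shared secret are all assumptions for illustration.

```ruby
require 'securerandom'
require 'json'

# Hypothetical model of SiteA: records outcomes and exposes a private lookup API.
class SiteA
  def initialize(shared_secret)
    @secret = shared_secret
    @transactions = {} # uuid => record (stands in for the database)
  end

  # Processor callback arrives: store the outcome under a random, unguessable id.
  def record_outcome(origin_site, amount_cents, status)
    id = SecureRandom.uuid
    @transactions[id] = { 'site' => origin_site, 'amount_cents' => amount_cents, 'status' => status }
    id
  end

  # Redirect the visitor back to the originating site carrying only the id.
  def redirect_url(site_host, id)
    "https://#{site_host}/success?txn=#{id}"
  end

  # Private API SiteB calls; returns [http_status, json_body].
  def fetch(id, token)
    return [401, JSON.generate('error' => 'unauthorized')] unless secure_compare(token, @secret)
    rec = @transactions[id]
    return [404, JSON.generate('error' => 'not found')] unless rec
    [200, JSON.generate(rec)]
  end

  private

  # Constant-time comparison so the token cannot be guessed byte by byte via timing.
  def secure_compare(a, b)
    return false unless a.bytesize == b.bytesize
    a.bytes.zip(b.bytes).inject(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
  end
end

# Hypothetical model of SiteB's /success action: session is local, details come from SiteA.
class SiteB
  def initialize(site_a, token, host = 'siteb.example')
    @site_a, @token, @host, @orders = site_a, token, host, {}
  end

  def success(txn_id)
    code, body = @site_a.fetch(txn_id, @token)
    return 'Unknown transaction' unless code == 200
    rec = JSON.parse(body)
    return 'Not ours' unless rec['site'] == @host # refuse records that belong to another site
    @orders[txn_id] = rec['status']
    rec['status'] == 'approved' ? 'Thank you' : 'Payment declined'
  end
end
```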