
One-click purchase?

blockablocka Member
in Help edited June 2009
Is it possible to do a "one-click type of purchase" where if we have somebody's information on file, they can bypass the whole cart and just click a button that says purchase?

I know I can hack this by posting the checkout form myself (it doesn't look like there's any CSRF protection on the form...I even removed the hidden input field fcsid and it still submitted).
  • brettbrett FoxyCart Team
    edited June 2009
    Hi blocka.
    Do you mean "one click", as in, "charge the card right now, don't ask for shipping or confirmation or anything"? Or just "one click to checkout"? I'm assuming the former.

    If that's the case, you could certainly play around with things. With the user API and SSO you might be able to have some fun.

    As far as CSRF protection, since there's no authentication aside from what's done already, a CSRF attack (or prevention) would kind of be useless. Not to say there aren't a lot of fun things you could try if you were malicious, but there'd be no way to really do a "one click" CSRF attack (unless you were the store owner/admin, in which case all bets are off, as you could do whatever you wanted, with or without FoxyCart powering the checkout).

    One thing worth noting though is that if you use SSO, the CSC is required, and per PCI DSS the CSC is never stored. So you actually couldn't do a true one-click checkout if you were using SSO. You could play with the checkout until the only field showing was the CSC, which might be interesting (and depending on your gateway/merchant account might save you money on processing).

    As far as having some way more advanced fun with FoxyCart, please give this a vote:

    Does that help?
  • blockablocka Member
    Before the SSO I had hacked together a solution with curl and cookie jars, the user API and the unified order entry password, and I was able to make a purchase without going to the checkout or confirmation page, and without requiring a CSC.

    I did something like this:
    $cart_url = "";
    $uoe_password = "unified order entry password";
    // Add something to the cart and grab the cookies
    $ch = curl_init("$cart_url/cart?name=A%20great%20product&price=60");
    curl_setopt($ch, CURLOPT_HEADER, false);
    curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, false); // disables certificate checking; test environment only
    curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
    curl_setopt($ch, CURLOPT_COOKIEJAR, "cookies.txt");
    curl_exec($ch);
    curl_close($ch); // the cookie jar is written to disk when the handle is closed
    // Submit the checkout form (here via the query string) using the previously stored cookies
    $ch = curl_init("$cart_url/checkout.php?ThisAction=checkout&c_card=saved&customer_password=$uoe_password&customer_address1=c&customer_city=c&customer_country=US&customer_country_name=United%20States");
    curl_setopt($ch, CURLOPT_HEADER, false);
    curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, false);
    curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
    curl_setopt($ch, CURLOPT_COOKIEFILE, "cookies.txt");
    $response = curl_exec($ch);
    curl_close($ch);

    This worked without the CSC...I can't imagine that the SSO would change anything...might this have worked because it was only in testing mode?

    Other than that, I think a standalone checkout api is totally in the ballpark of what I'm looking for...especially since I would also like to host my own checkout forms on my own server (with SSL of course).
  • brettbrett FoxyCart Team
    Hi blocka.
    We've had some behind-the-scenes discussion and the only response we feel comfortable to give is:
    We don't recommend using FoxyCart as you're describing. Please make sure you are not violating any of our TOS, and that you fully understand the security implications of what you're attempting for both you and your client (if applicable).

    We're always excited to see FoxyCart used in ways we hadn't anticipated, but in this case we can't really offer much support for what you're attempting.
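Blocka noted earlier that the checkout form kept submitting after the hidden fcsid field was removed, and Brett agreed there is no CSRF protection on it. For anyone who, as blocka mentions, ends up hosting their own checkout forms, the following is an added example of a synchronizer-token check in PHP; it is not FoxyCart's code and not from anyone in this thread. The session key and field name `csrf_token`, the `cc_csc` input, and the assumption that the form posts back to the same script are all mine.

```php
<?php
// Added example, not FoxyCart code: synchronizer-token CSRF protection for a
// self-hosted checkout form. Assumed: PHP 7.1+, sessions enabled, and the form
// posts back to this same script. The name 'csrf_token' is arbitrary.
session_start();

// One random token per session, generated server-side and kept in the session,
// so the hidden field the browser sees is only a copy of the real value.
function csrf_token(): string
{
    if (empty($_SESSION['csrf_token'])) {
        $_SESSION['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['csrf_token'];
}

// A submission is valid only if the hidden field is present, is a string, AND
// matches the session copy. Removing the field (as was done with fcsid in the
// thread) is rejected here instead of being silently accepted.
// hash_equals() is a constant-time comparison.
function csrf_valid($submitted): bool
{
    $expected = $_SESSION['csrf_token'] ?? '';
    return is_string($submitted)
        && $expected !== ''
        && hash_equals($expected, $submitted);
}

if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    if (!csrf_valid($_POST['csrf_token'] ?? null)) {
        http_response_code(403);
        exit('Checkout rejected: missing or invalid CSRF token.');
    }
    // Rotate the token after a successful check so a captured value cannot be
    // replayed for a second order.
    unset($_SESSION['csrf_token']);
    // ... place the order here ...
    echo 'Order accepted.';
    exit;
}
?>
<form method="post" action="">
  <input type="hidden" name="csrf_token"
         value="<?= htmlspecialchars(csrf_token(), ENT_QUOTES, 'UTF-8') ?>">
  <label>Card security code <input name="cc_csc" autocomplete="off"></label>
  <button type="submit">Purchase</button>
</form>
```

The token lives in the server-side session, so a request that drops or alters the hidden field fails the `hash_equals` check rather than going through. Pairing this with a `SameSite` attribute on the session cookie gives a second, browser-enforced layer against cross-site submissions.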