USHOP 2.0



We at Microburst Technologies, Inc. take security very seriously, but in order to ensure that transactions are indeed secure, it is up to you to set up uShop correctly. This reference page describes how uShop security works and how to configure uShop correctly in order to ensure secure transactions.

  1. How uShop Security Works
  2. uShop Security Requirements
  3. Configuring uShop For Secure Transactions
  4. About The "orders" Directory On Your Secure Server
  5. About The uShopOrderButtonCGI Applet
  6. Configuring The uShopOrderButtonCGI Applet
  7. Example

1. How uShop Security Works

In order to ensure that sensitive payment information travels securely from the customer to the store owner, uShop implements a two-step process (as illustrated in the diagrams below). Step 1 is securely getting the order information from the customer into a file on the secure server. Step 2 is securely getting that order file from the secure server to the store owner. The diagram below illustrates how uShop handles this with the ushop_cgiscript.pl script and the uShopOrderCGI and uShopOrderReaderCGI applets.





2. uShop Security Requirements

uShop itself does not implement any encryption mechanism; it relies on the standard SSL protocol that is used when communicating with a secure server. That is, the encryption is handled external to uShop - by the browser and your secure server. Thus, in order to make transactions secure, you must have a secure server on which you can install uShop's CGI script.


3. Configuring uShop For Secure Transactions

First of all, you must install the uShop CGI script on your secure server. To do this, follow the CGI script installation instructions in the uShop User's Manual and/or (RECOMMENDED) use the uShop CGI Setup Wizard at our uShop 2.0 Reference Site. (The uShop CGI Setup Wizard will actually generate a CGI script configured for your server, along with customized instructions on how to download and install it on your server.)

Upon finishing the installation of the CGI script on your secure server, you should be able to type in the URL of the script on your secure server and see a "uShop Copyright" page generated, just as you see when you go to the URL of the script on our secure server:

https://www.uburst.com/cgi-bin/ushop_cgiscript.pl


This URL of the script on your secure server is what you will need to use as the scriptpath parameter of the uShop Order and Order Reader applets that you use in your on-line store.

That is, in order to make transactions secure, all you need to do after installing the uShop CGI script on your server is to be sure to use the full URL of the CGI script on your secure server (beginning with https://) as the scriptpath parameter of all of uShop's applets that deal with any sensitive information. That is, be sure to use this secure URL (beginning with https://) as the scriptpath parameter in whichever uShop Order applet you are using AND as the scriptpath parameter in the uShopOrderReaderCGI applet too!

This is illustrated in the diagrams below.







4. About The "orders" Directory On Your Secure Server

Whenever an order is placed, an order file will be created in the "orders" directory on your secure server. Each order file will be named after the order number and will contain all of the order information - including the sensitive payment information. For this reason, it is very important that the contents of your "orders" directory are not viewable by visitors to your web site. That is, be sure that if visitors go to the URL of your "orders" directory, they cannot see the contents of the order files in this directory. Here are some suggestions on how to prevent this:
  1. Change the permissions on the directory so that it is not viewable by web users - but be aware that the ushop_cgiscript will still need permission to write to that directory. So try setting the permissions on that directory to 733 (Unix servers only).

  2. Also, most servers are set up to prevent web visitors from listing the contents of your CGI directory and any of its subdirectories - this is ideal! It causes people trying to access your orders directory to get some sort of error message such as "Listing of CGI directories is disabled." If your CGI directory is not configured like this, check with your web hosting provider to see how CGI directory listings can be disabled.

  3. And finally, at the very least, try putting an "index.html" page in the orders directory - perhaps just a simple page with a link saying "Click HERE To Enter The Store". This way, visitors accessing the orders directory will only get an index page, and not a listing of all the order files.
On a side note, you should clean out the "orders" directory from time to time. After processing an order with the uShopOrderReaderCGI applet, there is no need to let the order files (and the sensitive payment information) sit around in the "orders" directory. So use the uShopOrderReaderCGI's "delete" option or just FTP to the orders directory from time to time and delete the order files. This will save on disk space too!
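The checks in sections 3 and 4 (an https scriptpath, an "orders" directory that web visitors cannot list, and the fallback index.html) can be verified from a shell on the secure server. The script below is an added example, not part of uShop; it assumes a Unix host with stat(1) and find(1), and the paths and URL are passed as arguments.

```shell
#!/bin/sh
# Added example (not uShop's own code): audit the "orders" directory and the
# scriptpath setting described above. Assumes a Unix host with stat(1) and find(1).

# 0 if the URL begins with https:// (required for every scriptpath parameter).
scriptpath_is_secure() {
    case "$1" in
        https://*) return 0 ;;
        *)         return 1 ;;
    esac
}

# 0 if "others" (the web server user on most shared hosts) lack the read bit on the
# directory, so no directory index can be produced. 733 (rwx-wx-wx) passes: the CGI
# script can still create order files there, but visitors cannot list them.
orders_dir_not_listable() {
    [ -d "$1" ] || return 1
    # GNU stat first, BSD/macOS stat as the fallback; both print an octal mode.
    mode=$(stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1" 2>/dev/null) || return 1
    case "$(printf '%s' "$mode" | tail -c 1)" in
        4|5|6|7) return 1 ;;   # read bit set for others: a listing is possible
        *)       return 0 ;;
    esac
}

# Directory mode only blocks listing. An order file whose name (the order number)
# is known could still be served by URL if the file itself is world-readable, so
# also require that no file in the directory carries the o+r bit (find -perm -004).
orders_files_not_world_readable() {
    [ -d "$1" ] || return 1
    [ -z "$(find "$1" -type f -perm -004 | head -n 1)" ]
}

# Run all checks (plus the page's index.html suggestion) and return the failure count.
audit_orders() {
    dir="$1"; url="$2"; failures=0
    scriptpath_is_secure "$url" || { echo "FAIL scriptpath is not https: $url"; failures=$((failures+1)); }
    orders_dir_not_listable "$dir" || { echo "FAIL $dir is listable by others"; failures=$((failures+1)); }
    orders_files_not_world_readable "$dir" || { echo "FAIL world-readable order files in $dir"; failures=$((failures+1)); }
    [ -f "$dir/index.html" ] || echo "WARN no index.html in $dir"
    return "$failures"
}

# Usage: sh audit_orders.sh /path/to/cgi-bin/orders https://secure.example/cgi-bin/ushop_cgiscript.pl
if [ $# -eq 2 ]; then audit_orders "$1" "$2"; fi
```

A non-zero exit status means at least one FAIL line was printed; the index.html check is a warning only, since the page lists it as a last resort rather than a requirement.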



5. About The uShopOrderButtonCGI Applet

As described above, in order to make transactions secure, all you really have to do is use the secure (https) URL of the CGI script on your secure server as the setting for the scriptpath parameter of your store's order and order reader applets. This works fine as long as all of your store pages are on your public server or all of your store pages are on your secure server; either way will work. However, it may be desirable to put all of your store's product pages on your faster public server and put just the order form on the encrypted secure server. Two major benefits of this are:
  1. Your store pages will load faster if you keep them on your faster public server and only transfer to the slower encrypted secure server when the customer is ready to checkout.

  2. By transferring to the secure server before displaying the order form, customers will be able to see that you are indeed using a secure server before actually entering any sensitive payment information.
For uShop to work properly, however, it is important that the visitor's browser believe that all of the .class files were loaded from the same URL (see CODEBASE for more information on this) - but this is not the case if you switch from your public to your secure server. Thus, to let you keep your store pages on your faster public server and then transfer to the encrypted secure server when the customer is ready to check out, we have provided the uShopOrderButtonCGI applet.



6. Configuring The uShopOrderButtonCGI Applet

The following steps describe the easiest way to configure the uShopOrderButtonCGI applet.

  1. Begin by installing a copy of the uShop CGI script (ushop_cgiscript.pl) on your secure server. See the uShop User's Manual and/or uShop CGI Setup Wizard for assistance setting up the CGI script.

  2. If you haven't already, create the "orders" directory on your secure server. Create this "orders" directory as a subdirectory in your "cgi-bin" directory and be sure to give the "orders" directory the appropriate permissions (chmod 733). See "orders" directory for more information about this directory.

  3. Create your order.template file. This file is basically just a standard .html file that will be automatically displayed by uShop's CGI script when the customer presses the Secure Order button. The order.template file should contain the uShop order applet that your store will use (such as uShopOrderCGI.class) along with any other applets, graphics, and text that you want to be displayed on the order page.

    Click here to see an example order.template page.

    Important Note: When adding applets to this order.template page, you must specify a CODEBASE parameter as illustrated below. This CODEBASE parameter is required to specify where your .class files are located. It should be specified as the full URL of your classes directory on your public server, as illustrated below.


    Update January 19, 2000 regarding Internet Explorer: It appears that due to the way IE 5.0 handles the caching of applets, it is not recommended to switch the codebase between your public and secure server pages. That is, apparently IE 5.0 sometimes has trouble reloading the applets on the secure order page if a customer goes back and forth between the regular store pages and the secure order page. The best solution to this problem is to be sure to use the full URL of the .class files on your PUBLIC server when specifying the codebase of the applets on your secure order page. Note that transactions will still be secure provided you use the secure URL for the "scriptpath" parameter. The diagrams/instructions on this reference page have been updated to reflect this.




    Another Important Note: The uShop CGI script will automatically insert a hidden data parameter immediately after the first .html line of the order applet, so it is important to keep the first .html line of the order applet on a single line, as illustrated below.

    Example - Wrong (Letting the first line wrap to the next line)

    Wrong!


    Example - Right (The first line does NOT wrap to the next line)

    Right :^)


  4. After creating the order.template file, transfer it into the same directory as the uShop CGI script on your secure server. Note: When transferring this file to your server, be sure to transfer it in ASCII or TEXT mode (as opposed to BINARY mode).

  5. And finally, add the uShopOrderButtonCGI applet to your store's pages. The uShopOrderButtonCGI applet will appear as a "Secure Order" button on your store's pages. It can be inserted into any of your store's pages (on your public server - not your secure server) and should be described on your store's pages so that it is clear to the customer that when they are ready to check out, they should press this button.

    Note, as shown below: remember to use the URL of your script on your secure server as the scriptpath parameter. Also remember to set the order_page parameter to match the name/location of your order template file on your secure server. If you followed the above steps and put the order.template file in your cgi-bin directory on your secure server, then the settings will be as shown below.



  6. And that should do it. Try it out!

    If you run into any problems, be sure to check out the "Troubleshooting" section at our uShop 2.0 Reference Site.
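Step 3 above (the order applet's first .html line must not wrap, and the applet needs an absolute CODEBASE) can be checked before the template is uploaded. The script below is an added example, not uShop's own code; it assumes the order applet is the first <applet> tag in the file, and the "data" parameter name used in the emulation is a placeholder, since the page does not give the real name.

```shell
#!/bin/sh
# Added example (not uShop's own code): check an order.template before uploading it.
# Assumes the order applet is the first <applet> tag in the file and that the CGI
# script inserts its hidden parameter as a new line right after that tag's first line.

# 0 if the first <applet ...> tag opens and closes on a single line, so that a line
# inserted after it lands inside the applet element, not inside an unfinished tag.
applet_tag_on_one_line() {
    first=$(grep -i '<applet' "$1" | head -n 1)
    [ -n "$first" ] || return 1
    printf '%s\n' "$first" | grep -iq '<applet[^>]*>'
}

# 0 if that tag carries a CODEBASE that is a full URL (the page asks for the absolute
# URL of the classes directory on the public server).
applet_has_absolute_codebase() {
    grep -i '<applet' "$1" | head -n 1 | grep -iq 'codebase="\{0,1\}https\{0,1\}://'
}

# Emulate the insertion the page describes so the effect of a wrapped tag is visible.
# The parameter name "data" is a placeholder; the real name is not given on the page.
emulate_insertion() {
    awk '{ print } !done && tolower($0) ~ /<applet/ {
             print "    <param name=\"data\" value=\"...order data...\">"; done = 1 }' "$1"
}

# Constructed samples mirroring the page's "Wrong" and "Right" illustrations.
write_samples() {
    cat > "$1/wrong.template" <<'EOF'
<html><body>
<applet code="uShopOrderCGI.class"
        codebase="http://www.example.com/classes/" width="400" height="300">
<param name="scriptpath" value="https://secure.example.com/cgi-bin/ushop_cgiscript.pl">
</applet>
</body></html>
EOF
    cat > "$1/right.template" <<'EOF'
<html><body>
<applet code="uShopOrderCGI.class" codebase="http://www.example.com/classes/" width="400" height="300">
<param name="scriptpath" value="https://secure.example.com/cgi-bin/ushop_cgiscript.pl">
</applet>
</body></html>
EOF
}

# Usage: sh check_template.sh order.template
if [ $# -eq 1 ]; then
    applet_tag_on_one_line "$1" && echo "OK   applet tag is on one line" || echo "FAIL applet tag wraps"
    applet_has_absolute_codebase "$1" && echo "OK   absolute CODEBASE present" || echo "FAIL no absolute CODEBASE"
fi
```

Running emulate_insertion on the wrapped sample shows the inserted <param> line landing between the two halves of the <applet> tag, which is exactly the breakage the note warns about.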

7. Example

Click HERE to see an example of the uShopOrderButtonCGI applet in use.