Well, I'm at a loss. I just cannot find specs on the https header anywhere. Could anyone please provide a link for me so that I can look at the specs for http/s headers?
Also, I have run into a bit of a snag. Perhaps someone can look at my problem from a different light: I currently have many departments that all send me the same fields (though w/diff data, of course) and I'm running into a problem with validating who they really are.
Here's the real crux of the problem though: Someone can just 'view source' right now on a department screen and as long as they pass in the correct client ID, an outside person could easily run charges up. The problem is that the "higher ups" are positive they want it to work just the way it is (because obviously, if I could have them enter the data in on MY site, I could hide this within sessions and all would be well).
I have tried checking the IP address they are coming from, but it seems as though this is not a failsafe way to do things. There MUST be some way to be able to verify where they are coming from, 100% of the time, in a secure manner...
Any ideas?
thanks,
k.