
I am working with the Braintree Java API. After reviewing the docs I have several questions that I hope are not altogether obvious.

Information that might help you: Working with Struts. Using .jsp

Question 1 When my customer logs in, I will pass their customerId to Braintree and fetch the Collection of credit cards. The credit card list contains information such as the last 4 of the card number, card type etc. Am I safe to put the returned credit card list to the session so I can output the information in my .jsp page? It is important that my customers can view the payment information as they can save multiple credit cards. Ideally, I will display the last four numbers with asterisks. Is there a security risk since the token exists in the CreditCard class? By setting the credit card list to the session, there is the possibility that the token could be sought out.

Question 2 What is the best way to associate the token with the correct credit card? For example, let's say my customer has 3 credit cards to choose from when purchasing an item. They select the second credit card. How do I associate the correct token with the second card so that when I send the token to Braintree the correct card is charged? The solution I have come up with is to have radio buttons for selection. When the card is selected and the submit button pressed, I will fetch the index of the selected radio button. I will then fetch the card from the array of credit cards. Using that returned CreditCard class, I can get the token and pass it on to Braintree. Does this sound like a good solution to you all?

hairboat
clayton rogers

1 Answer


I work at Braintree. If you have more questions, your best bet is to email our support team.

  1. You should only make data available to the user that you intend to share with them; however, depending on what you mean by the "session", the data shouldn't be leaked to the user.
  2. With the solution you describe, what if the user adds or deletes a credit card in another browser window, then hits submit on the form? The user could potentially get the wrong card. So instead, you should use some sort of identifier that doesn't change, rather than index into an array.
agf
  • Thank you for the reply agf. You make a very good point. After reviewing more examples and the Braintree documentation I now have a better handle on how I should manage the data. – clayton rogers Feb 23 '15 at 18:31
  • @claytonrogers if the answer helps, consider accepting and/or upvoting it. Reputation is the currency and appraisal that makes this site work. – Olaf Kock Jan 06 '16 at 22:28
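
The answer's second point, as an added example that is not part of the original thread and not Braintree's code: the form carries a stable, opaque reference per card instead of a list index, and the server resolves it against the customer's current cards at submit time. The `Card` record, the demo key and the HMAC-based reference scheme are assumptions made for illustration (Java 16+ for records); in a real application the card list would come from the gateway and the key from server-side configuration.

```java
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.MessageDigest;
import java.util.*;
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;

public class CardSelection {
    // Constructed stand-in for the CreditCard fields used here (not the Braintree class).
    record Card(String token, String last4, String cardType) {}
    // What the JSP receives: a display label and an opaque reference, never the token.
    record CardView(String ref, String label) {}

    private final byte[] key; // server-side secret; never leaves the server
    CardSelection(byte[] key) { this.key = key.clone(); }

    // Stable reference: HMAC-SHA256 over customer id and token, independent of list order.
    String refFor(String customerId, Card c) {
        try {
            Mac mac = Mac.getInstance("HmacSHA256");
            mac.init(new SecretKeySpec(key, "HmacSHA256"));
            byte[] tag = mac.doFinal((customerId + "\n" + c.token()).getBytes(StandardCharsets.UTF_8));
            return Base64.getUrlEncoder().withoutPadding().encodeToString(tag);
        } catch (GeneralSecurityException e) { throw new IllegalStateException(e); }
    }

    List<CardView> viewsFor(String customerId, List<Card> cards) {
        List<CardView> out = new ArrayList<>();
        for (Card c : cards) out.add(new CardView(refFor(customerId, c), c.cardType() + " ************" + c.last4()));
        return out;
    }

    // On submit: match the posted reference against the customer's cards as re-fetched now.
    Optional<Card> resolve(String customerId, List<Card> current, String postedRef) {
        byte[] posted = postedRef.getBytes(StandardCharsets.UTF_8);
        for (Card c : current)
            if (MessageDigest.isEqual(posted, refFor(customerId, c).getBytes(StandardCharsets.UTF_8))) return Optional.of(c);
        return Optional.empty();
    }

    public static void main(String[] args) {
        CardSelection s = new CardSelection("constructed-demo-key".getBytes(StandardCharsets.UTF_8));
        List<Card> cards = new ArrayList<>(List.of(new Card("tokA", "1111", "Visa"), new Card("tokB", "4444", "MasterCard"), new Card("tokC", "0005", "Amex")));
        String picked = s.viewsFor("cust1", cards).get(1).ref(); // user selects the second card
        cards.remove(0);                                          // first card deleted in another window
        System.out.println("by index 1: " + cards.get(1).last4());   // index now points at a different card
        System.out.println("by ref:     " + s.resolve("cust1", cards, picked).map(Card::last4)); // still the selected card
        System.out.println("other user: " + s.resolve("cust2", cards, picked).isPresent());      // reference is bound to the customer
    }
}
```

An empty result from `resolve` means the selected card no longer exists for that customer, so the request should be rejected and the form re-rendered rather than falling back to another card.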