Secure Order Validation
RedFox Thank You includes robust security features to ensure only authorized customers can access order information on thank you pages.
How Order Validation Works
The Validation System
When a customer completes an order, they’re redirected to the thank you page with special URL parameters:
/thank-you/?order-id=123&key=wc_order_abc123xyz
These parameters are used to:
- Verify the order exists
- Confirm the customer has permission to view it
- Load the correct order data
- Prevent unauthorized access
What Gets Validated
The plugin checks:
- Order ID – Does the order exist?
- Order Key – Does it match the stored order key?
- User Permission – Can this user view this order?
- Order Status – Is the order in a valid state?
Security Features
Order ID Validation
What it does: Verifies the order ID is valid and exists in the database
How it works:
- Checks if order ID is a number
- Queries WooCommerce for the order
- Returns error if order doesn’t exist
Protection against:
- Random URL access attempts
- Invalid order ID injection
- SQL injection attacks
Order Key Verification
What it does: Confirms the order key matches the stored key
How it works:
- WooCommerce generates a unique key for each order
- Key is stored securely in the database
- Plugin compares URL key with stored key
- Access denied if keys don’t match
Protection against:
- Unauthorized order viewing
- Order ID guessing attacks
- Brute force attempts
User Permission Checks
What it does: Ensures the customer can view this specific order
How it works:
- For logged-in users: Checks if user owns the order
- For guests: Relies on order key validation
- Verifies email matches for extra security
Protection against:
- Customer A viewing Customer B’s orders
- Unauthorized account access
- Cross-customer information leakage
Guest Checkout Support
How It Works for Guests
Guest customers (no account) can access their orders:
During Checkout
- WooCommerce creates an order
- Generates a unique order key
- No user account required
Redirect to Thank You Page
- URL includes order ID and key
- Guest can view their specific order
- Cannot view other orders
Security Maintained
- Order key acts as authentication
- Key is nearly impossible to guess
Guest Limitations
For security, guests:
- Can only access orders with the correct key
- Cannot view order history (no account)
- Lose access if they lose the URL
Logged-In Customer Support
Enhanced Security for Registered Users
For customers with accounts:
Dual Validation
- Order key is checked
- User ownership is verified
Account Association
- Order is linked to user account
- Can access via “My Account” page
- Order history is maintained
Additional Checks
- Email must match
- User ID must match order user ID
- Session validation included
Redirect Protection
Invalid Access Handling
If validation fails, customers are:
- Redirected to shop page or cart
- Prevented from seeing order data
What Triggers a Redirect
- Missing order ID parameter
- Missing order key parameter
- Invalid order ID
- Mismatched order key
- Order belongs to different user
- Deleted or non-existent order
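The validation steps and redirect triggers listed above, sketched as an added example against WooCommerce's public functions; this is not RedFox Thank You's own code. The `example_get_authorized_order` name, the `thank-you` page slug, the shop page as redirect target and the ownership policy for guests are assumptions.

```php
<?php
// Added example, not RedFox Thank You's source. example_* names are hypothetical.

/** Return the order this visitor may see, or null if any check fails. */
function example_get_authorized_order( array $query, int $current_user_id ): ?WC_Order {
    $raw_id  = $query['order-id'] ?? null;
    $raw_key = $query['key'] ?? null;

    // Missing parameters, or array input such as ?key[]=x, fail closed.
    if ( ! is_string( $raw_id ) || ! is_string( $raw_key ) || '' === $raw_key ) {
        return null;
    }
    // Order ID must be all digits; nothing else reaches the lookup.
    if ( ! ctype_digit( $raw_id ) ) {
        return null;
    }

    // wc_get_order() returns false for deleted or unknown IDs; the
    // instanceof test also rejects refund objects.
    $order = wc_get_order( (int) $raw_id );
    if ( ! $order instanceof WC_Order ) {
        return null;
    }

    // Constant-time comparison of the URL key with the stored key.
    $key = wc_clean( wp_unslash( $raw_key ) );
    if ( ! hash_equals( $order->get_order_key(), $key ) ) {
        return null;
    }

    // Assumed policy: a logged-in visitor must own an order that has an owner;
    // guests (user ID 0) rely on the key alone.
    $owner_id = (int) $order->get_customer_id();
    if ( $current_user_id > 0 && $owner_id > 0 && $owner_id !== $current_user_id ) {
        return null;
    }
    return $order;
}

add_action( 'template_redirect', function () {
    // 'thank-you' is the page slug assumed from the URL shown above.
    if ( ! is_page( 'thank-you' ) ) {
        return;
    }
    if ( null === example_get_authorized_order( $_GET, get_current_user_id() ) ) {
        wp_safe_redirect( wc_get_page_permalink( 'shop' ) );
        exit;
    }
} );
```

The order status and email checks mentioned earlier are left out because the page does not define them. Every failure path returns the same result, so the redirect does not reveal which check failed.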
Customizing Redirect Behavior
In plugin settings, you can configure:
- Where to redirect on validation failure
GDPR Compliance
For GDPR compliance:
- Order data shown only to authorized viewers
- Customer can request data deletion
- Plugin doesn’t create additional customer data
- Follows WordPress data handling standards