JSF & Java Blog

Discussion on Java and JSF, including Spring, Maven, Eclipse and Jenkins

3D Secure and the PaReq field in Google Chrome & Safari Browsers


I recently had to implement the 3D Secure payment system.

In order to do this 3 fields must be sent to the 3D Secure ACS (Access Control Server)

  • MD
  • Term Url
  • PaReq (Payer authentication request)

Initally everything went well until we tested our pages in Google Chrome and Safari. Under both browsers the 3D Secure inline frame displayed the following message

“Error decoding PAREQ message”

A support page mentions that a PaReq contains newlines and that if any of these are missing the PaReq decoding will fail. The page also mentions that there are issues with Chrome and Safari but provides no solution.

So what is the problem?

The problem is indeed the newline.

In our markup we use and EL (Expression Language) to output the PaReq e.g.

<input type="hidden" name="PaReq" value="#{paReq}" />

If the PaReq returned a string such as

"I am
The PaReq

Note the quotes above mark the begining and end of the string. The string itself is terminated by a newline, in code it would be:

String paReq = "I am\nThe PaReq\n";

The browser should generate the following markup

<input type="hidden" name="PaReq" value="I am
The PaReq
" />

However Chrome and Safari generate the following markup (as both browsers do this I assume its a Webkit thing)

<input type="hidden" name="PaReq" value="I am
The PaReq" />

Note, the traililng newline has disappeared and herein lies the problem, the server fails to recoginse the PaReq as the trailing newline has gone (currently Chrome 4.0.429.89 contains the above bug).

The fix? Dont use Chrome or Safari, Only kidding

The way we overcame this was to use a “hidden” textarea

<textarea name="PaReq" style="display:none">#{paReq}</textarea>

Which renders

<textarea name="PaReq" style="display:none">I am
The PaReq

In all browsers and preserves the trailing newline. The style=”display:none” hides the textarea. Although this is crude it does provide a fix for Chrome and Safari.


  1. Darrell Martin

    I too have come across this issue. Here is my fix.

    The PaReq returned for the cardsave gateway contains line breaks which when parsed through the ACSFrame form breaks the bank’s acs script.

    Replace the all line break instances within the PaReq from the returned cardsave gateway with a the ‘+’ character. i.e

    // parse the cardsave gateway’s returned PaReq into the session
    $_SESSION[‘PaREQ’] = $return[‘PaREQ’];

    // replace the line break instances with ‘+’ character
    $_SESSION[‘PaREQ’] = str_replace(” “, “+”, $_SESSION[‘PaREQ’]);

    • Dan

      Strictly speaking, this is not a “line break” instance but actually an encode/decode issue with spaces…

      PaReq/PaRes are Base-64 encoded strings. Base-64 strings contain “+” but will never contain spaces. this value is likely transferred to you via the internet as the “value” attribute of a hidden input field (POST) or as part of the query string portion of the URL itself (GET). Most programming languages will automatically URL decode these received values. URL Decoding will replace “+” with ” ” which in turn renders the Base-64 string invalid. Of course, your solution of replacing ” ” with “+” will fix this and make the Base-64 valid again…


So, what do you think ?

  • *