I have two ASP pages
payment.asp:
For customers to fill in payment/card details (pre-populating details if
details submitted were invalid and user had to re-fill in details)
confirmorder.asp:
Display the credit card details in hidden fields and also the order details
from Database
My question is
1) If payment.asp submits to confirmorder.asp, then
1.1) I could get confirmorder.asp to display card details in hidden fields
BUT
1.2) But if card details are invalid how could I return user to payment.asp
with card details pre-populated??
1.2.1) If I Response.Redirect, nothing would be pre-populating (unless I put
in details in Query string, which is not what I wanted for security reasons)
2) If payment.asp submits to payment.asp then
2.1) I could get page to pre-populate details on payment.asp if card details
are invalid BUT
2.2) How could I direct user from confirmorder.asp back to payment.asp with
details pre-populated
1.2.2) If I Response.Redirect, hidden fields cannot be populated by reading
in Request.form!
I would try to avoid using Session, but if I were to use Session, would
Session data be held in the server's memory/RAM?
caulker wrote:
for confidential information (credit cards)...
don't use hidden fields.
don't use querystring.
use session or a db, it stays on the server, does not get passed to the
client.
also when you redirect back to the first page, you can simply repopulate all
the necessary data fields.
Is stuff stored in a Session *completely* uncompromisable/unhackable (even
for someone with [admin] access to the server)? (An IIS5.0 Server on Win2K
Pro SP4)?
In that scenario, nothing is completely secure.
--
Microsoft MVP - ASP/ASP.NET
Please reply to the newsgroup. This email account is my spam trap so I
don't check it very often. If you must reply off-line, then remove the
"NO SPAM"
But is it true that
1) Session data is held in the Server's Memory/RAM (as opposed to
hard-disk)?
2) Each HTTP client would have its own session data (so a client cannot
access session data of another HTTP client)
3) Each Internet Explorer Window would share the same session (unless the
client starts a new instance of IE for each window), so session data would
get corrupted
4) If I do a Session.Contents.RemoveAll(), I am only removing session data
for that particular HTTP client (and not all clients).
(Short of using some low-level tools to access the server's memory, can data
held in the Session be easily hackable, or at least as easily as selecting
records from a SQL Server database?)
Patrick wrote:
> But is it true that
> 1) Session data is held in the Server's Memory/RAM (as opposed to hard-disk)?
Yes, unless RAM runs out and the system has to start paging to disk.
> 2) Each HTTP client would have its own session data (so a client cannot access session data of another HTTP client)
Yes. But there are spoofing exploits that you should research and be
prepared for.
> 3) Each Internet Explorer Window would share the same session (unless the client starts a new instance of IE for each window), so session data would get corrupted
Unless the window is opened by code in the page, each window opened by a
user will have its own session.
> 4) If I do a Session.Contents.RemoveAll(), I am only removing session data for that particular HTTP client (and not all clients).
Yes..
> (Short of using some low-level tools to access the server's memory, can data held in the Session be easily hackable, or at least as easily as selecting records from a SQL Server database?)
No. Low-level tools are required. Transmission of confidential data should
of course be done via SSL.
http://msdn.microsoft.com/library/en...ychecklist.asp
http://msdn.microsoft.com/library/en...ngsessions.asp
http://www.aspfaq.com/show.asp?id=2053
Bob Barrows
--
Microsoft MVP -- ASP/ASP.NET
Please reply to the newsgroup. The email account listed in my From
header is my spam trap, so I don't check it very often. You will get a
quicker response by posting to the newsgroup.
Why shouldn't secure data be stored in hidden fields on webpages when the user
moves from one page to another?
Silly. Create a page with a hidden field. Set the field's value to some text
and load the page in your browser. Click View|Source
Bob Barrows
So, a customer could "hack" their own credit card number, is that an issue?
Also in payment.asp, if invalid card details are entered, the user would be
taken back to the same page with card details pre-populated (for
corrections) anyway.
Also, the card number and security number could be RC4 encrypted in the hidden
fields
No, a customer hacking his own number is not an issue. However, unless SSL
is used, this data is sent to the browser in clear text, making it
vulnerable to network sniffers. Also, pages are cached in the client,
allowing somebody with physical access to the machine to read the source
from the cache.
As for encryption, this could be an option, at the cost of adding extra
complexity.
You've reached the limit of my experience with security issues. Unless
someone else jumps in here, you may want to direct further questions to one
of the security newsgroups.
Bob Barrows
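The flow caulker recommends (card details held in Session, redirect, repopulate from Session rather than Request.Form or the query string) combined with the SSL and client-cache points from Bob's reply above, as an added example written for this thread and not code from any poster: a payment.asp that never puts the card number in a hidden field, the URL, or the rendered HTML. The session key names pay_pan and pay_exp, the 403 response on plain HTTP, and the masked-number display are assumptions of the example.

```vbscript
<%@ Language=VBScript %>
<% Option Explicit
' payment.asp (constructed example): card details live in Session on the server,
' never in hidden fields or the query string, and the full number never goes back to the HTML.
' Refuse card data over plain HTTP: without SSL the form round-trips in the clear.
If LCase(Request.ServerVariables("HTTPS")) <> "on" Then
    Response.Status = "403 Forbidden"
    Response.End
End If
' Keep the rendered page out of browser and proxy caches.
Response.CacheControl = "no-store"
Response.AddHeader "Pragma", "no-cache"
Response.Expires = -1

Function LuhnOk(pan)
    ' Mod-10 check digit carried by card numbers; it catches typos, not fraud.
    Dim i, d, total, dbl
    total = 0 : dbl = False
    For i = Len(pan) To 1 Step -1
        d = CInt(Mid(pan, i, 1))
        If dbl Then
            d = d * 2
            If d > 9 Then d = d - 9
        End If
        total = total + d
        dbl = Not dbl
    Next
    LuhnOk = (total Mod 10 = 0)
End Function

Function IsValidCard(pan, expiry)
    ' Format checks only; the real authorisation is the payment gateway's job.
    Dim re
    IsValidCard = False
    Set re = New RegExp
    re.Pattern = "^[0-9]{13,19}$"
    If Not re.Test(pan) Then Exit Function
    re.Pattern = "^(0[1-9]|1[0-2])/[0-9]{2}$"
    If Not re.Test(expiry) Then Exit Function
    IsValidCard = LuhnOk(pan)
End Function

Function MaskPan(pan)
    ' Only the last four digits ever reach the browser.
    If Len(pan) < 4 Then
        MaskPan = ""
    Else
        MaskPan = String(Len(pan) - 4, "*") & Right(pan, 4)
    End If
End Function
Dim pan, expiry, errMsg
pan = "" : expiry = "" : errMsg = ""
If Request.Form("action") = "submit" Then
    pan    = Replace(Request.Form("pan"), " ", "")
    expiry = Trim(Request.Form("expiry"))
    ' An empty number field means "keep the one already held in Session".
    If pan = "" Then pan = Session("pay_pan") & ""
    If IsValidCard(pan, expiry) Then
        Session("pay_pan") = pan   ' server-side only; never sent to the client
        Session("pay_exp") = expiry
        ' The card security code is deliberately not stored anywhere.
        Response.Redirect "confirmorder.asp"   ' nothing card-related in the URL
    Else
        errMsg = "The card details you entered are not valid."
    End If
ElseIf Len(Session("pay_pan") & "") > 0 Then
    ' Back from confirmorder.asp: Request.Form is empty after a redirect, so
    ' the form is repopulated from Session, with the number shown masked.
    pan    = Session("pay_pan") & ""
    expiry = Session("pay_exp") & ""
End If
%>
<form method="post" action="payment.asp">
  <input type="hidden" name="action" value="submit">
  <% If errMsg <> "" Then Response.Write "<p>" & Server.HTMLEncode(errMsg) & "</p>" %>
  <p>Card number (<%= Server.HTMLEncode(MaskPan(pan)) %> on file; leave blank to keep it):
     <input type="text" name="pan" autocomplete="off"></p>
  <p>Expiry (MM/YY): <input type="text" name="expiry" value="<%= Server.HTMLEncode(expiry) %>"></p>
  <input type="submit" value="Continue">
</form>
```

confirmorder.asp reads Session("pay_pan") the same way, shows it masked beside the order loaded from the database, and on a declined card simply does Response.Redirect "payment.asp", which then repopulates from Session as above.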
Pages are sometimes cached locally. People sometimes walk away from public
computers without logging off the site (doh).
Help protect your customers and they will love (or at least not hate) you
for it.
Patrick wrote:
> Why shouldn't secure data be stored in hidden fields on webpages when the user moves from one page to another?
Because hidden fields are revealed by a simple View Source in the browser.