I have two ASP pages

payment.asp:
For customers to fill in payment/card details (pre-populating the details if the details submitted were invalid and the user had to re-fill them in)

confirmorder.asp:
Displays the credit card details in hidden fields and also the order details from the database

My question is

1) If payment.asp submits to confirmorder.asp, then
1.1) I could get confirmorder.asp to display the card details in hidden fields
BUT
1.2) if the card details are invalid, how could I return the user to payment.asp with the card details pre-populated??
1.2.1) If I Response.Redirect, nothing would be pre-populated (unless I put the details in the query string, which is not what I wanted for security reasons)

2) If payment.asp submits to payment.asp, then
2.1) I could get the page to pre-populate the details on payment.asp if the card details are invalid BUT
2.2) How could I direct the user from confirmorder.asp back to payment.asp with the details pre-populated?
2.2.1) If I Response.Redirect, the hidden fields cannot be populated by reading in Request.Form!
I would try to avoid using Session, but if I were to use Session, would
Session data be held in the server's memory/RAM?
"Patrick" <pa**@reply.newsgroup.msn.com> wrote in message news:eL**************@tk2msftngp13.phx.gbl...
for confidential information (credit cards)...
don't use hidden fields.
don't use querystring.
use session or a db, it stays on the server, does not get passed to the client.
also when you redirect back to the first page, you can simply repopulate all the necessary data fields.
"Patrick" <pa**@reply.newsgroup.msn.com> wrote in message news:%2****************@TK2MSFTNGP15.phx.gbl...
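The advice above (keep the card in Session on the server, redirect, and repopulate the form from Session) worked through in classic ASP/VBScript; this is an example added here, not code from the thread. The two file names come from the thread; the field names, the Session keys, the Luhn check and the masked display are assumptions, and both files are shown in one block.

```asp
<%@ Language=VBScript %>
<% Option Explicit %>
<%
' ===== payment.asp (file name from the thread) =====
' The form posts to itself. On success the card goes into Session (server
' memory only) and the user is redirected to confirmorder.asp. Nothing
' sensitive is put in hidden fields or the query string; serve over SSL.
Dim cardName, cardNumber, expiry, errMsg
cardName = "" : cardNumber = "" : expiry = "" : errMsg = ""

' Luhn check (assumed validation): rejects typos before anything is stored
Function LuhnValid(s)
    Dim i, c, d, total, dbl
    LuhnValid = False
    If Len(s) < 13 Or Len(s) > 19 Then Exit Function
    total = 0 : dbl = False
    For i = Len(s) To 1 Step -1
        c = Mid(s, i, 1)
        If c < "0" Or c > "9" Then Exit Function
        d = CInt(c)
        If dbl Then
            d = d * 2
            If d > 9 Then d = d - 9
        End If
        total = total + d
        dbl = Not dbl
    Next
    LuhnValid = (total Mod 10 = 0)
End Function

If Request.ServerVariables("REQUEST_METHOD") = "POST" Then
    cardName   = Trim(Request.Form("cardName"))
    cardNumber = Replace(Trim(Request.Form("cardNumber")), " ", "")
    expiry     = Trim(Request.Form("expiry"))
    If Len(cardName) = 0 Then
        errMsg = "Name on card is required."
    ElseIf Not LuhnValid(cardNumber) Then
        errMsg = "Card number failed validation."
    End If
    If errMsg = "" Then
        Session("card.name")   = cardName
        Session("card.number") = cardNumber
        Session("card.expiry") = expiry
        Response.Redirect "confirmorder.asp"  ' needs Response.Buffer (IIS 5 default)
    End If
ElseIf Session("card.name") <> "" Then
    ' Arriving back from confirmorder.asp: repopulate from Session, so the
    ' redirect needs neither a query string nor hidden fields.
    cardName   = Session("card.name")
    cardNumber = Session("card.number")
    expiry     = Session("card.expiry")
End If
%>
<form method="post" action="payment.asp">
<% If errMsg <> "" Then %><p><%= Server.HTMLEncode(errMsg) %></p><% End If %>
Name on card: <input name="cardName" value="<%= Server.HTMLEncode(cardName) %>"><br>
Card number: <input name="cardNumber" value="<%= Server.HTMLEncode(cardNumber) %>"><br>
Expiry (MM/YY): <input name="expiry" value="<%= Server.HTMLEncode(expiry) %>"><br>
<input type="submit" value="Continue">
</form>

<%
' ===== confirmorder.asp (file name from the thread) =====
' Reads the card from Session instead of hidden fields; only a masked number
' is written into the HTML. "Change card" just links back to payment.asp.
If Session("card.number") = "" Then Response.Redirect "payment.asp"
Dim masked
masked = String(Len(Session("card.number")) - 4, "*") & Right(Session("card.number"), 4)
%>
<p>Paying with card <%= masked %> (<%= Server.HTMLEncode(Session("card.name")) %>)</p>
<a href="payment.asp">Change card</a>
```

Pre-filling the card number on the way back still echoes it into the page source, so if that is not acceptable, repopulate only the name and expiry and ask for the number again.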
Is stuff stored in a Session *completely* uncompromisable/unhackable (even for someone with [admin] access to the server)? (An IIS 5.0 server on Win2K Pro SP4)?
"caulker" <ws*******@ucsd.edu> wrote in message news:%2****************@TK2MSFTNGP10.phx.gbl...
In that scenario, nothing is completely secure.
--
Microsoft MVP - ASP/ASP.NET
Please reply to the newsgroup. This email account is my spam trap so I
don't check it very often. If you must reply off-line, then remove the
"NO SPAM"
But is it true that
1) Session data is held in the server's memory/RAM (as opposed to hard disk)?
2) Each HTTP client would have its own session data (so a client cannot access the session data of another HTTP client)?
3) Each Internet Explorer window would share the same session (unless the client starts a new instance of IE for each window), so session data would get corrupted?
4) If I do a Session.Contents.RemoveAll(), I am only removing session data for that particular HTTP client (and not all clients)?
(Short of using some low-level tools to access the server's memory, can data held in the Session be easily hacked, or at least as easily as selecting records from a SQL Server database?)
"Bob Barrows [MVP]" <re******@NOyahoo.SPAMcom> wrote in message news:O0**************@TK2MSFTNGP09.phx.gbl...
Patrick wrote:
> But is it true that
> 1) Session data is held in the Server's Memory/RAM (as opposed to hard-disk)?

Yes, unless RAM runs out and the system has to start paging to disk.

> 2) Each HTTP client would have its own session data (so a client cannot access session data of another HTTP client)

Yes. But there are spoofing exploits that you should research and be prepared for.

> 3) Each Internet Explorer Window would share the same session (unless the client starts a new instance of IE for each window), so session data would get corrupted

Unless the window is opened by code in the page, each window opened by a user will have its own session.

> 4) If I do a Session.Contents.RemoveAll(), I am only removing session data for that particular HTTP client (and not all clients).

Yes..

> (Short of using some low-level tools to access the server's memory, can data held in the Session be easily hackable, or at least as easily as selecting records from a SQL Server database?)

No. Low-level tools are required. Transmission of confidential data should of course be done via SSL.
http://msdn.microsoft.com/library/en...ychecklist.asp
http://msdn.microsoft.com/library/en...ngsessions.asp
http://www.aspfaq.com/show.asp?id=2053
--
Microsoft MVP -- ASP/ASP.NET
Please reply to the newsgroup. The email account listed in my From
header is my spam trap, so I don't check it very often. You will get a
quicker response by posting to the newsgroup.
Why shouldn't secure data be stored in hidden fields on web pages when the user moves from one page to another?
"Bob Barrows [MVP]" <re******@NOyahoo.SPAMcom> wrote in message news:%2****************@TK2MSFTNGP15.phx.gbl...
Silly. Create a page with a hidden field. Set the field's value to some text
and load the page in your browser. Click View|Source
Bob Barrows
So, a customer could "hack" their own credit card number, is that an issue?
Also in payment.asp, if invalid card details are entered, the user would be
taken back to the same page with card details pre-populated (for
corrections) anyway.
Also, the card number, Security number could be RC4 encrypted in the hidden
fields
"Bob Barrows [MVP]" <re******@NOyahoo.SPAMcom> wrote in message news:uX**************@TK2MSFTNGP10.phx.gbl...
No, a customer hacking his own number is not an issue. However, unless SSL is used, this data is sent to the browser in clear text, making it vulnerable to network sniffers. Also, pages are cached in the client, allowing somebody with physical access to the machine to read the source from the cache.
As for encryption, this could be an option, at the cost of adding extra complexity.
You've reached the limit of my experience with security issues. Unless someone else jumps in here, you may want to direct further questions to one of the security newsgroups.
Bob Barrows
Pages are sometimes cached locally. People sometimes walk away from public
computers without logging off the site (doh).
Help protect your customers and they will love (or at least not hate) you
for it.
"Patrick" <pa**@reply.newsgroup.msn.com> wrote in message news:ek**************@TK2MSFTNGP11.phx.gbl...
"Patrick" <pa**@reply.newsgroup.msn.com> wrote in message news:#d**************@TK2MSFTNGP09.phx.gbl...
> Why shouldn't secure data be stored in hidden fields on webpages when user move from one page to another?

Because hidden fields are revealed by a simple View Source in the browser.