Passing fields from one page to another

I have two ASP pages
payment.asp:
For customers to fill in payment/card details (pre-populating details if
details submitted were invalid and user had to re-fill in details)

confirmorder.asp:
Display the credit card details in hidden fields and also the order details from Database

My question is
1) If payment.asp submit to confirmorder.asp, then
1.1) I could get confirmorder.asp to display card details in hidden fields
BUT
1.2) But if card details are invalid how could I return user to payment.asp with card details prepopulated??
1.2.1) If I Response.Redirect, nothing would be pre-popualting (unless I put in details in Query string, which is not what I wanted for security reasons)
2) If payment.asp submit to payment.asp then
2.1) I could get page to pre-populate details on payment.asp if card details are invalid BUT
2.2) How could I direct user to confirmorder.asp back to payment.asp with
details pre-populated
1.2.2) If I Response.Redirect, hidden fields cannot be populated by reading in Request.form!

I would try to avoid using Session, but if I were to use Session, would
Session data be held in the server's memory/RAM?

"Patrick" <pa**@reply.newsgroup.msn.com> wrote in message
news:eL**************@tk2msftngp13.phx.gbl...

I have two ASP pages
payment.asp:
For customers to fill in payment/card details (pre-populating details if
details submitted were invalid and user had to re-fill in details)

confirmorder.asp:
Display the credit card details in hidden fields and also the order

details

from Database

My question is
1) If payment.asp submit to confirmorder.asp, then
1.1) I could get confirmorder.asp to display card details in hidden
fields
BUT
1.2) But if card details are invalid how could I return user to

payment.asp

with card details prepopulated??
1.2.1) If I Response.Redirect, nothing would be pre-popualting (unless I

put

in details in Query string, which is not what I wanted for security

reasons)

2) If payment.asp submit to payment.asp then
2.1) I could get page to pre-populate details on payment.asp if card

details

are invalid BUT
2.2) How could I direct user to confirmorder.asp back to payment.asp with
details pre-populated
1.2.2) If I Response.Redirect, hidden fields cannot be populated by

reading

in Request.form!

for confidential information (credit cards)...
don't use hidden fields.
dont' use querystring.
use session or a db, it stays on the server, does not get passed to the
client.

also when you redirect back to the first page, you can simply repopulate all the necessary data fields.
"Patrick" <pa**@reply.newsgroup.msn.com> wrote in message
news:%2****************@TK2MSFTNGP15.phx.gbl...

I would try to avoid using Session, but if I were to use Session, would
Session data be held in the server's memory/RAM?

"Patrick" <pa**@reply.newsgroup.msn.com> wrote in message
news:eL**************@tk2msftngp13.phx.gbl...

I have two ASP pages
payment.asp:
For customers to fill in payment/card details (pre-populating details if details submitted were invalid and user had to re-fill in details)

confirmorder.asp:
Display the credit card details in hidden fields and also the order

details

from Database

My question is
1) If payment.asp submit to confirmorder.asp, then
1.1) I could get confirmorder.asp to display card details in hidden
fields
BUT
1.2) But if card details are invalid how could I return user to

payment.asp

with card details prepopulated??
1.2.1) If I Response.Redirect, nothing would be pre-popualting (unless I

put

in details in Query string, which is not what I wanted for security

reasons)

2) If payment.asp submit to payment.asp then
2.1) I could get page to pre-populate details on payment.asp if card

details

are invalid BUT
2.2) How could I direct user to confirmorder.asp back to payment.asp

with details pre-populated
1.2.2) If I Response.Redirect, hidden fields cannot be populated by

reading

in Request.form!

Is stuffed stored in a Session *completely*
uncompromisable/unhackable (even for someone with [admin] access to
the server)? (A IIS5.0 Server on Win2K Pro SP4)?

"caulker" <ws*******@ucsd.edu> wrote in message
news:%2****************@TK2MSFTNGP10.phx.gbl...

for confidential information (credit cards)...
don't use hidden fields.
dont' use querystring.
use session or a db, it stays on the server, does not get passed to
the client.

also when you redirect back to the first page, you can simply
repopulate all the necessary data fields.
"Patrick" <pa**@reply.newsgroup.msn.com> wrote in message
news:%2****************@TK2MSFTNGP15.phx.gbl...

I would try to avoid using Session, but if I were to use Session,
would Session data be held in the server's memory/RAM?

"Patrick" <pa**@reply.newsgroup.msn.com> wrote in message
news:eL**************@tk2msftngp13.phx.gbl...
I have two ASP pages
payment.asp:
For customers to fill in payment/card details (pre-populating
details if details submitted were invalid and user had to re-fill
in details)

confirmorder.asp:
Display the credit card details in hidden fields and also the
order details from Database

My question is
1) If payment.asp submit to confirmorder.asp, then
1.1) I could get confirmorder.asp to display card details in hidden
fields
BUT
1.2) But if card details are invalid how could I return user to
payment.asp with card details prepopulated??
1.2.1) If I Response.Redirect, nothing would be pre-popualting
(unless I put in details in Query string, which is not what I
wanted for security reasons)

2) If payment.asp submit to payment.asp then
2.1) I could get page to pre-populate details on payment.asp if
card details are invalid BUT
2.2) How could I direct user to confirmorder.asp back to
payment.asp with details pre-populated
1.2.2) If I Response.Redirect, hidden fields cannot be populated
by reading in Request.form!

In that scenario, nothing is completely secure.

Patrick wrote:

Is stuffed stored in a Session *completely*
uncompromisable/unhackable (even for someone with [admin] access to
the server)? (A IIS5.0 Server on Win2K Pro SP4)?

"caulker" <ws*******@ucsd.edu> wrote in message
news:%2****************@TK2MSFTNGP10.phx.gbl...

for confidential information (credit cards)...
don't use hidden fields.
dont' use querystring.
use session or a db, it stays on the server, does not get passed to
the client.

also when you redirect back to the first page, you can simply
repopulate all the necessary data fields.
"Patrick" <pa**@reply.newsgroup.msn.com> wrote in message
news:%2****************@TK2MSFTNGP15.phx.gbl...
I would try to avoid using Session, but if I were to use Session,
would Session data be held in the server's memory/RAM?

"Patrick" <pa**@reply.newsgroup.msn.com> wrote in message
news:eL**************@tk2msftngp13.phx.gbl...
> I have two ASP pages
> payment.asp:
> For customers to fill in payment/card details (pre-populating
> details if details submitted were invalid and user had to re-fill
> in details)
>
> confirmorder.asp:
> Display the credit card details in hidden fields and also the
> order details from Database
>
> My question is
> 1) If payment.asp submit to confirmorder.asp, then
> 1.1) I could get confirmorder.asp to display card details in hidden
> fields
> BUT
> 1.2) But if card details are invalid how could I return user to
> payment.asp with card details prepopulated??
> 1.2.1) If I Response.Redirect, nothing would be pre-popualting
> (unless I put in details in Query string, which is not what I
> wanted for security reasons)
>
> 2) If payment.asp submit to payment.asp then
> 2.1) I could get page to pre-populate details on payment.asp if
> card details are invalid BUT
> 2.2) How could I direct user to confirmorder.asp back to
> payment.asp with details pre-populated
> 1.2.2) If I Response.Redirect, hidden fields cannot be populated
> by reading in Request.form!

--
Microsoft MVP - ASP/ASP.NET
Please reply to the newsgroup. This email account is my spam trap so I
don't check it very often. If you must reply off-line, then remove the
"NO SPAM"

But is it true that
1) Session data is held in the Server's Memory/RAM (as opposed to
hard-disk)?
Yes, unless RAM runs out and the system has to start paging to disk.
2) Each HTTP client would has its own session data (so a client cannot
access session data of another HTTP client)
Yes. But there are spoofing exploits that you should research and be
prepared for.
3) Each Internet Explorer Window would share the same session (unless
the client start a new instance of IE for each window), so session
data would get corrupted
Unless the window is opened by code in the page, each window opened by a
user will have its own session.
4) If I do a Session.Contents.RemoveAll(), I am only removing session
data for that particular HTTP client (and not all clients).
Yes..

(Short of using some low-level tools to access the server's memory,
can data held in the Session be easily hackable, or at least as
easily as selecting records from a SQL Server database?)
No. Low-level tools are required. Transmission of confidential data should
of course be done via SSL.

http://msdn.microsoft.com/library/en...ychecklist.asp

http://msdn.microsoft.com/library/en...ngsessions.asp

http://www.aspfaq.com/show.asp?id=2053

Bob Barrows


"Bob Barrows [MVP]" <re******@NOyahoo.SPAMcom> wrote in message
news:O0**************@TK2MSFTNGP09.phx.gbl...

In that scenario, nothing is completely secure.

Patrick wrote:

Is stuffed stored in a Session *completely*
uncompromisable/unhackable (even for someone with [admin] access to
the server)? (A IIS5.0 Server on Win2K Pro SP4)?

"caulker" <ws*******@ucsd.edu> wrote in message
news:%2****************@TK2MSFTNGP10.phx.gbl...
for confidential information (credit cards)...
don't use hidden fields.
dont' use querystring.
use session or a db, it stays on the server, does not get passed to
the client.

also when you redirect back to the first page, you can simply
repopulate all the necessary data fields.
"Patrick" <pa**@reply.newsgroup.msn.com> wrote in message
news:%2****************@TK2MSFTNGP15.phx.gbl...
> I would try to avoid using Session, but if I were to use Session,
> would Session data be held in the server's memory/RAM?
>
> "Patrick" <pa**@reply.newsgroup.msn.com> wrote in message
> news:eL**************@tk2msftngp13.phx.gbl...
>> I have two ASP pages
>> payment.asp:
>> For customers to fill in payment/card details (pre-populating
>> details if details submitted were invalid and user had to re-fill
>> in details)
>>
>> confirmorder.asp:
>> Display the credit card details in hidden fields and also the
>> order details from Database
>>
>> My question is
>> 1) If payment.asp submit to confirmorder.asp, then
>> 1.1) I could get confirmorder.asp to display card details in
>> hidden fields
>> BUT
>> 1.2) But if card details are invalid how could I return user to
>> payment.asp with card details prepopulated??
>> 1.2.1) If I Response.Redirect, nothing would be pre-popualting
>> (unless I put in details in Query string, which is not what I
>> wanted for security reasons)
>>
>> 2) If payment.asp submit to payment.asp then
>> 2.1) I could get page to pre-populate details on payment.asp if
>> card details are invalid BUT
>> 2.2) How could I direct user to confirmorder.asp back to
>> payment.asp with details pre-populated
>> 1.2.2) If I Response.Redirect, hidden fields cannot be populated
>> by reading in Request.form!

--
Microsoft MVP - ASP/ASP.NET
Please reply to the newsgroup. This email account is my spam trap so
I don't check it very often. If you must reply off-line, then remove
the "NO SPAM"

Patrick wrote:

But is it true that
1) Session data is held in the Server's Memory/RAM (as opposed to
hard-disk)?
Yes, unless RAM runs out and the system has to start paging to disk.

2) Each HTTP client would has its own session data (so a client cannot
access session data of another HTTP client)

Yes. But there are spoofing exploits that you should research and be
prepared for.

3) Each Internet Explorer Window would share the same session (unless
the client start a new instance of IE for each window), so session
data would get corrupted

Unless the window is opened by code in the page, each window opened by a
user will have its own session.

4) If I do a Session.Contents.RemoveAll(), I am only removing session
data for that particular HTTP client (and not all clients).

Yes..

(Short of using some low-level tools to access the server's memory,
can data held in the Session be easily hackable, or at least as
easily as selecting records from a SQL Server database?)

No. Low-level tools are required. Transmission of confidential data should
of course be done via SSL.

http://msdn.microsoft.com/library/en...ychecklist.asp
http://msdn.microsoft.com/library/en...ngsessions.asp

http://www.aspfaq.com/show.asp?id=2053

Bob Barrows

"Bob Barrows [MVP]" <re******@NOyahoo.SPAMcom> wrote in message
news:O0**************@TK2MSFTNGP09.phx.gbl...

In that scenario, nothing is completely secure.

Patrick wrote:
Is stuffed stored in a Session *completely*
uncompromisable/unhackable (even for someone with [admin] access to
the server)? (A IIS5.0 Server on Win2K Pro SP4)?

"caulker" <ws*******@ucsd.edu> wrote in message
news:%2****************@TK2MSFTNGP10.phx.gbl...
> for confidential information (credit cards)...
> don't use hidden fields.
> dont' use querystring.
> use session or a db, it stays on the server, does not get passed to
> the client.
>
> also when you redirect back to the first page, you can simply
> repopulate all the necessary data fields.
>
>
> "Patrick" <pa**@reply.newsgroup.msn.com> wrote in message
> news:%2****************@TK2MSFTNGP15.phx.gbl...
>> I would try to avoid using Session, but if I were to use Session,
>> would Session data be held in the server's memory/RAM?
>>
>> "Patrick" <pa**@reply.newsgroup.msn.com> wrote in message
>> news:eL**************@tk2msftngp13.phx.gbl...
>>> I have two ASP pages
>>> payment.asp:
>>> For customers to fill in payment/card details (pre-populating
>>> details if details submitted were invalid and user had to re-fill
>>> in details)
>>>
>>> confirmorder.asp:
>>> Display the credit card details in hidden fields and also the
>>> order details from Database
>>>
>>> My question is
>>> 1) If payment.asp submit to confirmorder.asp, then
>>> 1.1) I could get confirmorder.asp to display card details in
>>> hidden fields
>>> BUT
>>> 1.2) But if card details are invalid how could I return user to
>>> payment.asp with card details prepopulated??
>>> 1.2.1) If I Response.Redirect, nothing would be pre-popualting
>>> (unless I put in details in Query string, which is not what I
>>> wanted for security reasons)
>>>
>>> 2) If payment.asp submit to payment.asp then
>>> 2.1) I could get page to pre-populate details on payment.asp if
>>> card details are invalid BUT
>>> 2.2) How could I direct user to confirmorder.asp back to
>>> payment.asp with details pre-populated
>>> 1.2.2) If I Response.Redirect, hidden fields cannot be populated
>>> by reading in Request.form!

--
Microsoft MVP - ASP/ASP.NET
Please reply to the newsgroup. This email account is my spam trap so
I don't check it very often. If you must reply off-line, then remove
the "NO SPAM"

--
Microsoft MVP -- ASP/ASP.NET
Please reply to the newsgroup. The email account listed in my From
header is my spam trap, so I don't check it very often. You will get a
quicker response by posting to the newsgroup.

Why shouldn't secure data be stored in hidden fields on webpages when
user move from one page to another?

Silly. Create a page with a hidden field. Set the field's value to some text and load the page in your browser. Click View|Source

Bob Barrows

Patrick wrote:

Why shouldn't secure data be stored in hidden fields on webpages when
user move from one page to another?

--
Microsoft MVP -- ASP/ASP.NET
Please reply to the newsgroup. The email account listed in my From
header is my spam trap, so I don't check it very often. You will get a
quicker response by posting to the newsgroup.

So, a customer could "hack" their own credit card number, is that an
issue?

Also in payment.asp, if invalid card details are entered, the user
would be taken back to the same page with card details pre-populated
(for corrections) anyway.

Also, the card number, Security number could be RC4 encrypted in the
hidden fields

"Bob Barrows [MVP]" <re******@NOyahoo.SPAMcom> wrote in message
news:uX**************@TK2MSFTNGP10.phx.gbl...

Silly. Create a page with a hidden field. Set the field's value to
some text and load the page in your browser. Click View|Source

Bob Barrows

Patrick wrote:

Why shouldn't secure data be stored in hidden fields on webpages
when user move from one page to another?

So, a customer could "hack" their own credit card number, is that an issue?
Also in payment.asp, if invalid card details are entered, the user would be taken back to the same page with card details pre-populated (for
corrections) anyway.

Also, the card number, Security number could be RC4 encrypted in the hidden fields

"Bob Barrows [MVP]" <re******@NOyahoo.SPAMcom> wrote in message
news:uX**************@TK2MSFTNGP10.phx.gbl...

Silly. Create a page with a hidden field. Set the field's value to some

text

and load the page in your browser. Click View|Source

Bob Barrows

Patrick wrote:

Why shouldn't secure data be stored in hidden fields on webpages when
user move from one page to another?

--
Microsoft MVP -- ASP/ASP.NET
Please reply to the newsgroup. The email account listed in my From
header is my spam trap, so I don't check it very often. You will get a
quicker response by posting to the newsgroup.

Why shouldn't secure data be stored in hidden fields on webpages when user
move from one page to another?