I'm working on a shopping cart page. In page A (checkout) the user
enters their credit card information. On postback, if everything is
correct, it sends the user to page B (confirmation). My question is,
can I (or should I) use server variables to send CC information to page
B? My boss doesn't want me to store this information in the SQL
database we're using. Obviously cookies are out of the question and so
is passing info through request.querystring, so I was thinking of using
session variables for this, but not sure if it's safe.
What should I do?

wo******@gmail.com wrote:
> I'm working on a shopping cart page. In page A (checkout) the user
> enters their credit card information. On postback, if everything is
> correct, it sends the user to page B (confirmation). My question is,
> can I (or should I) use server variables to send CC information to page
> B? My boss doesn't want me to store this information in the SQL
> database we're using. Obviously cookies are out of the question and so
> is passing info through request.querystring, so I was thinking of using
> session variables for this, but not sure if it's safe.
> What should I do?
Anything at all?

wo******@gmail.com wrote:
> I'm working on a shopping cart page. In page A (checkout) the user
> enters their credit card information. On postback, if everything is
> correct, it sends the user to page B (confirmation). My question is,
> can I (or should I) use server variables to send CC information to
> page B? My boss doesn't want me to store this information in the SQL
> database we're using.
Legalities?
> Obviously cookies are out of the question and
> so is passing info through request.querystring, so I was thinking of
> using session variables for this, but not sure if it's safe.
> What should I do?
Really can't add to this: http://www.velocityreviews.com/forum...variables.html
More via this search: http://www.google.com/search?hl=en&l...secure%3F+-php
--
Microsoft MVP -- ASP/ASP.NET
Please reply to the newsgroup. The email account listed in my From
header is my spam trap, so I don't check it very often. You will get a
quicker response by posting to the newsgroup.
Bob Barrows [MVP] wrote:
> wo******@gmail.com wrote:
>> I'm working on a shopping cart page. In page A (checkout) the user
>> enters their credit card information. On postback, if everything is
>> correct, it sends the user to page B (confirmation). My question is,
>> can I (or should I) use server variables to send CC information to
>> page B? My boss doesn't want me to store this information in the SQL
>> database we're using. Obviously cookies are out of the question and
>> so is passing info through request.querystring, so I was thinking of
>> using session variables for this, but not sure if it's safe.
>> What should I do?
More:
http://support.microsoft.com/kb/274149/
http://searchsecurity.techtarget.com...171079,00.html
http://www.microsoft.com/technet/tec...g/default.aspx
http://www.google.com/search?hl=en&l...session+hijack
Interesting reads, thank you. I didn't understand how a malicious user
could 'read' the session variables even if they spoofed the session ID,
unless I am presenting them back, which I am not (i.e. from the 'checkout'
page I set the server variables, and then do a response.redirect to a
'confirmation' page which pretty much only says 'you sure you want to
place the order for $x?'). Now, if in this confirmation page I showed
the credit card info, then yes I see how it could be unsafe, but
without showing it... I didn't see how someone could get server
variables with a spoofed session ID.

wo******@gmail.com wrote:
> Bob Barrows [MVP] wrote:
>> wo******@gmail.com wrote:
>>> I'm working on a shopping cart page. In page A (checkout) the user
>>> enters their credit card information. On postback, if everything is
>>> correct, it sends the user to page B (confirmation). My question is,
>>> can I (or should I) use server variables to send CC information to
>>> page B? My boss doesn't want me to store this information in the SQL
>>> database we're using. Obviously cookies are out of the question and
>>> so is passing info through request.querystring, so I was thinking of
>>> using session variables for this, but not sure if it's safe.
>>> What should I do?
>> More:
>> http://support.microsoft.com/kb/274149/
>> http://searchsecurity.techtarget.com...171079,00.html
>> http://www.microsoft.com/technet/tec...g/default.aspx
>> http://www.google.com/search?hl=en&l...session+hijack
> Interesting reads, thank you. I didn't understand how a malicious user
> could 'read' the session variables even if they spoofed the session
> ID, unless I am presenting them back, which I am not (i.e. from the
> 'checkout' page I set the server variables, and then do a
> response.redirect to a 'confirmation' page which pretty much only
> says 'you sure you want to place the order for $x?'). Now, if in
> this confirmation page I showed the credit card info, then yes I see
> how it could be unsafe, but without showing it... I didn't see how
> someone could get server variables with a spoofed session ID.
As you say, as long as you are not sending it back to the client, then
you are secure.
That's the motivation of sites like PayPal, which only display the
last 4 digits when asking the user to confirm/select the credit card
that should be used for a transaction.
If a hacker gains access to your server and plants a file that dumps all
the session variable values, then he can spoof a session and call that
file.
Of course, if that happens you'll have a lot more problems as well...
--
Microsoft MVP -- ASP/ASP.NET
Please reply to the newsgroup. The email account listed in my From
header is my spam trap, so I don't check it very often. You will get a
quicker response by posting to the newsgroup.
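The pattern the thread settles on (card data held in server-side session variables, a redirect that carries nothing but the opaque session id, and a confirmation page that shows only the last four digits) as an added Python example; this is not code from the thread or from classic ASP. `SessionStore`, `checkout_postback`, `confirmation_page`, `place_order`, `charge` and `SESSION_TTL` are assumed names standing in for the ASP Session object, Response.Redirect and a payment-gateway call, and the card number used below is a constructed sample value:

```python
"""Card data between a checkout page and a confirmation page, kept
server-side. Added example; names and the gateway call are assumptions."""
import secrets
import time

# Seconds the card may sit in a session before it is discarded.
# Assumed value for this example, not a figure from the thread.
SESSION_TTL = 600


class SessionStore:
    """Server-side store standing in for the ASP Session object.

    Values live only in server memory; the client holds nothing but the
    opaque session id. A spoofed id yields no data unless some page
    explicitly renders the stored values back to the client."""

    def __init__(self):
        self._entries = {}

    def create(self):
        # Unguessable id: spoofing means guessing 256 random bits,
        # not incrementing a counter.
        sid = secrets.token_urlsafe(32)
        self._entries[sid] = {"created": time.time(), "vars": {}}
        return sid

    def get(self, sid):
        """Return the session's variables, or None if unknown or expired."""
        entry = self._entries.get(sid)
        if entry is None:
            return None
        if time.time() - entry["created"] > SESSION_TTL:
            del self._entries[sid]
            return None
        return entry["vars"]


def mask_card(pan):
    """Render a card number the way the confirmation page shows it:
    every digit but the last four replaced."""
    digits = "".join(ch for ch in pan if ch.isdigit())
    return "*" * (len(digits) - 4) + digits[-4:]


def checkout_postback(store, sid, form):
    """Page A: validate the posted form, keep the card server-side, redirect."""
    session = store.get(sid)
    if session is None:
        return {"error": "no session"}
    digits = "".join(ch for ch in form.get("card", "") if ch.isdigit())
    if not 13 <= len(digits) <= 19:
        return {"error": "invalid card number"}
    session["card"] = digits                # server memory only
    session["amount"] = form.get("amount", "")
    return {"redirect": "/confirmation"}    # nothing about the card in the URL


def confirmation_page(store, sid):
    """Page B: build the confirmation text from the session. Only the
    masked card and the amount reach the client."""
    session = store.get(sid)
    if session is None or "card" not in session:
        return None
    return "Place the order for $%s on card %s?" % (
        session["amount"], mask_card(session["card"]))


def charge(pan, amount):
    """Placeholder for the payment-gateway call (assumption; the thread
    names no gateway). Real code hands the card to the processor here."""
    return {"status": "charged", "amount": amount, "last4": pan[-4:]}


def place_order(store, sid):
    """Final step: use the card once, then drop it from the session so it
    does not linger in memory after the transaction."""
    session = store.get(sid)
    if session is None or "card" not in session:
        return {"error": "no card on file"}
    return charge(session.pop("card"), session["amount"])


if __name__ == "__main__":
    store = SessionStore()
    sid = store.create()
    # Constructed sample number, not a real account.
    print(checkout_postback(store, sid, {"card": "4000 0000 0000 0002",
                                         "amount": "42.00"}))
    print(confirmation_page(store, sid))
    print(place_order(store, sid))
    print(confirmation_page(store, sid))    # None: the card is gone
```

Two checks worth keeping in a real implementation: the rendered confirmation page should never contain the full number (grep the output for it in a test), and the card should be removed from the session as soon as the charge has been submitted, so that a later dump of session state, or the session simply outliving the order, exposes as little as possible.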