|
are server variables secure?
I'm working on a shopping cart page. In page A (checkout) the user
enters their credit card information. On postback, if everything is correct, it sends the user to page B (confirmation). My question is, can I (or should I) use server variables to send CC information to page B? My boss doesn't want me to store this information in the SQL database we're using. Obviously cookies are out of the question and so is passing info through request.querystring, so I was thinking on using session variables for this, but not sure if it's safe. What should I do? |
Re: are server variables secure?
wolfing1@gmail.com wrote: > I'm working on a shopping cart page. In page A (checkout) the user > enters their credit card information. On postback, if everything is > correct, it sends the user to page B (confirmation). My question is, > can I (or should I) use server variables to send CC information to page > B? My boss doesn't want me to store this information in the SQL > database we're using. Obviously cookies are out of the question and so > is passing info through request.querystring, so I was thinking on using > session variables for this, but not sure if it's safe. > What should I do? Anything at all? |
Re: are server variables secure?
wolfing1@gmail.com wrote:
> I'm working on a shopping cart page. In page A (checkout) the user > enters their credit card information. On postback, if everything is > correct, it sends the user to page B (confirmation). My question is, > can I (or should I) use server variables to send CC information to > page B? My boss doesn't want me to store this information in the SQL > database we're using. Legalities? > Obviously cookies are out of the question and > so is passing info through request.querystring, so I was thinking on > using session variables for this, but not sure if it's safe. > What should I do? Really can't add to this: http://www.velocityreviews.com/forum...variables.html More via this search: http://www.google.com/search?hl=en&l...secure%3F+-php -- Microsoft MVP -- ASP/ASP.NET Please reply to the newsgroup. The email account listed in my From header is my spam trap, so I don't check it very often. You will get a quicker response by posting to the newsgroup. |
Re: are server variables secure?
wolfing1@gmail.com wrote:
> I'm working on a shopping cart page. In page A (checkout) the user > enters their credit card information. On postback, if everything is > correct, it sends the user to page B (confirmation). My question is, > can I (or should I) use server variables to send CC information to > page B? My boss doesn't want me to store this information in the SQL > database we're using. Obviously cookies are out of the question and > so is passing info through request.querystring, so I was thinking on > using session variables for this, but not sure if it's safe. > What should I do? More: http://support.microsoft.com/kb/274149/ http://searchsecurity.techtarget.com...171079,00.html http://www.microsoft.com/technet/tec...g/default.aspx http://www.google.com/search?hl=en&l...session+hijack -- Microsoft MVP -- ASP/ASP.NET Please reply to the newsgroup. The email account listed in my From header is my spam trap, so I don't check it very often. You will get a quicker response by posting to the newsgroup. |
Re: are server variables secure?
Bob Barrows [MVP] wrote: > wolfing1@gmail.com wrote: > > I'm working on a shopping cart page. In page A (checkout) the user > > enters their credit card information. On postback, if everything is > > correct, it sends the user to page B (confirmation). My question is, > > can I (or should I) use server variables to send CC information to > > page B? My boss doesn't want me to store this information in the SQL > > database we're using. Obviously cookies are out of the question and > > so is passing info through request.querystring, so I was thinking on > > using session variables for this, but not sure if it's safe. > > What should I do? > More: > http://support.microsoft.com/kb/274149/ > http://searchsecurity.techtarget.com...171079,00.html > http://www.microsoft.com/technet/tec...g/default.aspx > http://www.google.com/search?hl=en&l...session+hijack > Interesting reads thank you. I didn't understand how a malicious user could 'read' the session variables even if they spoofed the session ID, unless I am presenting them back which I am not (i.e. from 'checkout' page I set the server variables, and then do a response.redirect to a 'confirmation' page which pretty much only says 'you sure you want to place the order for $x ?). Now, if in this confirmation page I showed the credit card info, then yes I see how it could be unsafe, but without showing it... I didn't see how someone could get server variables with a spoofed session ID. |
Re: are server variables secure?
wolfing1@gmail.com wrote:
> Bob Barrows [MVP] wrote: >> wolfing1@gmail.com wrote: >>> I'm working on a shopping cart page. In page A (checkout) the user >>> enters their credit card information. On postback, if everything is >>> correct, it sends the user to page B (confirmation). My question is, >>> can I (or should I) use server variables to send CC information to >>> page B? My boss doesn't want me to store this information in the >>> SQL database we're using. Obviously cookies are out of the >>> question and so is passing info through request.querystring, so I >>> was thinking on using session variables for this, but not sure if >>> it's safe. >>> What should I do? >> More: >> http://support.microsoft.com/kb/274149/ >> http://searchsecurity.techtarget.com...171079,00.html >> http://www.microsoft.com/technet/tec...g/default.aspx >> http://www.google.com/search?hl=en&l...session+hijack >> > Interesting reads thank you. I didn't understand how a malicious user > could 'read' the session variables even if they spoofed the session > ID, unless I am presenting them back which I am not (i.e. from > 'checkout' page I set the server variables, and then do a > response.redirect to a 'confirmation' page which pretty much only > says 'you sure you want to place the order for $x ?). Now, if in > this confirmation page I showed the credit card info, then yes I see > how it could be unsafe, but without showing it... I didn't see how > someone could get server variables with a spoofed session ID. As you say, as long as you are not sending it back to the client, then you are secure. That's the motivation of the sites like Paypal, which only display the last 4 digits when asking the user to confirm/select the credit card that should be used for a transaction. If a hacker gains access to your server and plants a file that dumps all the session variable values, then he can spoof a session and call that file. Of course, if that happens you'll have a lot more problems as well .... -- Microsoft MVP -- ASP/ASP.NET Please reply to the newsgroup. The email account listed in my From header is my spam trap, so I don't check it very often. You will get a quicker response by posting to the newsgroup. |
| All times are GMT. The time now is 05:00 AM. |
Powered by vBulletin®. Copyright ©2000 - 2013, vBulletin Solutions, Inc.
SEO by vBSEO ©2010, Crawlability, Inc.