are server variables secure?

 
 
wolfing1@gmail.com
      07-18-2006
I'm working on a shopping cart page. In page A (checkout) the user
enters their credit card information. On postback, if everything is
correct, it sends the user to page B (confirmation). My question is,
can I (or should I) use server variables to send CC information to page
B? My boss doesn't want me to store this information in the SQL
database we're using. Obviously cookies are out of the question and so
is passing info through request.querystring, so I was thinking on using
session variables for this, but not sure if it's safe.
What should I do?

 
wolfing1@gmail.com
      07-19-2006

(E-Mail Removed) wrote:
> I'm working on a shopping cart page. In page A (checkout) the user
> enters their credit card information. On postback, if everything is
> correct, it sends the user to page B (confirmation). My question is,
> can I (or should I) use server variables to send CC information to page
> B? My boss doesn't want me to store this information in the SQL
> database we're using. Obviously cookies are out of the question and so
> is passing info through request.querystring, so I was thinking on using
> session variables for this, but not sure if it's safe.
> What should I do?

Anything at all?

 
Bob Barrows [MVP]
      07-19-2006
(E-Mail Removed) wrote:
> I'm working on a shopping cart page. In page A (checkout) the user
> enters their credit card information. On postback, if everything is
> correct, it sends the user to page B (confirmation). My question is,
> can I (or should I) use server variables to send CC information to
> page B? My boss doesn't want me to store this information in the SQL
> database we're using.


Legalities?

> Obviously cookies are out of the question and
> so is passing info through request.querystring, so I was thinking on
> using session variables for this, but not sure if it's safe.
> What should I do?

Really can't add to this:
http://www.velocityreviews.com/forum...variables.html

More via this search:
http://www.google.com/search?hl=en&l...secure%3F+-php

--
Microsoft MVP -- ASP/ASP.NET
Please reply to the newsgroup. The email account listed in my From
header is my spam trap, so I don't check it very often. You will get a
quicker response by posting to the newsgroup.


 
Bob Barrows [MVP]
      07-19-2006
(E-Mail Removed) wrote:
> I'm working on a shopping cart page. In page A (checkout) the user
> enters their credit card information. On postback, if everything is
> correct, it sends the user to page B (confirmation). My question is,
> can I (or should I) use server variables to send CC information to
> page B? My boss doesn't want me to store this information in the SQL
> database we're using. Obviously cookies are out of the question and
> so is passing info through request.querystring, so I was thinking on
> using session variables for this, but not sure if it's safe.
> What should I do?

More:
http://support.microsoft.com/kb/274149/
http://searchsecurity.techtarget.com...171079,00.html
http://www.microsoft.com/technet/tec...g/default.aspx
http://www.google.com/search?hl=en&l...session+hijack

--
Microsoft MVP -- ASP/ASP.NET
Please reply to the newsgroup. The email account listed in my From
header is my spam trap, so I don't check it very often. You will get a
quicker response by posting to the newsgroup.


 
wolfing1@gmail.com
      07-19-2006

Bob Barrows [MVP] wrote:
> (E-Mail Removed) wrote:
> > I'm working on a shopping cart page. In page A (checkout) the user
> > enters their credit card information. On postback, if everything is
> > correct, it sends the user to page B (confirmation). My question is,
> > can I (or should I) use server variables to send CC information to
> > page B? My boss doesn't want me to store this information in the SQL
> > database we're using. Obviously cookies are out of the question and
> > so is passing info through request.querystring, so I was thinking on
> > using session variables for this, but not sure if it's safe.
> > What should I do?

> More:
> http://support.microsoft.com/kb/274149/
> http://searchsecurity.techtarget.com...171079,00.html
> http://www.microsoft.com/technet/tec...g/default.aspx
> http://www.google.com/search?hl=en&l...session+hijack
>

Interesting reads, thank you. I didn't understand how a malicious user
could 'read' the session variables even if they spoofed the session ID,
unless I am presenting them back which I am not (i.e. from 'checkout'
page I set the server variables, and then do a response.redirect to a
'confirmation' page which pretty much only says 'you sure you want to
place the order for $x ?'). Now, if in this confirmation page I showed
the credit card info, then yes I see how it could be unsafe, but
without showing it... I didn't see how someone could get server
variables with a spoofed session ID.

 
Bob Barrows [MVP]
      07-19-2006
(E-Mail Removed) wrote:
> Bob Barrows [MVP] wrote:
>> (E-Mail Removed) wrote:
>>> I'm working on a shopping cart page. In page A (checkout) the user
>>> enters their credit card information. On postback, if everything is
>>> correct, it sends the user to page B (confirmation). My question is,
>>> can I (or should I) use server variables to send CC information to
>>> page B? My boss doesn't want me to store this information in the
>>> SQL database we're using. Obviously cookies are out of the
>>> question and so is passing info through request.querystring, so I
>>> was thinking on using session variables for this, but not sure if
>>> it's safe.
>>> What should I do?

>> More:
>> http://support.microsoft.com/kb/274149/
>> http://searchsecurity.techtarget.com...171079,00.html
>> http://www.microsoft.com/technet/tec...g/default.aspx
>> http://www.google.com/search?hl=en&l...session+hijack
>>

> Interesting reads, thank you. I didn't understand how a malicious user
> could 'read' the session variables even if they spoofed the session
> ID, unless I am presenting them back which I am not (i.e. from
> 'checkout' page I set the server variables, and then do a
> response.redirect to a 'confirmation' page which pretty much only
> says 'you sure you want to place the order for $x ?'). Now, if in
> this confirmation page I showed the credit card info, then yes I see
> how it could be unsafe, but without showing it... I didn't see how
> someone could get server variables with a spoofed session ID.


As you say, as long as you are not sending it back to the client, then
you are secure.
That's the motivation of the sites like Paypal, which only display the
last 4 digits when asking the user to confirm/select the credit card
that should be used for a transaction.

If a hacker gains access to your server and plants a file that dumps all
the session variable values, then he can spoof a session and call that
file.
Of course, if that happens you'll have a lot more problems as well ....

--
Microsoft MVP -- ASP/ASP.NET
Please reply to the newsgroup. The email account listed in my From
header is my spam trap, so I don't check it very often. You will get a
quicker response by posting to the newsgroup.
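
The checkout-to-confirmation flow discussed in this thread, as an added example that is not code from any of the posters. It is a framework-neutral Python model: the `SESSIONS` dict stands in for the ASP Session object, and all function names and the test card number are assumptions made for illustration.

```python
import secrets

# Stand-in for the server-side session store (assumption: a real ASP
# application would use the Session object; nothing here reaches the client).
SESSIONS = {}

def mask_pan(pan):
    """Hide every digit except the last four, as on the confirmation page."""
    return "*" * (len(pan) - 4) + pan[-4:]

def checkout(raw_pan, amount):
    """Page A: validate input, keep the card server-side, return only a session ID."""
    pan = "".join(c for c in raw_pan if c.isdigit())
    if not 13 <= len(pan) <= 19:
        raise ValueError("card number must have 13 to 19 digits")
    sid = secrets.token_urlsafe(32)  # unguessable identifier sent in the cookie
    SESSIONS[sid] = {"pan": pan, "amount": amount}
    return sid

def confirmation_page(sid):
    """Page B: the response body is built from session state and never
    contains the full card number, whoever presents the session ID."""
    state = SESSIONS.get(sid)
    if state is None:
        return "Session expired, please re-enter your details."
    return "Place order for $%.2f with card %s?" % (
        state["amount"], mask_pan(state["pan"]))

def place_order(sid, charge):
    """Final step: hand the card to the payment call, then drop it from the
    session so it does not outlive the transaction."""
    state = SESSIONS.pop(sid, None)
    if state is None:
        return False
    charge(state["pan"], state["amount"])
    return True

if __name__ == "__main__":
    sid = checkout("4111 1111 1111 1111", 59.90)  # constructed test card number
    print(confirmation_page(sid))
    place_order(sid, lambda pan, amount: None)    # placeholder payment call
    print(confirmation_page(sid))
```

The confirmation response is the same for any client that presents the session ID, so the masked output is what bounds how much card data that ID can reveal.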


 