are server variables secure?
I'm working on a shopping cart page. In page A (checkout) the user
enters their credit card information. On postback, if everything is
correct, it sends the user to page B (confirmation). My question is,
can I (or should I) use server variables to send CC information to
page B? My boss doesn't want me to store this information in the SQL
database we're using. Obviously cookies are out of the question and so
is passing info through request.querystring, so I was thinking of using
session variables for this, but not sure if it's safe.
What should I do?


wolfi***@gmail.com wrote:
> I'm working on a shopping cart page. In page A (checkout) the user
> enters their credit card information. On postback, if everything is
> correct, it sends the user to page B (confirmation). My question is,
> can I (or should I) use server variables to send CC information to
> page B? My boss doesn't want me to store this information in the SQL
> database we're using. Obviously cookies are out of the question and so
> is passing info through request.querystring, so I was thinking of
> using session variables for this, but not sure if it's safe.
> What should I do?

Anything at all?


wolfi***@gmail.com wrote:
> I'm working on a shopping cart page. In page A (checkout) the user
> enters their credit card information. On postback, if everything is
> correct, it sends the user to page B (confirmation). My question is,
> can I (or should I) use server variables to send CC information to
> page B? My boss doesn't want me to store this information in the SQL
> database we're using.

Legalities?

> Obviously cookies are out of the question and so is passing info
> through request.querystring, so I was thinking of using session
> variables for this, but not sure if it's safe.
> What should I do?

Really can't add to this:
http://www.velocityreviews.com/forums/t90777-how-secure-are-session-variables.html

More via this search:
http://www.google.com/search?hl=en&lr=&c2coff=1&rls=GGLD%2CGGLD%3A2005-37%2CGGLD%3Aen&q=Are+session+variables+secure%3F+-php

-- 
Microsoft MVP -- ASP/ASP.NET
Please reply to the newsgroup. The email account listed in my From
header is my spam trap, so I don't check it very often. You will get a
quicker response by posting to the newsgroup.


wolfi***@gmail.com wrote:
> I'm working on a shopping cart page. In page A (checkout) the user
> enters their credit card information. On postback, if everything is
> correct, it sends the user to page B (confirmation). My question is,
> can I (or should I) use server variables to send CC information to
> page B? My boss doesn't want me to store this information in the SQL
> database we're using. Obviously cookies are out of the question and
> so is passing info through request.querystring, so I was thinking of
> using session variables for this, but not sure if it's safe.
> What should I do?

More:
http://support.microsoft.com/kb/274149/
http://searchsecurity.techtarget.com/generic/0,295582,sid14_gci1171079,00.html
http://www.microsoft.com/technet/technetmag/issues/2005/01/SessionHijacking/default.aspx
http://www.google.com/search?hl=en&lr=&c2coff=1&rls=GGLD%2CGGLD%3A2005-37%2CGGLD%3Aen&q=session+hijack

-- 
Microsoft MVP -- ASP/ASP.NET
Please reply to the newsgroup. The email account listed in my From
header is my spam trap, so I don't check it very often. You will get a
quicker response by posting to the newsgroup.


Bob Barrows [MVP] wrote:
> wolfi***@gmail.com wrote:
>> I'm working on a shopping cart page. In page A (checkout) the user
>> enters their credit card information. On postback, if everything is
>> correct, it sends the user to page B (confirmation). My question is,
>> can I (or should I) use server variables to send CC information to
>> page B? My boss doesn't want me to store this information in the SQL
>> database we're using. Obviously cookies are out of the question and
>> so is passing info through request.querystring, so I was thinking of
>> using session variables for this, but not sure if it's safe.
>> What should I do?
>
> More:
> http://support.microsoft.com/kb/274149/
> http://searchsecurity.techtarget.com/generic/0,295582,sid14_gci1171079,00.html
> http://www.microsoft.com/technet/technetmag/issues/2005/01/SessionHijacking/default.aspx
> http://www.google.com/search?hl=en&lr=&c2coff=1&rls=GGLD%2CGGLD%3A2005-37%2CGGLD%3Aen&q=session+hijack

Interesting reads, thank you. I didn't understand how a malicious user
could 'read' the session variables even if they spoofed the session ID,
unless I am presenting them back, which I am not (i.e. from the
'checkout' page I set the server variables, and then do a
response.redirect to a 'confirmation' page which pretty much only says
'you sure you want to place the order for $x?'). Now, if in this
confirmation page I showed the credit card info, then yes I see how it
could be unsafe, but without showing it... I didn't see how someone
could get server variables with a spoofed session ID.


wolfi***@gmail.com wrote:
> Bob Barrows [MVP] wrote:
>> wolfi***@gmail.com wrote:
>>> I'm working on a shopping cart page. In page A (checkout) the user
>>> enters their credit card information. On postback, if everything is
>>> correct, it sends the user to page B (confirmation). My question is,
>>> can I (or should I) use server variables to send CC information to
>>> page B? My boss doesn't want me to store this information in the
>>> SQL database we're using. Obviously cookies are out of the
>>> question and so is passing info through request.querystring, so I
>>> was thinking of using session variables for this, but not sure if
>>> it's safe.
>>> What should I do?
>>
>> More:
>> http://support.microsoft.com/kb/274149/
>> http://searchsecurity.techtarget.com/generic/0,295582,sid14_gci1171079,00.html
>> http://www.microsoft.com/technet/technetmag/issues/2005/01/SessionHijacking/default.aspx
>> http://www.google.com/search?hl=en&lr=&c2coff=1&rls=GGLD%2CGGLD%3A2005-37%2CGGLD%3Aen&q=session+hijack
>
> Interesting reads, thank you. I didn't understand how a malicious user
> could 'read' the session variables even if they spoofed the session
> ID, unless I am presenting them back, which I am not (i.e. from the
> 'checkout' page I set the server variables, and then do a
> response.redirect to a 'confirmation' page which pretty much only
> says 'you sure you want to place the order for $x?'). Now, if in
> this confirmation page I showed the credit card info, then yes I see
> how it could be unsafe, but without showing it... I didn't see how
> someone could get server variables with a spoofed session ID.

As you say, as long as you are not sending it back to the client, then
you are secure. That's the motivation of sites like Paypal, which only
display the last 4 digits when asking the user to confirm/select the
credit card that should be used for a transaction.

If a hacker gains access to your server and plants a file that dumps
all the session variable values, then he can spoof a session and call
that file. Of course, if that happens you'll have a lot more problems
as well ....

-- 
Microsoft MVP -- ASP/ASP.NET
Please reply to the newsgroup. The email account listed in my From
header is my spam trap, so I don't check it very often. You will get a
quicker response by posting to the newsgroup.
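The pattern the last two posts settle on, as an added example that is not part of the original thread: a server-side session store (the role the Session object plays in classic ASP), a checkout postback that keeps the card number only in that store, a confirmation page that sends nothing but the last four digits to the browser, and an order step that hands the number to the gateway once and then clears it. It is written in Python so it runs stand-alone; the SessionStore class, the page functions, the .asp paths and the sample card number are constructed for illustration and do not come from any of the posts.

```python
"""Carry a card number from checkout to confirmation without ever sending
it back to the client. Added illustration, not code from the thread."""

import re
import secrets
from typing import Callable, Dict, Optional


class SessionStore:
    """In-memory server-side session store keyed by an opaque random ID.

    The ID is the only thing the browser holds; the values never leave
    the server unless a page chooses to render them."""

    def __init__(self) -> None:
        self._sessions: Dict[str, dict] = {}

    def create(self) -> str:
        sid = secrets.token_urlsafe(16)  # 128 bits of randomness
        self._sessions[sid] = {}
        return sid

    def get(self, sid: str, key: str) -> Optional[object]:
        return self._sessions.get(sid, {}).get(key)

    def set(self, sid: str, key: str, value: object) -> None:
        self._sessions[sid][key] = value

    def pop(self, sid: str, key: str) -> Optional[object]:
        return self._sessions.get(sid, {}).pop(key, None)


def _digits(pan: str) -> str:
    return re.sub(r"\D", "", pan)


def mask_pan(pan: str) -> str:
    """Display form that reveals only the last four digits (the PayPal style)."""
    d = _digits(pan)
    if not 13 <= len(d) <= 19:
        raise ValueError("card number must be 13 to 19 digits")
    return "**** **** **** " + d[-4:]


def checkout_postback(store: SessionStore, sid: str, pan: str, amount: str) -> str:
    """Page A postback: keep the card number server-side, return the redirect target.

    Only a length check is done here; a real cart would also run a Luhn check."""
    d = _digits(pan)
    if not 13 <= len(d) <= 19:
        return "/checkout.asp?error=card"   # hypothetical path
    store.set(sid, "pan", d)
    store.set(sid, "amount", amount)
    return "/confirmation.asp"              # hypothetical path


def confirmation_page(store: SessionStore, sid: str) -> str:
    """Page B: render the 'are you sure?' page. Only the masked number is output,
    so anyone who has hijacked the session ID sees exactly this and no more."""
    pan = store.get(sid, "pan")
    amount = store.get(sid, "amount")
    if pan is None:
        return "<p>Your session has expired. Please start checkout again.</p>"
    return (
        f"<p>Place the order for ${amount} using card {mask_pan(pan)}?</p>"
        "<form method='post' action='/placeorder.asp'>"
        "<input type='submit' value='Confirm'></form>"
    )


def place_order(store: SessionStore, sid: str,
                charge: Callable[[str, str], bool]) -> bool:
    """Hand the number to the payment gateway once, then drop it from the session
    so it is not left lying around for a server-side dump to pick up."""
    pan = store.pop(sid, "pan")
    amount = store.pop(sid, "amount")
    if pan is None:
        return False
    return charge(pan, amount)


if __name__ == "__main__":
    s = SessionStore()
    sid = s.create()
    print(checkout_postback(s, sid, "4111 1111 1111 1111", "42.00"))  # constructed test card
    print(confirmation_page(s, sid))
    print(place_order(s, sid, lambda pan, amt: True))
    print(confirmation_page(s, sid))
```

Whoever presents a stolen session ID gets exactly what confirmation_page returns, and the full number is not in it; that is the property the thread turns on. The example does nothing about Bob's last point (code running on the server can read the store directly), which is why place_order pops the number instead of leaving it in the session after the charge.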