are server variables secure?

Discussion in 'ASP General' started by wolfing1@gmail.com, Jul 18, 2006.

  1. Guest

    I'm working on a shopping cart page. In page A (checkout) the user
    enters their credit card information. On postback, if everything is
    correct, it sends the user to page B (confirmation). My question is,
    can I (or should I) use server variables to send CC information to page
    B? My boss doesn't want me to store this information in the SQL
    database we're using. Obviously cookies are out of the question and so
    is passing info through request.querystring, so I was thinking on using
    session variables for this, but not sure if it's safe.
    What should I do?
    , Jul 18, 2006
    #1

  2. Guest

    wrote:
    > I'm working on a shopping cart page. In page A (checkout) the user
    > enters their credit card information. On postback, if everything is
    > correct, it sends the user to page B (confirmation). My question is,
    > can I (or should I) use server variables to send CC information to page
    > B? My boss doesn't want me to store this information in the SQL
    > database we're using. Obviously cookies are out of the question and so
    > is passing info through request.querystring, so I was thinking on using
    > session variables for this, but not sure if it's safe.
    > What should I do?

    Anything at all?
    , Jul 19, 2006
    #2

  3. wrote:
    > I'm working on a shopping cart page. In page A (checkout) the user
    > enters their credit card information. On postback, if everything is
    > correct, it sends the user to page B (confirmation). My question is,
    > can I (or should I) use server variables to send CC information to
    > page B? My boss doesn't want me to store this information in the SQL
    > database we're using.


    Legalities?

    > Obviously cookies are out of the question and
    > so is passing info through request.querystring, so I was thinking on
    > using session variables for this, but not sure if it's safe.
    > What should I do?

    Really can't add to this:
    http://www.velocityreviews.com/forums/t90777-how-secure-are-session-variables.html

    More via this search:
    http://www.google.com/search?hl=en&...,GGLD:en&q=Are session variables secure? -php

    --
    Microsoft MVP -- ASP/ASP.NET
    Please reply to the newsgroup. The email account listed in my From
    header is my spam trap, so I don't check it very often. You will get a
    quicker response by posting to the newsgroup.
    Bob Barrows [MVP], Jul 19, 2006
    #3
  4. wrote:
    > I'm working on a shopping cart page. In page A (checkout) the user
    > enters their credit card information. On postback, if everything is
    > correct, it sends the user to page B (confirmation). My question is,
    > can I (or should I) use server variables to send CC information to
    > page B? My boss doesn't want me to store this information in the SQL
    > database we're using. Obviously cookies are out of the question and
    > so is passing info through request.querystring, so I was thinking on
    > using session variables for this, but not sure if it's safe.
    > What should I do?

    More:
    http://support.microsoft.com/kb/274149/
    http://searchsecurity.techtarget.com/generic/0,295582,sid14_gci1171079,00.html
    http://www.microsoft.com/technet/technetmag/issues/2005/01/SessionHijacking/default.aspx
    http://www.google.com/search?hl=en&lr=&c2coff=1&rls=GGLD,GGLD:2005-37,GGLD:en&q=session hijack

    Bob Barrows [MVP], Jul 19, 2006
    #4
  5. Guest

    Bob Barrows [MVP] wrote:
    > wrote:
    > > I'm working on a shopping cart page. In page A (checkout) the user
    > > enters their credit card information. On postback, if everything is
    > > correct, it sends the user to page B (confirmation). My question is,
    > > can I (or should I) use server variables to send CC information to
    > > page B? My boss doesn't want me to store this information in the SQL
    > > database we're using. Obviously cookies are out of the question and
    > > so is passing info through request.querystring, so I was thinking on
    > > using session variables for this, but not sure if it's safe.
    > > What should I do?

    > More:
    > http://support.microsoft.com/kb/274149/
    > http://searchsecurity.techtarget.com/generic/0,295582,sid14_gci1171079,00.html
    > http://www.microsoft.com/technet/technetmag/issues/2005/01/SessionHijacking/default.aspx
    > http://www.google.com/search?hl=en&lr=&c2coff=1&rls=GGLD,GGLD:2005-37,GGLD:en&q=session hijack
    >

    Interesting reads, thank you. I didn't understand how a malicious user
    could 'read' the session variables even if they spoofed the session ID,
    unless I am presenting them back, which I am not (i.e. from the 'checkout'
    page I set the server variables, and then do a response.redirect to a
    'confirmation' page which pretty much only says 'you sure you want to
    place the order for $x?'). Now, if in this confirmation page I showed
    the credit card info, then yes I see how it could be unsafe, but
    without showing it... I didn't see how someone could get server
    variables with a spoofed session ID.
    , Jul 19, 2006
    #5
  6. wrote:
    > Bob Barrows [MVP] wrote:
    >> wrote:
    >>> I'm working on a shopping cart page. In page A (checkout) the user
    >>> enters their credit card information. On postback, if everything is
    >>> correct, it sends the user to page B (confirmation). My question is,
    >>> can I (or should I) use server variables to send CC information to
    >>> page B? My boss doesn't want me to store this information in the
    >>> SQL database we're using. Obviously cookies are out of the
    >>> question and so is passing info through request.querystring, so I
    >>> was thinking on using session variables for this, but not sure if
    >>> it's safe.
    >>> What should I do?

    >> More:
    >> http://support.microsoft.com/kb/274149/
    >> http://searchsecurity.techtarget.com/generic/0,295582,sid14_gci1171079,00.html
    >> http://www.microsoft.com/technet/technetmag/issues/2005/01/SessionHijacking/default.aspx
    >> http://www.google.com/search?hl=en&lr=&c2coff=1&rls=GGLD,GGLD:2005-37,GGLD:en&q=session hijack

    > Interesting reads, thank you. I didn't understand how a malicious user
    > could 'read' the session variables even if they spoofed the session
    > ID, unless I am presenting them back, which I am not (i.e. from the
    > 'checkout' page I set the server variables, and then do a
    > response.redirect to a 'confirmation' page which pretty much only
    > says 'you sure you want to place the order for $x?'). Now, if in
    > this confirmation page I showed the credit card info, then yes I see
    > how it could be unsafe, but without showing it... I didn't see how
    > someone could get server variables with a spoofed session ID.


    As you say, as long as you are not sending it back to the client, then
    you are secure.
    That's the motivation of the sites like Paypal, which only display the
    last 4 digits when asking the user to confirm/select the credit card
    that should be used for a transaction.

    If a hacker gains access to your server and plants a file that dumps all
    the session variable values, then he can spoof a session and call that
    file.
    Of course, if that happens you'll have a lot more problems as well ....

    Bob Barrows [MVP], Jul 19, 2006
    #6
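The pattern Bob describes in #6 (card data held only on the server side of the session, the confirmation page rendering nothing but the last four digits, and no page that ever dumps the session back to the client) is shown below as an added example. It is not code from the thread or from any of the linked articles; it is written in Python, with an in-memory dictionary standing in for the classic ASP `Session` object, because that keeps it runnable here. The page names (`/checkout.asp`, `/confirm.asp`), the `charge` callback that stands in for the payment processor, and the test card number are constructed for the example.

```python
"""Added example: checkout -> confirmation -> place-order flow that keeps the
card number server-side, never echoes it, and drops it once it has been used.
A dict keyed by an unguessable session id stands in for the ASP Session object."""
import re
import secrets

# Constructed in-memory session store (assumption: one process, one store).
SESSIONS: dict = {}


def new_session() -> str:
    """Issue a server-generated, unguessable session id (the cookie value)."""
    sid = secrets.token_urlsafe(32)
    SESSIONS[sid] = {}
    return sid


def luhn_ok(pan: str) -> bool:
    """Luhn checksum over a digits-only PAN (catches typos, not fraud)."""
    digits = [int(c) for c in pan]
    parity = len(digits) % 2
    total = 0
    for i, d in enumerate(digits):
        if i % 2 == parity:          # every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Render only the last four digits, as the confirmation page should."""
    return "*" * (len(pan) - 4) + pan[-4:]


def checkout_postback(sid: str, pan: str, amount: float) -> dict:
    """Page A (hypothetical /checkout.asp) on postback: validate, then stash the
    PAN server-side and redirect. Nothing card-related goes into the response."""
    pan = re.sub(r"\D", "", pan)
    if not 13 <= len(pan) <= 19 or not luhn_ok(pan):
        return {"status": 400, "error": "invalid card number"}
    SESSIONS[sid]["pending_order"] = {"pan": pan, "amount": amount}
    return {"status": 302, "location": "/confirm.asp"}


def confirmation_page(sid: str) -> dict:
    """Page B (hypothetical /confirm.asp): read the session, show amount and
    masked PAN only. A spoofed session id reaches this page and still learns
    nothing but the last four digits."""
    order = SESSIONS.get(sid, {}).get("pending_order")
    if order is None:
        return {"status": 302, "location": "/checkout.asp"}
    body = f"Place order for ${order['amount']:.2f} on card {mask_pan(order['pan'])}?"
    if order["pan"] in body:  # defensive check: the full PAN must never be rendered
        raise RuntimeError("full PAN leaked into response body")
    return {"status": 200, "body": body}


def place_order(sid: str, charge) -> dict:
    """Consume the pending order: hand the PAN to the processor once (charge is a
    placeholder callback), then remove it from the session so it stops living
    in server memory the moment it is no longer needed."""
    order = SESSIONS.get(sid, {}).pop("pending_order", None)
    if order is None:
        return {"status": 409, "error": "nothing to confirm"}
    auth = charge(order["pan"], order["amount"])
    return {"status": 200, "body": f"Charged ${order['amount']:.2f}", "auth": auth}


if __name__ == "__main__":
    sid = new_session()
    print(checkout_postback(sid, "4111 1111 1111 1111", 42.50))  # constructed test PAN
    print(confirmation_page(sid))
    print(place_order(sid, lambda pan, amt: "AUTH-OK"))
    print(place_order(sid, lambda pan, amt: "AUTH-OK"))  # second call: nothing left
```

Two design points carry the thread's argument: the only place the PAN leaves the process is the `charge` call, so a stolen session id buys the attacker the masked confirmation page and nothing more; and `place_order` pops the entry, so the window in which the number sits in session memory ends with the transaction rather than with the session timeout. Bob's remaining caveat, an attacker who can already write files to the server, is outside what any session design can address.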