are server variables secure?

W

wolfing1

I'm working on a shopping cart page. In page A (checkout) the user
enters their credit card information. On postback, if everything is
correct, it sends the user to page B (confirmation). My question is,
can I (or should I) use server variables to send CC information to page
B? My boss doesn't want me to store this information in the SQL
database we're using. Obviously cookies are out of the question and so
is passing info through request.querystring, so I was thinking on using
session variables for this, but not sure if it's safe.
What should I do?
 
W

wolfing1

I'm working on a shopping cart page. In page A (checkout) the user
enters their credit card information. On postback, if everything is
correct, it sends the user to page B (confirmation). My question is,
can I (or should I) use server variables to send CC information to page
B? My boss doesn't want me to store this information in the SQL
database we're using. Obviously cookies are out of the question and so
is passing info through request.querystring, so I was thinking on using
session variables for this, but not sure if it's safe.
What should I do?
Anything at all?
 
B

Bob Barrows [MVP]

I'm working on a shopping cart page. In page A (checkout) the user
enters their credit card information. On postback, if everything is
correct, it sends the user to page B (confirmation). My question is,
can I (or should I) use server variables to send CC information to
page B? My boss doesn't want me to store this information in the SQL
database we're using.
Legalities?

Obviously cookies are out of the question and
so is passing info through request.querystring, so I was thinking on
using session variables for this, but not sure if it's safe.
What should I do?
Really can't add to this:
http://www.velocityreviews.com/forums/t90777-how-secure-are-session-variables.html

More via this search:
http://www.google.com/search?hl=en&...,GGLD:en&q=Are+session+variables+secure?+-php
 
B

Bob Barrows [MVP]

I'm working on a shopping cart page. In page A (checkout) the user
enters their credit card information. On postback, if everything is
correct, it sends the user to page B (confirmation). My question is,
can I (or should I) use server variables to send CC information to
page B? My boss doesn't want me to store this information in the SQL
database we're using. Obviously cookies are out of the question and
so is passing info through request.querystring, so I was thinking on
using session variables for this, but not sure if it's safe.
What should I do?
More:
http://support.microsoft.com/kb/274149/
http://searchsecurity.techtarget.com/generic/0,295582,sid14_gci1171079,00.html
http://www.microsoft.com/technet/technetmag/issues/2005/01/SessionHijacking/default.aspx
http://www.google.com/search?hl=en&lr=&c2coff=1&rls=GGLD,GGLD:2005-37,GGLD:en&q=session+hijack
 
W

wolfing1

Bob said:
Interesting reads thank you. I didn't understand how a malicious user
could 'read' the session variables even if they spoofed the session ID,
unless I am presenting them back which I am not (i.e. from 'checkout'
page I set the server variables, and then do a response.redirect to a
'confirmation' page which pretty much only says 'you sure you want to
place the order for $x ?). Now, if in this confirmation page I showed
the credit card info, then yes I see how it could be unsafe, but
without showing it... I didn't see how someone could get server
variables with a spoofed session ID.
 
B

Bob Barrows [MVP]

Interesting reads thank you. I didn't understand how a malicious user
could 'read' the session variables even if they spoofed the session
ID, unless I am presenting them back which I am not (i.e. from
'checkout' page I set the server variables, and then do a
response.redirect to a 'confirmation' page which pretty much only
says 'you sure you want to place the order for $x ?). Now, if in
this confirmation page I showed the credit card info, then yes I see
how it could be unsafe, but without showing it... I didn't see how
someone could get server variables with a spoofed session ID.

As you say, as long as you are not sending it back to the client, then
you are secure.
That's the motivation of the sites like Paypal, which only display the
last 4 digits when asking the user to confirm/select the credit card
that should be used for a transaction.

If a hacker gains access to your server and plants a file that dumps all
the session variable values, then he can spoof a session and call that
file.
Of course, if that happens you'll have a lot more problems as well ....
 

Ask a Question

Want to reply to this thread or ask your own question?

You'll need to choose a username for the site, which only take a couple of moments. After that, you can post your question and our members will help you out.

Ask a Question

Members online

No members online now.

Forum statistics

Threads
473,743
Messages
2,569,478
Members
44,899
Latest member
RodneyMcAu

Latest Threads

Top