Passing fields from one page to another


Patrick

I have two ASP pages

payment.asp:
For customers to fill in payment/card details (pre-populating details if
details submitted were invalid and the user had to re-fill in details)

confirmorder.asp:
Display the credit card details in hidden fields and also the order details
from the database

My question is
1) If payment.asp submits to confirmorder.asp, then
1.1) I could get confirmorder.asp to display card details in hidden fields
BUT
1.2) if card details are invalid, how could I return the user to payment.asp
with card details pre-populated??
1.2.1) If I Response.Redirect, nothing would be pre-populating (unless I put
the details in the query string, which is not what I wanted for security reasons)

2) If payment.asp submits to payment.asp, then
2.1) I could get the page to pre-populate details on payment.asp if card details
are invalid BUT
2.2) How could I direct the user from confirmorder.asp back to payment.asp with
details pre-populated?
2.2.1) If I Response.Redirect, hidden fields cannot be populated by reading
in Request.Form!
 

Patrick

I would try to avoid using Session, but if I were to use Session, would
Session data be held in the server's memory/RAM?
 

caulker

for confidential information (credit cards)...
don't use hidden fields.
don't use querystring.
use session or a db; it stays on the server and does not get passed to the
client.

also, when you redirect back to the first page, you can simply repopulate all
the necessary data fields.
 

Patrick

Is stuff stored in a Session *completely* uncompromisable/unhackable (even
for someone with [admin] access to the server)? (An IIS 5.0 server on Win2K
Pro SP4)?
 

Bob Barrows [MVP]

In that scenario, nothing is completely secure.
 

Patrick

But is it true that
1) Session data is held in the server's memory/RAM (as opposed to
hard disk)?
2) Each HTTP client would have its own session data (so a client cannot
access the session data of another HTTP client)?
3) Each Internet Explorer window would share the same session (unless the
client starts a new instance of IE for each window), so session data would
get corrupted?
4) If I do a Session.Contents.RemoveAll(), I am only removing session data
for that particular HTTP client (and not all clients)?

(Short of using some low-level tools to access the server's memory, is data
held in the Session easily hackable, or at least as easily as selecting
records from a SQL Server database?)

 

Bob Barrows [MVP]

Patrick said:
But is it true that
1) Session data is held in the server's memory/RAM (as opposed to
hard disk)?

Yes, unless RAM runs out and the system has to start paging to disk.

2) Each HTTP client would have its own session data (so a client cannot
access the session data of another HTTP client)?

Yes. But there are spoofing exploits that you should research and be
prepared for.

3) Each Internet Explorer window would share the same session (unless
the client starts a new instance of IE for each window), so session
data would get corrupted?

Unless the window is opened by code in the page, each window opened by a
user will have its own session.

4) If I do a Session.Contents.RemoveAll(), I am only removing session
data for that particular HTTP client (and not all clients)?

Yes.

(Short of using some low-level tools to access the server's memory,
is data held in the Session easily hackable, or at least as
easily as selecting records from a SQL Server database?)

No. Low-level tools are required. Transmission of confidential data should
of course be done via SSL.

http://msdn.microsoft.com/library/en-us/iissdk/iis/aspsecuritychecklist.asp

http://msdn.microsoft.com/library/en-us/iissdk/iis/managingsessions.asp

http://www.aspfaq.com/show.asp?id=2053

Bob Barrows

--
Microsoft MVP - ASP/ASP.NET
Please reply to the newsgroup. This email account is my spam trap so
I don't check it very often. If you must reply off-line, then remove
the "NO SPAM"
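The approach caulker and Bob describe (keep the card details in Session, Response.Redirect with nothing sensitive in the URL, repopulate the form from Session, and drop the data with Session.Contents.RemoveAll() when done), written out as an added classic ASP example of payment.asp. This is not code from the thread; the form field name, the Luhn check and the hand-off to confirmorder.asp are assumptions.

```vbscript
<%@ Language=VBScript %>
<% Option Explicit
' payment.asp (constructed example): card details go into Session, never into
' hidden fields or the query string, and the page repopulates from Session.
' Assumed: one form field "cardnumber" posting back to this page, and a
' confirmorder.asp that reads Session("CardNumber") and, once the order is
' placed, calls Session.Contents.RemoveAll() to drop the details from memory.

' Luhn check so obviously mistyped numbers are rejected before being stored.
Function IsValidCardNumber(num)
    Dim i, d, total, dbl
    total = 0 : dbl = False
    IsValidCardNumber = False
    If Len(num) < 13 Or Len(num) > 19 Then Exit Function
    For i = Len(num) To 1 Step -1
        d = Asc(Mid(num, i, 1)) - 48
        If d < 0 Or d > 9 Then Exit Function   ' non-digit: reject
        If dbl Then
            d = d * 2
            If d > 9 Then d = d - 9
        End If
        total = total + d
        dbl = Not dbl
    Next
    IsValidCardNumber = (total Mod 10 = 0)
End Function

Dim cardNumber, errorMsg
cardNumber = "" : errorMsg = ""
If Request.ServerVariables("REQUEST_METHOD") = "POST" Then
    cardNumber = Replace(Trim(Request.Form("cardnumber")), " ", "")
    If IsValidCardNumber(cardNumber) Then
        Session("CardNumber") = cardNumber   ' stays server-side, keyed by the session cookie
        Response.Redirect "confirmorder.asp" ' the redirect carries nothing sensitive
    Else
        errorMsg = "The card number entered is not valid; please correct it."
    End If
End If
' Coming back from confirmorder.asp (or a plain GET): repopulate from Session.
If cardNumber = "" Then cardNumber = Session("CardNumber") & ""
%>
<form method="post" action="payment.asp">
  <% If errorMsg <> "" Then Response.Write "<p>" & Server.HTMLEncode(errorMsg) & "</p>" %>
  Card number:
  <input type="text" name="cardnumber"
         value="<%= Server.HTMLEncode(cardNumber) %>">
  <input type="submit" value="Continue">
</form>
```

The value still travels to the browser once, in the pre-populated input, so Bob's caveat applies: serve both pages over SSL and clear the session as soon as the order is placed.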
 

Patrick

Why shouldn't secure data be stored in hidden fields on web pages when users
move from one page to another?

 

Bob Barrows [MVP]

Silly. Create a page with a hidden field. Set the field's value to some text
and load the page in your browser. Click View|Source

Bob Barrows
 

Patrick

So, a customer could "hack" their own credit card number, is that an issue?

Also in payment.asp, if invalid card details are entered, the user would be
taken back to the same page with card details pre-populated (for
corrections) anyway.

Also, the card number, Security number could be RC4 encrypted in the hidden
fields
 

Bob Barrows [MVP]

No, a customer hacking his own number is not an issue. However, unless SSL
is used, this data is sent to the browser in clear text, making it
vulnerable to network sniffers. Also, pages are cached on the client,
allowing somebody with physical access to the machine to read the source
from the cache.

As for encryption, this could be an option, at the cost of adding extra
complexity.

You've reached the limit of my experience with security issues. Unless
someone else jumps in here, you may want to direct further questions to one
of the security newsgroups.

Bob Barrows
 

Stephanie Stowe

Patrick said:
Why shouldn't secure data be stored in hidden fields on web pages when users
move from one page to another?

Because hidden fields are revealed by a simple View Source in the browser.
 

Stephanie Stowe

Pages are sometimes cached locally. People sometimes walk away from public
computers without logging off the site (doh).

Help protect your customers and they will love (or at least not hate) you
for it.
 