are server variables secure?

W

wolfing1

I'm working on a shopping cart page. In page A (checkout) the user
enters their credit card information. On postback, if everything is
correct, it sends the user to page B (confirmation). My question is,
can I (or should I) use server variables to send CC information to page
B? My boss doesn't want me to store this information in the SQL
database we're using. Obviously cookies are out of the question and so
is passing info through request.querystring, so I was thinking on using
session variables for this, but not sure if it's safe.
What should I do?
 
W

wolfing1

I'm working on a shopping cart page. In page A (checkout) the user
enters their credit card information. On postback, if everything is
correct, it sends the user to page B (confirmation). My question is,
can I (or should I) use server variables to send CC information to page
B? My boss doesn't want me to store this information in the SQL
database we're using. Obviously cookies are out of the question and so
is passing info through request.querystring, so I was thinking on using
session variables for this, but not sure if it's safe.
What should I do?
Click to expand...
Anything at all?
 
B

Bob Barrows [MVP]

I'm working on a shopping cart page. In page A (checkout) the user
enters their credit card information. On postback, if everything is
correct, it sends the user to page B (confirmation). My question is,
can I (or should I) use server variables to send CC information to
page B? My boss doesn't want me to store this information in the SQL
database we're using.
Legalities?

Obviously cookies are out of the question and
so is passing info through request.querystring, so I was thinking on
using session variables for this, but not sure if it's safe.
What should I do?
Click to expand...
Really can't add to this:
http://www.velocityreviews.com/forums/t90777-how-secure-are-session-variables.html

More via this search:
http://www.google.com/search?hl=en&...,GGLD:en&q=Are+session+variables+secure?+-php
 
B

Bob Barrows [MVP]

I'm working on a shopping cart page. In page A (checkout) the user
enters their credit card information. On postback, if everything is
correct, it sends the user to page B (confirmation). My question is,
can I (or should I) use server variables to send CC information to
page B? My boss doesn't want me to store this information in the SQL
database we're using. Obviously cookies are out of the question and
so is passing info through request.querystring, so I was thinking on
using session variables for this, but not sure if it's safe.
What should I do?
Click to expand...
More:
http://support.microsoft.com/kb/274149/
http://searchsecurity.techtarget.com/generic/0,295582,sid14_gci1171079,00.html
http://www.microsoft.com/technet/technetmag/issues/2005/01/SessionHijacking/default.aspx
http://www.google.com/search?hl=en&lr=&c2coff=1&rls=GGLD,GGLD:2005-37,GGLD:en&q=session+hijack
 
W

wolfing1

Bob said:
More:
http://support.microsoft.com/kb/274149/
http://searchsecurity.techtarget.com/generic/0,295582,sid14_gci1171079,00.html
http://www.microsoft.com/technet/technetmag/issues/2005/01/SessionHijacking/default.aspx
http://www.google.com/search?hl=en&lr=&c2coff=1&rls=GGLD,GGLD:2005-37,GGLD:en&q=session+hijack
Click to expand...
Interesting reads thank you. I didn't understand how a malicious user
could 'read' the session variables even if they spoofed the session ID,
unless I am presenting them back which I am not (i.e. from 'checkout'
page I set the server variables, and then do a response.redirect to a
'confirmation' page which pretty much only says 'you sure you want to
place the order for $x ?). Now, if in this confirmation page I showed
the credit card info, then yes I see how it could be unsafe, but
without showing it... I didn't see how someone could get server
variables with a spoofed session ID.
 
B

Bob Barrows [MVP]

Interesting reads thank you. I didn't understand how a malicious user
could 'read' the session variables even if they spoofed the session
ID, unless I am presenting them back which I am not (i.e. from
'checkout' page I set the server variables, and then do a
response.redirect to a 'confirmation' page which pretty much only
says 'you sure you want to place the order for $x ?). Now, if in
this confirmation page I showed the credit card info, then yes I see
how it could be unsafe, but without showing it... I didn't see how
someone could get server variables with a spoofed session ID.
Click to expand...

As you say, as long as you are not sending it back to the client, then
you are secure.
That's the motivation of the sites like Paypal, which only display the
last 4 digits when asking the user to confirm/select the credit card
that should be used for a transaction.

If a hacker gains access to your server and plants a file that dumps all
the session variable values, then he can spoof a session and call that
file.
Of course, if that happens you'll have a lot more problems as well ....
 

Ask a Question

Want to reply to this thread or ask your own question?

You'll need to choose a username for the site, which only take a couple of moments. After that, you can post your question and our members will help you out.

Ask a Question

Similar Threads

Does a e-commence website generally know who the credit card merchant processor is ??? 1
Does a e-commence website generally know who the credit card merchant processor is 0
Only one table shows up with the information 2
How secure are session variables? 6
Secure Page/Reg/Login Process Flow 0
ASP Session, Cookies and SSL 1
ASP Session 4
Post xml data from one page and server to another 1

Members online

No members online now.
Total: 341 (members: 1, guests: 340)
Robots: 136

Forum statistics

Threads
473,968
Messages
2,570,149
Members
46,695
Latest member
StanleyDri

Latest Threads

Top