
response.redirect with hidden sensitive info

Status
Not open for further replies.

RussellDonders

Programmer
Jun 10, 2001
Hi,

OK, I need to integrate our system with a third party CGI script. I have collected all the info I need on our side and put it into a DB etc and have all the variables to send. Everything is working fine EXCEPT the user can see our reseller ID and password in the QueryString being sent with the URL. I am currently using response.redirect to send everything across. Does anyone know how I can stop the sensitive info from being displayed in the URL?

I have a 2nd question that's a bit more difficult. The third party script, after processing our requests, sends a confirmation (or error) message to the browser (i.e. a standard HTML page displays in the browser). I need to be able to collect this info in my script and process this at my end - rather than having the user see this in the browser on the 3rd party server, my script would ultimately receive and parse the text and perform specified actions. Is there any way that when I am calling the script that I can specify that I want the data returned to my script rather than to the browser? I understand that this would be a LOT easier if I had control over the third party script - but I don't. Any ideas around this would be appreciated.

Thank You very much.

Russell

 
Hi,

With that 1st problem of yours I think no, because the querystring can always be seen in the address bar. Why not use session variables? That's the only way it can't be seen in the browser.

In your 2nd problem, try to evaluate what's the filename of the page that confirms so that you can manipulate it... If the third party script includes pages, examine those; one of them is the page that the server calls to confirm. Be clever enough: the third party script seems to use unknown pages based on the browser URL's filename, but actually they're not.

Hope this would help.
 
Hi,
Assumption: You have absolutely no control over the 3rd Party CGI Script.

>>> Everything is working fine EXCEPT the user can see our reseller ID and password in the QueryString being sent with the URL. I am currently using response.redirect to send everything across. Does anyone know how I can stop the sensitive info from being displayed in the URL?
*** I assume that the 3rd Party script is smart enough to figure that if they need the ID/Password combination, they will accept a FORM POST instead of a FORM GET method. In this case, the page you use to "pump" the data over, create a page with all the fields hidden and issue an immediate form.submit() (client-side script). This should hide it from most users.


>>> I have a 2nd question that's a bit more difficult. ... snipped...
*** The answer is no. Once you pass control of the session over to a separate domain/script, your source program will lose control and end its state. Thus, when the 3rd Party script calls another prog, you will not be aware of this. Some may suggest that you open a separate hidden window for this purpose and use the DOM to read the data, but bear in mind that unless the 3rd Party script is running on the same domain, the DOM's (Document Object Model) security model forbids access to the BODY content from a script of another site (to prevent content stealing).

regards,
- Joseph
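An added example, not part of the original thread: it compares what the user's browser receives under the redirect from the question, the auto-submitted hidden form from the reply above, and a request made by the server itself, which also lets the server parse the third party's confirmation page. It is written in Python rather than ASP so it runs locally; `FakeThirdParty`, the field names, the URL path and the credentials are constructed assumptions.

```python
import html, threading, urllib.parse, urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer
# Constructed placeholder credentials, not values from the thread.
SECRET = {"reseller_id": "RESELLER-EXAMPLE", "password": "not-a-real-password"}

class FakeThirdParty(BaseHTTPRequestHandler):
    """Local stand-in for the third-party CGI script (assumed behaviour)."""
    def do_POST(self):
        form = urllib.parse.parse_qs(self.rfile.read(int(self.headers["Content-Length"])).decode())
        ok = form.get("password") == [SECRET["password"]]
        page = b"<html><body>STATUS: " + (b"OK" if ok else b"ERROR") + b"</body></html>"
        self.send_response(200)
        self.send_header("Content-Length", str(len(page)))
        self.end_headers()
        self.wfile.write(page)
    def log_message(self, *args):  # silence per-request logging
        pass

def redirect_response(url, order):
    """Response.Redirect: the browser receives this Location, secrets included."""
    return url + "?" + urllib.parse.urlencode({**order, **SECRET})

def hidden_form_response(url, order):
    """Auto-submitted hidden form: secrets leave the URL but sit in the page source."""
    fields = "".join(f'<input type="hidden" name="{html.escape(k)}" value="{html.escape(v)}">'
                     for k, v in {**order, **SECRET}.items())
    return f'<form method="post" action="{html.escape(url)}">{fields}</form>'

def server_side_call(url, order):
    """Our server POSTs to the third party itself and parses the reply."""
    data = urllib.parse.urlencode({**order, **SECRET}).encode()
    opener = urllib.request.build_opener(urllib.request.ProxyHandler({}))  # no proxy for the local demo
    with opener.open(url, data=data, timeout=5) as resp:
        status = "OK" if "STATUS: OK" in resp.read().decode() else "ERROR"
    return {"status": status, "page_for_user": f"<p>Order result: {status}</p>"}  # all the browser gets

def run_demo():
    srv = HTTPServer(("127.0.0.1", 0), FakeThirdParty)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    url = f"http://127.0.0.1:{srv.server_port}/cgi-bin/order.cgi"
    order = {"item": "domain", "qty": "1"}
    try:
        return redirect_response(url, order), hidden_form_response(url, order), server_side_call(url, order)
    finally:
        srv.shutdown()
        srv.server_close()

if __name__ == "__main__":
    print(*run_demo(), sep="\n")
```

In classic ASP the server-side request would typically be made with the MSXML2.ServerXMLHTTP component instead of Response.Redirect.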
 