Page 1 of 2 12 LastLast
Results 1 to 15 of 16
  1. #1
    Super Moderator WebGenii's Avatar
    Join Date
    Jan 2001
    Location
    Redcliff, Alberta, Canada
    Posts
    4,066
    Thanks
    2
    Thanked 5 Times in 5 Posts

    hidden values on a form

    Of course, hidden values on a form aren't so hidden if someone views source. And I have some values that I would like to hide.
    I tried directing the form to an asp page that appends my hidden values and then redirects the output to the ultimate destination.
    Unfortunately, it appears that server.execute just generates an error when pointing to an asp file on another site.

    Has anyone tried this before? Any suggestions?
    [b]Catharine Richardson (WebGenii)
    WebGenii Home Page
    Moderator: Spreadsheets, Other MS Apps, Presentation Apps, Visual Basic for Apps, Windows Mobile

  2. #2
    Silver Lounger
    Join Date
    Jan 2001
    Location
    Indianapolis, Indiana, USA
    Posts
    1,862
    Thanks
    0
    Thanked 0 Times in 0 Posts

    Re: hidden values on a form

    Hi Catherine,

    I use Session variables in ASP to handle hidden things like Username/Passwords and other sensitive fields. There is no (easy) way for any user to find these values.

    One way you could get the variables into Session from a form is to post to an ASP page, then transfer the form variables to session like so:

    Session("Username") = Request.Form("Username")
    Session("Password") = Request.Form("Password")

    Once you've added them to Session, you can access them from any other ASP page as long as the session is still active. Also, you can use Response.Redirect to open different pages (instead of Server.Execute) while still having access to the variables.

    You mentioned trying to use Server.Execute to transfer to another site? Are you trying to pass the variables along with it, or just redirect the user to it? If the former, the only way to do this would be with hidden form variables or querystring. If the later, use Response.Redirect.

    Hope this helps!
    FYI: Consult W3Schools for more ASP-related details...

  3. #3
    Super Moderator jscher2000's Avatar
    Join Date
    Feb 2001
    Location
    Silicon Valley, USA
    Posts
    23,112
    Thanks
    5
    Thanked 93 Times in 89 Posts

    Re: hidden values on a form

    I think Mark's approach is best, and easiest, but if you are only trying to foil lazy people, you can use an included JavaScript file to insert the values. How can you generate a JavaScript include file dynamically? ASP!

    Now, where is my <img src=/w3timages/censored.gif alt=censored border=0> post on this? It was from April 2002, when I posted a prank on our web site. (Long story.) Oh well, never mind. It's way too hard to reconstruct how it did it given the attractive alternative. <img src=/S/grin.gif border=0 alt=grin width=15 height=15>

  4. #4
    Super Moderator WebGenii's Avatar
    Join Date
    Jan 2001
    Location
    Redcliff, Alberta, Canada
    Posts
    4,066
    Thanks
    2
    Thanked 5 Times in 5 Posts

    Re: hidden values on a form

    You can see I've been taking my time thinking about your response <img src=/S/grin.gif border=0 alt=grin width=15 height=15>.
    You asked "You mentioned trying to use Server.Execute to transfer to another site? Are you trying to pass the variables along with it, or just redirect the user to it? If the former, the only way to do this would be with hidden form variables or querystring. If the later, use Response.Redirect"

    Yes, I'm trying to pass the variables along to the other site, keeping them hidden from the user. Hidden form variables are available to anyone who examines the original form's code. I am not familiar with querystring. Does this require the variables to be initialized as Session variables?

    Cheers
    [b]Catharine Richardson (WebGenii)
    WebGenii Home Page
    Moderator: Spreadsheets, Other MS Apps, Presentation Apps, Visual Basic for Apps, Windows Mobile

  5. #5
    Super Moderator jscher2000's Avatar
    Join Date
    Feb 2001
    Location
    Silicon Valley, USA
    Posts
    23,112
    Thanks
    5
    Thanked 93 Times in 89 Posts

    Re: hidden values on a form

    To risk answering a question I shouldn't pretend to understand, I believe QueryString is everything after the ? in the URL sent to an ASP page when a browser has submitted a form using the GET method. If you are using the POST method, the QueryString probably is irrelevant. (I assume it would be blank, but don't quote me on it. <img src=/S/grin.gif border=0 alt=grin width=15 height=15> )

  6. #6
    Super Moderator WebGenii's Avatar
    Join Date
    Jan 2001
    Location
    Redcliff, Alberta, Canada
    Posts
    4,066
    Thanks
    2
    Thanked 5 Times in 5 Posts

    Re: hidden values on a form

    Well I've been reading up since I posted that question and I've found:
    That Server.Execute and Server.Transfer will only accept local urls as variables. That is you can't use them to launch an ASP file on another server. (Darn!)
    That Request.QueryString is used to process forms with the "GET" method. However it handles everything in clear text and is visible in the address bar. Since I wanted to use this to keep information hidden, this doesn't seem satisfactory either.

    So I'm hoping Mark will chime in with some fabulous solution <img src=/S/grin.gif border=0 alt=grin width=15 height=15>!
    [b]Catharine Richardson (WebGenii)
    WebGenii Home Page
    Moderator: Spreadsheets, Other MS Apps, Presentation Apps, Visual Basic for Apps, Windows Mobile

  7. #7
    Silver Lounger
    Join Date
    Jan 2001
    Location
    Indianapolis, Indiana, USA
    Posts
    1,862
    Thanks
    0
    Thanked 0 Times in 0 Posts

    Re: hidden values on a form

    Hi Catherine,

    Sorry for the delayed response. Your most recent post gave me an idea... I think I'm getting a better idea of what you're trying to do, but let me lay it out to be sure I understand: Collect input on Site A, Post input to Site B securely. Is this correct? Do you have full control of both sites?

    I have two ideas and both center around a simple concept: Encryption.

    Idea 1: Use encrypted QueryString to pass the information (assuming it's fairly short). This would create something that looks like: YourPage.asp?item1=HTb6bD5UqdPz4kvve1HltA==&item2= 9exigHbNRvEZDLNfPNqs9SF93pexY8MhmozR2nJQISM=. That is a querystring passing two variables (item1 and item2), using MD5 encryption with a specific encryption key that's only known within my department. The likelyhood of anyone breaking that is pretty low.

    Idea 2: Use the encryption with hidden form variables. This is similar to the original idea you had, except it would involve encryption. Therefore the values would not be easily read by prying eyes.

    You can find a host of articles on using Encryption through Google. One in particular is from 4GuysFromRolla.com.

    The biggest variable here is whether YOU can control the functionality on both sites. If Site B is out of your control, you're pretty much stuck with whatever input method is required by that site.

    Give this a look and let me know if you have any questions. <img src=/S/thumbup.gif border=0 alt=thumbup width=15 height=15>

  8. #8
    Super Moderator WebGenii's Avatar
    Join Date
    Jan 2001
    Location
    Redcliff, Alberta, Canada
    Posts
    4,066
    Thanks
    2
    Thanked 5 Times in 5 Posts

    Re: hidden values on a form

    Site B is out of my control. When you mention the input method required by the site - are you referring to POST or GET? If so, I know it is POST.

    Cheers
    [b]Catharine Richardson (WebGenii)
    WebGenii Home Page
    Moderator: Spreadsheets, Other MS Apps, Presentation Apps, Visual Basic for Apps, Windows Mobile

  9. #9
    Silver Lounger
    Join Date
    Jan 2001
    Location
    Indianapolis, Indiana, USA
    Posts
    1,862
    Thanks
    0
    Thanked 0 Times in 0 Posts

    Re: hidden values on a form

    Ahh - This clears things up a bit. Since Site B is out of your control, that means they should have a specific format (i.e. item names) and method (you already mentioned POST) for the submission.

    You can generate a dynamic page with all necessary hidden form values populated via server-side logic. Set the body's onLoad event to fire a method that submits the page to the desired Site B. This would look something like this:<pre><html>
    <head>
    <script type="text/javascript">
    function submitMe()
    {
    document.myForm.submit();
    }
    </script>
    <body onload="submitMe()">
    <form id="myForm" name="myForm" method="POST" action="http://YourSite.com/YourPage.asp">
    <input type="hidden" name="item1" id="item1" value="<%=item1Value%>">
    <input type="hidden" name="item2" id="item2" value="<%=item2Value%>">
    <form>
    </body>
    </html></pre>

    This will automatically submit the page to Site B when it loads. The only way anyone can see the values is if they can press the STOP button on their browsers at the instant that the page loads.

    At this point (and with the current amount of information I have), this seems like one of the best solutions.

  10. #10
    Super Moderator WebGenii's Avatar
    Join Date
    Jan 2001
    Location
    Redcliff, Alberta, Canada
    Posts
    4,066
    Thanks
    2
    Thanked 5 Times in 5 Posts

    Re: hidden values on a form

    So this would avoid the use of the session variables etc we were discussing before? or would I use them to append the values the user has entered?

    I haven't quite grasped the sequence of events here...

    --------------
    Now I'm getting a new error message "HTTP POST transactions are not allowed for this HTTP Referrer." So I assume to Site B it appears that the form info is coming from my local computer, rather than Site A.
    [b]Catharine Richardson (WebGenii)
    WebGenii Home Page
    Moderator: Spreadsheets, Other MS Apps, Presentation Apps, Visual Basic for Apps, Windows Mobile

  11. #11
    Silver Lounger
    Join Date
    Jan 2001
    Location
    Indianapolis, Indiana, USA
    Posts
    1,862
    Thanks
    0
    Thanked 0 Times in 0 Posts

    Re: hidden values on a form

    You can use session variables all you want on *your* end (Site A), but you won't be able to actually pass them to the remote site (Site [img]/forums/images/smilies/cool.gif[/img].

    Here's a basic sequence, based on what I know from this point:

    Site A:
    - Collect user input with form (page1.asp/htm)
    - Process results of form (page2.asp)
    - Output results to "transferring page", as described in the post above (page3.asp)
    - Transferring page automatically submits results to Site B

    Site B:
    - Doesn't really matter, since it's out of your hands - as long as the input meets requirements <img src=/S/shrug.gif border=0 alt=shrug width=39 height=15>

    Can you provide any more details about what you're trying to accomplish? Or is it hush-hush?

  12. #12
    Super Moderator WebGenii's Avatar
    Join Date
    Jan 2001
    Location
    Redcliff, Alberta, Canada
    Posts
    4,066
    Thanks
    2
    Thanked 5 Times in 5 Posts

    Re: hidden values on a form

    I probably should tell you what I've got so far, instead of testing your psychic abilities!
    The user form action connects to an ASP page on Site A. I'll call it onlinereg.asp for simplicity.
    Inside onlinereg.asp is the following (much pared down):
    <pre><% Session("secureID")= "XXXX" %>

    <% Session("username")=request.Form("username")%>
    <% Session("address")=request.Form("address")%>

    <% response.Redirect("https://SiteB.com/file.asp") %>
    </pre>


    I'm getting to SiteB alright - but it seems that they can't see the secureID being offered. Now, normally the secureID would be a hidden field in a posted form. So does this mean that the session object doesn't offer the information in a way SiteB can see? They suggest in their documentation using ServerSide code to protect the secureID - but unfortunately provide no examples.

    I do appreciate your thoughts on this.
    [b]Catharine Richardson (WebGenii)
    WebGenii Home Page
    Moderator: Spreadsheets, Other MS Apps, Presentation Apps, Visual Basic for Apps, Windows Mobile

  13. #13
    Silver Lounger
    Join Date
    Jan 2001
    Location
    Indianapolis, Indiana, USA
    Posts
    1,862
    Thanks
    0
    Thanked 0 Times in 0 Posts

    Re: hidden values on a form

    Can you confirm that the second site is receiving the Username and Address values (from Session)?

    As far as I know, you can not actually pass Session values from one server to another. Session state (in the pure, default sense) remains within a single server's memory and can not be passed to another machine and certainly not across domains.

    Also, is the secureID already encoded/encrypted? If so, it should not hurt to place it in a hidden form variable. Even if users happen to see it, they won't be able to do anything if it's not "human readable."

    When I used to work with Classic ASP, I quickly learned that there was no easy way to post form variables from one server-side page to another. The workaround I eventually learned to use is what I described in the previous several posts.

    Another suggestion is to do whatever it takes to make it work correctly - just to know that you can do it. Then, apply security measures as needed. Perhaps others will disagree with this approach. It seems to work well enough for me, especially when I'm totally stuck on one challenge.

  14. #14
    Super Moderator WebGenii's Avatar
    Join Date
    Jan 2001
    Location
    Redcliff, Alberta, Canada
    Posts
    4,066
    Thanks
    2
    Thanked 5 Times in 5 Posts

    Re: hidden values on a form

    Can you confirm that the second site is receiving the Username and Address values (from Session)?
    No, not until I can get in with the SecureID. The ID is not encrypted which is what launched this whole darn thing in the first place....

    So, if Session values can't be transferred - what can?

    I'm willing to be flexible in what I try - I'm looking at this as a learning experience as much as anything else!
    [b]Catharine Richardson (WebGenii)
    WebGenii Home Page
    Moderator: Spreadsheets, Other MS Apps, Presentation Apps, Visual Basic for Apps, Windows Mobile

  15. #15
    Silver Lounger
    Join Date
    Jan 2001
    Location
    Indianapolis, Indiana, USA
    Posts
    1,862
    Thanks
    0
    Thanked 0 Times in 0 Posts

    Re: hidden values on a form

    You're pretty much stuck with (hidden) Form variables or Querystring (which as already been determined to be insecure).

    You might also take a look at the way online vendors communicate with their merchant (credit-card) accounts. I'm sure there's a standard for sending transactionID, vendorID, and amount to be collected from the vendor to the merchant in a relatively secure fashion. It would be much easier to reuse someone else's proven method than trying to reinvent the wheel...

Page 1 of 2 12 LastLast

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •