I would love to, if you could show me where that option is located :-). I already checked the extended properties tab of the logging dialog in IIS, and querystring logging is not there. I figured that is where I should start before posting, but no luck, so I need more suggestions. I am using the W3C standard format for logfiles.

Ben Timby
Webexcellence
PH: 317.423.3548 x23
TF: 800.808.6332 x23
FX: 317.423.8735
[EMAIL PROTECTED]
www.webexc.com

-----Original Message-----
From: Ken Schaefer [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, September 10, 2002 7:46 PM
To: ActiveServerPages
Subject: Re: Sensitive data in URLs, posted from Email - stored in HTTP log in plaintext.

Why can't you turn off QueryString logging? Which logging format are you using? (you should be using the w3 extended logging format, not the IIS one)

Cheers
Ken

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
From: "Ben Timby" <[EMAIL PROTECTED]>
Subject: Sensitive data in URLs, posted from Email - stored in HTTP log in plaintext.

: Hello, I work for a company that sends massive amounts of emails. One
: of our new features is to include a survey in your email message to
: your subscriber base; the results are stored on our server for our
: customer to download. The forms are POSTed directly from the user's
: email client. We use the GET method for our forms as POST does not
: work from most email clients. As such, one of our customers wants to
: collect payment info from their email survey. We use HTTPS for form
: submissions so I know the data is secure during transit, however,
: once the form data is sent to our server, it is logged (via the
: querystring) into insecure HTTP logs written by IIS. I cannot use
: active scripting to encrypt the form data on the URL as most email
: clients (correctly) have scripting disabled. Can anyone think of a
: creative solution for me? The answer is not to put a link to the
: survey, we already do that, I have to have the form in the email, or
: a majority of people will not use it. Also, IIS will not allow me to
: disable the logging of the querystring, and I really don't want a
: process that "cleans" the logs, I would rather the data never be
: written. Also, I use the HTTP logs to provide usage stats to my
: customer (the email sending co.) so I need to keep them around, I
: also archive them, for auditing purposes.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
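
An added example, not part of the original thread: one way to confirm whether a W3C extended log is actually recording the query string, and which sensitive parameter names reach it, without echoing their values. The cs-uri-query field and the #Fields directive are part of the W3C extended format; the sample log, the parameter names in SENSITIVE and the function name are constructed for illustration.

```python
from urllib.parse import parse_qsl

# Constructed sample log in W3C extended format (not taken from the thread).
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 5.0
#Version: 1.0
#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
2002-09-10 19:46:01 192.0.2.10 GET /survey/submit.asp name=A+User&cardnumber=0000000000000000&exp=0104 200
2002-09-10 19:46:05 192.0.2.11 GET /default.asp - 200
#Fields: date time c-ip cs-method cs-uri-stem sc-status
2002-09-10 19:50:00 192.0.2.12 GET /survey/submit.asp 200
"""

# Assumed parameter names to treat as sensitive; adjust to the real form fields.
SENSITIVE = {"cardnumber", "exp", "cvv"}


def audit_query_logging(log_text, sensitive=SENSITIVE):
    """Return (entries_with_query_field, {sensitive_param: hits}).

    Only parameter names are counted; values are never stored or returned.
    """
    fields, logged, exposed = [], 0, {}
    for line in log_text.splitlines():
        if line.startswith("#Fields:"):
            # The directive can change mid-file when logging settings change.
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#") or "cs-uri-query" not in fields:
            continue
        cols = line.split(" ")
        if len(cols) != len(fields):
            continue  # malformed or truncated entry
        logged += 1
        query = cols[fields.index("cs-uri-query")]
        if query == "-":  # "-" marks an empty field
            continue
        for name, _value in parse_qsl(query, keep_blank_values=True):
            key = name.lower()
            if key in sensitive:
                exposed[key] = exposed.get(key, 0) + 1
    return logged, exposed


if __name__ == "__main__":
    count, hits = audit_query_logging(SAMPLE_LOG)
    print(f"{count} entries recorded cs-uri-query; sensitive names seen: {hits}")
```

Entries written after the second #Fields line, where cs-uri-query is no longer selected, are not counted, which makes the change in logging settings visible in the result.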
