I checked again, are you referring to the "URI Query" field? I am not
familiar w/ that name... I guess that must be it eh?

Ben Timby
Webexcellence
PH: 317.423.3548 x23
TF: 800.808.6332 x23
FX: 317.423.8735
[EMAIL PROTECTED]
www.webexc.com 

-----Original Message-----
From: Ken Schaefer [mailto:[EMAIL PROTECTED]] 
Sent: Tuesday, September 10, 2002 7:46 PM
To: ActiveServerPages
Subject: Re: Sensitive data in URLs, posted from Email - stored in HTTP log in plaintext.


Why can't you turn off QueryString logging? Which logging format are
you using? (you should be using the w3 extended logging format, not the
IIS one)

Cheers
Ken

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
From: "Ben Timby" <[EMAIL PROTECTED]>
Subject: Sensitive data in URLs, posted from Email - stored in HTTP log in plaintext.


: Hello, I work for a company that sends massive amounts of emails. One
: of our new features is to include a survey in your email message to
: your subscriber base; the results are stored on our server for our
: customer to download. The forms are POSTed directly from the user's
: email client. We use the GET method for our forms as POST does not
: work from most email clients. As such, one of our customers wants to
: collect payment info from their email survey. We use HTTPS for form
: submissions so I know the data is secure during transit, however,
: once the form data is sent to our server, it is logged (via the
: querystring) into insecure HTTP logs written by IIS. I cannot use
: active scripting to encrypt the form data on the URL as most email
: clients (correctly) have scripting disabled. Can anyone think of a
: creative solution for me? The answer is not to put a link to the
: survey, we already do that, I have to have the form in the email, or
: a majority of people will not use it. Also, IIS will not allow me to
: disable the logging of the querystring, and I really don't want a
: process that "cleans" the logs, I would rather the data never be
: written. Also, I use the HTTP logs to provide usage stats to my
: customer (the email sending co.) so I need to keep them around, I
: also archive them, for auditing purposes.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
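
An added example, not code from anyone in this thread: a small Python audit that follows each `#Fields:` directive in a W3C extended log and reports, by line number only, where the query-string field (`cs-uri-query`, which the IIS logging dialog labels "URI Query") is still being recorded. The function name, the sample log lines and the parameter values in them are constructed for illustration.

```python
# Audit W3C extended logs for logged query strings (added example).
# The #Fields directive can reappear mid-file when the logging configuration
# changes, so the column layout is tracked per directive, not per file.

QUERY_FIELD = "cs-uri-query"  # W3C extended field behind the "URI Query" option

# Constructed sample: query logging is on at first, then switched off.
SAMPLE_LOG = """\
#Version: 1.0
#Date: 2002-09-10 12:00:00
#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
2002-09-10 12:00:01 192.0.2.10 GET /survey/submit.asp q1=yes&card=CONSTRUCTED-VALUE 200
2002-09-10 12:00:05 192.0.2.11 GET /default.asp - 200
#Date: 2002-09-10 13:00:00
#Fields: date time c-ip cs-method cs-uri-stem sc-status
2002-09-10 13:00:02 192.0.2.12 GET /survey/submit.asp 200
"""

def audit_query_logging(lines):
    """Return line numbers of #Fields headers that enable query logging,
    of entries carrying a non-empty query string, and of malformed entries.
    Only line numbers are reported, so the audit never copies the data."""
    fields = []
    report = {"headers": [], "entries": [], "malformed": []}
    for lineno, raw in enumerate(lines, start=1):
        line = raw.strip()
        if not line:
            continue
        if line.startswith("#"):
            if line.lower().startswith("#fields:"):
                fields = line.split(":", 1)[1].split()
                if QUERY_FIELD in fields:
                    report["headers"].append(lineno)
            continue
        if QUERY_FIELD not in fields:
            continue  # query strings are not logged under this layout
        values = line.split()
        if len(values) != len(fields):
            report["malformed"].append(lineno)  # cannot locate the column
        elif values[fields.index(QUERY_FIELD)] != "-":  # "-" means empty
            report["entries"].append(lineno)
    return report

if __name__ == "__main__":
    print(audit_query_logging(SAMPLE_LOG.splitlines()))
```

Run it over archived log files as well as the live one: entries written before the field was switched off still hold the submitted form data.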




