I have a contact us page on my website and I have to pass an email address and password used to send the email to the server on form submit. I have them in an input type hidden item but it is still displaying on the page if you view source. How can I hide these if someone views my page source?
You could try something fancy like fetching the values from the server using Ajax after the page loads. That way the values won't appear in the View Source. But they're still on the client and anyone who really wants to find out the values is going to be able to. And if you're not using SSL, the data will also be subject to man-in-the-middle attacks.
Why are you sending the sensitive data to the browser in the first place? If the data is already on the server, why send the sensitive data for a needless round trip around the net?
Well, I am new to web development and I am not so sure what a better way to do this is. I am using a code example from a tutorial on my webhost's site. Can you help me figure a better way out? The example code is below:
As a new web devo you should start with good habits and good practices right off the bat. And the number one thing you should do is to never, ever, ever, and did I mention ever, put Java code in a JSP. That's a practice that has been discredited for almost a decade now. Step back and start over. The JSTL (JSP Standard Tag Library) and EL (Expression Language) are the modern means to create dynamic JSP pages.
With regards to your specific problem, either keep the sensitive data on the server or encrypt it for the round trip. Once you send it to the client, the cat is out of the bag.
I find it easiest to simply keep sensitive data in the session for later use.
Well, as much as I hate to see such a long scriptlet-based JSP page, I still choose to tell you what the solution to your problem is.
Simply put these sensitive parameters into HttpSession on the previous page (by session.setAttribute()).
Since the session is confined inside the memory of the JVM, the data is secure. On the email.jsp page, extract the session values.
Also, looking at the code, it seems that auth_pass and auth_address are some parameters you want to protect.
But, hopefully these must be the same every time you are mailing, so you can even put them into web.xml as context parameters and access them in JSPs.
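The web.xml context-parameter approach suggested above, sketched as an added example that is not part of the original thread or the webhost's tutorial. It assumes the javax.servlet and JavaMail APIs; the servlet name, the form fields `email` and `message`, the `smtp_host` parameter, the `thanks.jsp` page and the use of `auth_address`/`auth_pass` as context-param names are all hypothetical.

```java
import java.io.IOException;
import java.util.Properties;
import javax.mail.*;
import javax.mail.internet.*;
import javax.servlet.*;
import javax.servlet.http.*;

// Hypothetical servlet the contact form posts to. web.xml is assumed to hold
// <context-param> entries named auth_address, auth_pass and smtp_host.
public class ContactServlet extends HttpServlet {
    @Override
    protected void doPost(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        // Credentials are read on the server; they never appear in the HTML.
        ServletContext ctx = getServletContext();
        final String authAddress = ctx.getInitParameter("auth_address");
        final String authPass = ctx.getInitParameter("auth_pass");
        // Only the visitor's own input travels through the browser.
        String replyTo = req.getParameter("email");
        String body = req.getParameter("message");
        // Reject missing fields and CR/LF, which could inject extra mail headers.
        if (replyTo == null || body == null
                || replyTo.contains("\r") || replyTo.contains("\n")) {
            resp.sendError(HttpServletResponse.SC_BAD_REQUEST);
            return;
        }
        Properties props = new Properties();
        props.setProperty("mail.smtp.host", ctx.getInitParameter("smtp_host"));
        props.setProperty("mail.smtp.auth", "true");
        props.setProperty("mail.smtp.starttls.enable", "true");
        Session mail = Session.getInstance(props, new Authenticator() {
            @Override
            protected PasswordAuthentication getPasswordAuthentication() {
                return new PasswordAuthentication(authAddress, authPass);
            }
        });
        try {
            MimeMessage msg = new MimeMessage(mail);
            msg.setFrom(new InternetAddress(authAddress));
            // Assumption: the site owner's mailbox is also the recipient.
            msg.setRecipient(Message.RecipientType.TO, new InternetAddress(authAddress));
            msg.setReplyTo(new Address[] { new InternetAddress(replyTo) });
            msg.setSubject("Contact form message");
            msg.setText(body);
            Transport.send(msg);
            resp.sendRedirect("thanks.jsp");
        } catch (MessagingException e) {
            log("contact mail failed", e); // detail goes to the server log only
            resp.sendError(HttpServletResponse.SC_INTERNAL_SERVER_ERROR);
        }
    }
}
```

Context parameters sit in plain text inside the deployed web.xml, so that file should be readable only by the application server account and kept out of any public source repository.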
Shashank Ag wrote: Simply put these sensitive parameters into HttpSession
As has already been suggested.
Thanks for all the help everyone! Consider this issue resolved. I should have thought to use a Java Bean in the first place. Now there is no logic in the JSP at all; it is all on the back end where it belongs! Thanks again!