hide email and password on contactus jsp

Robert Stone
Greenhorn

Joined: Jan 06, 2011
Posts: 25
I have a contactus page on my website and I have to pass an email address and password used to send the email to the server on form submit. I have them in an input type hidden item but it is still displaying on the page if you view source. How can I hide these if someone views my page source?
Bear Bibeault
Author and ninkuma
Marshal

Joined: Jan 10, 2002
Posts: 61241
    

You can't.

You could try something fancy like fetching the values from the server using Ajax after the page loads. That way the values won't appear in the View Source. But they're still on the client and anyone who really wants to find out the values is going to be able to. And if you're not using SSL, the data will also be subject to man-in-the-middle attacks.

Why are you sending the sensitive data to the browser in the first place? If the data is already on the server, why send the sensitive data for a needless round trip around the net?


Robert Stone
Greenhorn

Joined: Jan 06, 2011
Posts: 25
Well, I am new to web development and I am not so sure what a better way to do this is. I am using a code example from a tutorial on my webhost's site. Can you help me figure a better way out? The example code is below:



Robert Stone
Greenhorn

Joined: Jan 06, 2011
Posts: 25
Any help you can be will be greatly appreciated!

Thanks
Bear Bibeault
Author and ninkuma
Marshal

Joined: Jan 10, 2002
Posts: 61241
    

Oh my.

As a new web devo you should start with good habits and good practices right off the bat. And the number one thing you should do is to never, ever, ever, and did I mention ever, put Java code in a JSP. That's a practice that has been discredited for almost a decade now. Step back and start over. The JSTL (JSP Standard Tag Library) and EL (Expression Language) are the modern means to create dynamic JSP pages.

With regards to your specific problem, either keep the sensitive data on the server or encrypt it for the round trip. Once you send it to the client, the cat is out of the bag.

I find it easiest to simply keep sensitive data in the session for later use.
Bear Bibeault
Author and ninkuma
Marshal

Joined: Jan 10, 2002
Posts: 61241
    

Some articles that might help your journey:

The Secret Life of JSPs
The Front Man
Robert Stone
Greenhorn

Joined: Jan 06, 2011
Posts: 25
Thanks so much!
Deepak Bala
Bartender

Joined: Feb 24, 2006
Posts: 6661
    

The example code is below:




Never mix scriptlets and JSP. You can also use an encoding technique to mangle the data. Of course a smart bot, if it is determined enough, can decode it.

Bottom line: If you are not supposed to send something to the browser, don't. If you need to send data and protect it...

1. Password protect your resources
2. Do some fancy things like ajax or encoding (Not fool proof)

Shashank Ag
Ranch Hand

Joined: Dec 22, 2009
Posts: 88

Well, as much as I hate to see such a long scriptlet-based JSP page, I still choose to tell you what the solution to your problem is.

Simply put these sensitive parameters into HttpSession on the previous page (by session.setAttribute()).
Since the session is confined inside the memory of the JVM, the data is secure. On the email.jsp page, extract the session values.

Also, looking at the code, it seems that auth_pass and auth_address are some parameters you want to protect.
But hopefully these must be the same every time you are mailing, so you can even put them into web.xml as context parameters and access them in JSPs.


SCJP 91%, SCWCD 97%
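
The server-side approach suggested in the replies above (auth_address and auth_pass held in web.xml context parameters and read only on the server), as an added example that is not part of the thread: the form posts just the visitor's message and a servlet looks up the credentials itself. The class name, the `message` field, the `smtp_host` parameter and `thanks.jsp` are assumptions made for illustration; the code uses the javax.servlet and JavaMail APIs.

```java
// Added example, not code from the thread. Assumed web.xml entries (placeholder values):
//   <context-param><param-name>auth_address</param-name><param-value>PLACEHOLDER</param-value></context-param>
//   <context-param><param-name>auth_pass</param-name><param-value>PLACEHOLDER</param-value></context-param>
//   <context-param><param-name>smtp_host</param-name><param-value>PLACEHOLDER</param-value></context-param>
import java.io.IOException;
import java.util.Properties;
import javax.mail.*;
import javax.mail.internet.InternetAddress;
import javax.mail.internet.MimeMessage;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

public class ContactServlet extends HttpServlet {   // hypothetical class name
    @Override
    protected void doPost(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        // Only the visitor's own text arrives from the browser; no hidden credential fields.
        String body = req.getParameter("message");   // hypothetical form field
        if (body == null || body.trim().isEmpty()) {
            resp.sendError(HttpServletResponse.SC_BAD_REQUEST, "message is required");
            return;
        }
        // Credentials are read on the server and never written into any response.
        final String user = getServletContext().getInitParameter("auth_address");
        final String pass = getServletContext().getInitParameter("auth_pass");
        Properties props = new Properties();
        props.put("mail.smtp.host", getServletContext().getInitParameter("smtp_host"));
        props.put("mail.smtp.auth", "true");
        props.put("mail.smtp.starttls.enable", "true");
        Session mail = Session.getInstance(props, new Authenticator() {
            @Override
            protected PasswordAuthentication getPasswordAuthentication() {
                return new PasswordAuthentication(user, pass);
            }
        });
        try {
            MimeMessage msg = new MimeMessage(mail);
            msg.setFrom(new InternetAddress(user));
            msg.setRecipient(Message.RecipientType.TO, new InternetAddress(user));
            msg.setSubject("Contact form");
            msg.setText(body);
            Transport.send(msg);
        } catch (MessagingException e) {
            throw new ServletException("mail could not be sent", e);
        }
        req.getRequestDispatcher("/thanks.jsp").forward(req, resp);
    }
}
```

The container does not serve files under WEB-INF to clients, so the values in web.xml stay on the server as long as no page echoes them back.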
Bear Bibeault
Author and ninkuma
Marshal

Joined: Jan 10, 2002
Posts: 61241
    

Shashank Ag wrote: Simply put these sensitive parameters into HttpSession

As has already been suggested.
Robert Stone
Greenhorn

Joined: Jan 06, 2011
Posts: 25
Thanks for all the help everyone! Consider this issue resolved. I should have thought to use a Java Bean in the first place. Now there is no logic in the JSP at all; it is all on the back end where it belongs! Thanks again!

Robert
 