Why can't you turn off QueryString logging? Which logging format are you using? (you should be using the w3 extended logging format, not the IIS one)

Cheers
Ken

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
From: "Ben Timby" <[EMAIL PROTECTED]>
Subject: Sensitive data in URLs, posted from Email - stored in HTTP log in plaintext.

: Hello, I work for a company that sends massive amounts of emails. One
: of our new features is to include a survey in your email message to
: your subscriber base; the results are stored on our server for our
: customer to download. The forms are POSTed directly from the user's
: email client. We use the GET method for our forms as POST does not
: work from most email clients. As such, one of our customers wants to
: collect payment info from their email survey. We use HTTPS for form
: submissions so I know the data is secure during transit, however,
: once the form data is sent to our server, it is logged (via the
: querystring) into insecure HTTP logs written by IIS. I cannot use
: active scripting to encrypt the form data on the URL as most email
: clients (correctly) have scripting disabled. Can anyone think of a
: creative solution for me? The answer is not to put a link to the
: survey, we already do that, I have to have the form in the email, or
: a majority of people will not use it. Also, IIS will not allow me to
: disable the logging of the querystring, and I really don't want a
: process that "cleans" the logs, I would rather the data never be
: written. Also, I use the HTTP logs to provide usage stats to my
: customer (the email sending co.) so I need to keep them around, I
: also archive them, for auditing purposes.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
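
An audit check for the situation discussed in this thread, added here as an example and not part of either message: it reads a W3C extended log, reports whether the `cs-uri-query` field is being written at all, and flags query parameters whose values look like payment card numbers (Luhn-valid, 13 to 19 digits). The sample log, paths and parameter names are constructed for illustration.

```python
import re
from urllib.parse import parse_qsl

# Constructed sample in W3C extended format (not taken from the thread).
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services
#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
2004-03-01 10:15:02 192.0.2.10 GET /survey/submit.asp q1=yes&card=4111111111111111&exp=0109 200
2004-03-01 10:15:09 192.0.2.11 GET /survey/submit.asp q1=no&order=1234567890123456 200
2004-03-01 10:16:40 192.0.2.12 GET /default.asp - 200
"""

def luhn_ok(digits):
    """Luhn checksum used by payment card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def audit(log_text):
    """Return (query_logged, findings); findings are (line_no, uri_stem, param).

    The matched value is deliberately left out of the findings so the
    audit output does not become another copy of the sensitive data.
    """
    fields, query_logged, findings = [], False, []
    for line_no, line in enumerate(log_text.splitlines(), 1):
        if line.startswith("#Fields:"):      # directive names the columns that follow
            fields = line.split()[1:]
            query_logged = query_logged or "cs-uri-query" in fields
            continue
        if line.startswith("#") or not line.strip() or "cs-uri-query" not in fields:
            continue
        cols = line.split()
        if len(cols) != len(fields):         # malformed or truncated entry
            continue
        row = dict(zip(fields, cols))
        for name, value in parse_qsl(row["cs-uri-query"], keep_blank_values=True):
            digits = re.sub(r"[ -]", "", value)
            if re.fullmatch(r"\d{13,19}", digits) and luhn_ok(digits):
                findings.append((line_no, row.get("cs-uri-stem", "?"), name))
    return query_logged, findings

if __name__ == "__main__":
    print(audit(SAMPLE_LOG))
```

A log whose `#Fields:` directive omits `cs-uri-query` yields `(False, [])`, which is the state the reply above is steering toward.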
