Question

Need to submit some CC data from the View to the Controller where it will be processed. Can I just POST it, or is there some common way of securing the data in transit?

OTHER TIPS

Posting with SSL like Rex M mentioned is definitely the first step. You should probably make the page where they are typing their credit card number SSL as well. This will give your users the green URL of comfort.

You should also include protection against CSRF attacks. Use the anti-forgery token.

Also, you should use the PRG (Post, Redirect, Get) pattern to make sure that the credit card numbers aren't submitted twice. After the post, don't just render a different view, send a redirect so their browser does a GET against another URL - probably your confirmation page.

You'll run into a few ASP.NET MVC specific things:

  1. If you have some http pages and some https pages, how will you code the links to the https pages from the http pages? You can hard code them, but you'll have to hard code the domain and protocol. You can't just use <%= Html.ActionLink(... see this SO question for more details.

  2. You'll want to make sure you can't hit your controllers when you are not using SSL. This will help you catch any errors, and ensure that no one uses http instead of https. See the [RequireSsl] attribute in the futures assembly. Here's a blog post about it from Adam Salvo.
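
The tips above combined in one controller, as an added example that is not part of the original answer: it uses the built-in [RequireHttps] attribute from later ASP.NET MVC releases in place of the futures [RequireSsl], and PaymentForm, IPaymentGateway, CheckoutController and the action names are hypothetical. It assumes a project that references System.Web.Mvc and a controller factory that supplies the gateway.

```csharp
using System.Web.Mvc;

// Hypothetical view model; names are assumptions for this example.
public class PaymentForm
{
    public string CardNumber { get; set; }
    public string Expiry { get; set; }
}

// Hypothetical stand-in for whatever actually charges the card.
public interface IPaymentGateway
{
    string Charge(PaymentForm form); // returns an opaque order reference
}

// Plain-http GETs are redirected to https; other verbs over http are rejected.
[RequireHttps]
public class CheckoutController : Controller
{
    private readonly IPaymentGateway _gateway;

    public CheckoutController(IPaymentGateway gateway) { _gateway = gateway; }

    // The form page itself is served over HTTPS. Its view must emit
    // <%= Html.AntiForgeryToken() %> inside the <form> element.
    [HttpGet]
    public ActionResult Pay()
    {
        return View(new PaymentForm());
    }

    // The anti-forgery token is validated before the action body runs.
    [HttpPost]
    [ValidateAntiForgeryToken]
    public ActionResult Pay(PaymentForm form)
    {
        if (!ModelState.IsValid)
            return View(form);

        string orderRef = _gateway.Charge(form);

        // PRG: redirect so a browser refresh repeats a GET, not the card POST.
        return RedirectToAction("Confirmation", new { id = orderRef });
    }

    // Cast to object so the string is the model, not a view name.
    [HttpGet]
    public ActionResult Confirmation(string id) { return View((object)id); }
}
```

Only the order reference travels in the redirect URL; the card number never appears in a query string or on the confirmation page.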

I haven't read about the implementation of the ASP.net-MVC. However, I believe that you have mixed up the terminology.

The MVC Pattern would be evaluated on the server end. [So there is little need to do security checks between the components (unless they are exposed outside the program)]

I believe that many people get the impression that you are talking about HTTP POSTs after a form submission (as opposed to HTTP GETs).

Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow