WebApp Sec mailing list archives

RE: IIS log


From: "Nelson, Ernie" <Ernie.Nelson () wizards com>
Date: Tue, 5 Aug 2003 15:35:15 -0700

As others have stated and I was reminded earlier today...

IIS logs information that is placed in the query string via an http get.
If a post is used then the information will not be logged.  Generally it
is best in e-commerce applications to do most of your work via posts
since there is less in the user's face to fiddle with.

Also if you have to keep some cc info in your database...try to do real
time auth and simply keep a hash of the user's cc# or a first 4/last 4
span for auditing or reporting purposes.  That way if your box is ever
compromised you do not have a log or database full of cc#'s.  It also
helps when you do any web based functionality that requires the cc
identity...you aren't passing out their actual, usable number.

Yes, this is a serious issue.  Tell your web developers to get their
head out of their a $ $ because they've coded a liability that could
destroy the company!

Big time problem.

Copy a few lines of the log and paste them into a response.


MAKE SURE YOU MODIFY THE CC NUMBERS!!!!!!!
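Added example (not part of the post above): a small Python check that does what the advice describes from the defender's side, scanning a constructed IIS W3C extended log for card-like numbers that landed in cs-uri-query via GET, then reducing each hit to the first 4/last 4 span and a salted hash token instead of the usable number. The log lines, the salt and the function names are assumptions for illustration.

```python
import hashlib
import re

# Constructed sample of an IIS W3C extended log (not from the original post).
# The #Fields line names the columns; cs-uri-query is where GET parameters land.
SAMPLE_LOG = """#Software: Microsoft Internet Information Services 6.0
#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
2003-08-05 22:35:15 10.0.0.5 GET /checkout.asp cc=4111111111111111&exp=0405 200
2003-08-05 22:36:02 10.0.0.5 POST /checkout.asp - 200
2003-08-05 22:37:10 10.0.0.9 GET /order.asp id=123456789012 200
"""

DIGIT_RUN = re.compile(r"\d{13,19}")  # typical PAN lengths

def luhn_ok(digits: str) -> bool:
    """Luhn mod-10 check, to tell card-like numbers from other long IDs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0

def mask_pan(pan: str) -> str:
    """Keep only the first 4 / last 4 digits, as the post suggests for audit use."""
    return pan[:4] + "*" * (len(pan) - 8) + pan[-4:]

def pan_token(pan: str, salt: bytes) -> str:
    """Salted SHA-256 of the PAN: a stable reporting token, not a usable card number."""
    return hashlib.sha256(salt + pan.encode()).hexdigest()

def find_pans_in_query(log_text: str) -> list[tuple[str, str]]:
    """Return (cs-method, masked PAN) for each Luhn-valid card-like number in cs-uri-query."""
    fields: list[str] = []
    hits: list[tuple[str, str]] = []
    for line in log_text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if line.startswith("#") or not line.strip():
            continue
        row = dict(zip(fields, line.split()))
        for m in DIGIT_RUN.finditer(row.get("cs-uri-query", "-")):
            if luhn_ok(m.group()):
                hits.append((row["cs-method"], mask_pan(m.group())))
    return hits
```

On the sample log only the GET request is flagged; the POST line carries "-" in cs-uri-query because IIS does not log the request body.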

