Classic ASP form post with sensitive fields

helping my friend with his old ASP site and ran into an issue so I wanted to throw this out to see if i can get some help.

The site basically needs to POST data to another page which it's doing fine. The problem is that it's needs to POST the username/password to the receiving page and the site is currently holding that in hidden fields which is obviously no good since you can see it in the source code.

How can you pull the data in on the ASP page without having it hidden in an input field? I know it can get stored as a variable but then I can't POST it and if I put that variable in an input value field it shows up in开发者_Python百科 the source.

Any help would be appreciated.

Thanks!

it needs to POST the username/password to the receiving page

No it doesn't. :)

If the two pages are part of the same site, use the Session object.

If the two pages are on different sites, things are trickier, but the idea is similar. I'm guessing this isn't the case for you, but if it is, look at OAuth. (For example, when you log in here, you use authentication from another site, but stackoverflow never sees your password for that site. Same idea.)

Create a database table that looks like

 uniqueidentifier   SessionId
 varchar            Username
 varchar            Password

Store the SessionId in the cookie with Response.Cookies.

Get the SessionId from the cookie in JavaScript, and send an ajax request to a page that gets the username and password from the database using the SessionId and outputs the values in JSON. Attach the values with javascript to a hidden field. You will still appear to be getting a value from the hidden field on the page that receives the form post, but if a user views the page source it would just say something like <input type="hidden" id="username" name="username" value="DefaultUserNameValue" />. The value will be assigned dynamically using javascript, which is not visible to the User.