security_asp thread: Redirecting from insecure to secure


Message #1 by "marko rangel" <spider@c...> on Mon, 6 Jan 2003 21:25:57
Sure man... submit to the same form but in a secure way...

<form action="https://<%=request.ServerVariables("SERVER_NAME")%><%=request.ServerVariables("SCRIPT_NAME")%>"
method="POST">

That should work for ya.

Cheers,

Colin MacKenzie

-----Original Message-----
From: marko rangel [mailto:spider@c...]
Sent: Monday, January 06, 2003 2:26 PM
To: Security_asp
Subject: [security_asp] Redirecting from insecure to secure

Hello,

I have an app on an insecure server that redirects a user (via a VB COM
object) to a secure server.  The only data that is transferred between the
servers is a user id that is passed on the querystring.

The code for the transfer is not very complicated.  Basically when the
user submits a form [form that posts to itself], and all the checks pass
we do a simple redirect:

.
. 'do processing here
.
response.clear
response.redirect "https://www.yourdomain.com/somedir/landingpage.asp?id=" _
& session("id")
response.end
.
.
.

The problem lies here:  We've noticed that some of the users that are being
transferred are not carrying over the querystring.  We do a simple test of
checking if the querystring is present (checking the length of the
querystring variable and seeing if the querystring variable exists) and
writing to a log if it isn't.

We've noticed that 1 out of 20 or so users experience this problem and I
think it may have to do with a proxy or browser setup.

Any ideas?

Marko
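
Added example, not part of the thread or either poster's code: the landing page's "is the id present?" check described above, extended so that it also rejects an id that was altered or replayed on its way from the insecure server to the secure one. It is written in Python rather than ASP so that it runs stand-alone; the function names, the ts and sig parameters, the shared key and the 120-second lifetime are all assumptions made for the illustration.

```python
import hashlib
import hmac
import time
from typing import Optional, Tuple
from urllib.parse import parse_qs, urlencode, urlsplit

# Assumption: both servers hold this secret, exchanged out of band (constructed value).
SHARED_KEY = b"constructed-demo-key-not-for-production"
MAX_AGE_SECONDS = 120  # assumption: how long a handoff link stays valid
LANDING_URL = "https://www.yourdomain.com/somedir/landingpage.asp"  # URL from the post


def _sign(user_id: str, issued_at: int) -> str:
    msg = f"{user_id}|{issued_at}".encode()
    return hmac.new(SHARED_KEY, msg, hashlib.sha256).hexdigest()


def build_redirect_url(user_id: str, now: Optional[int] = None) -> str:
    """Insecure server: redirect target carrying id, timestamp and MAC."""
    issued_at = int(time.time()) if now is None else now
    query = urlencode({"id": user_id, "ts": issued_at,
                       "sig": _sign(user_id, issued_at)})
    return f"{LANDING_URL}?{query}"


def check_landing_request(url: str, now: Optional[int] = None) -> Tuple[bool, str]:
    """Secure server: return (accepted, reason); the reason is what gets logged."""
    now = int(time.time()) if now is None else now
    params = parse_qs(urlsplit(url).query)
    user_id = params.get("id", [""])[0]
    ts = params.get("ts", [""])[0]
    sig = params.get("sig", [""])[0]
    if not user_id:
        return False, "missing id"  # the case the thread is logging
    try:
        issued_at = int(ts)
    except ValueError:
        return False, "missing or bad ts"
    expected = _sign(user_id, issued_at)
    if not hmac.compare_digest(sig.encode(), expected.encode()):
        return False, "bad signature"  # id or timestamp changed in transit
    if not 0 <= now - issued_at <= MAX_AGE_SECONDS:
        return False, "expired"
    return True, "ok"
```

Logging the returned reason separates requests that arrive with no querystring at all from requests whose id was present but modified.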
