I currently pass a value from an ASP form (form1) on domain 1 to an ASP form (form2) on domain 2 using POST method and a hidden field on the form. If the user selects View, Source they can see the value in the hidden field. Is there a way to pass the value without the user being able to see it on screen, in the querystring or in source? I cannot encrypt/decrypt the value as I do not have control of the value on domain 1.

Hmmm interesting. I know in .NET if i use an HTML Hidden control, run it as a server control and set its visiblity to false, it is not displayed in code but I am still able to access the value.

You may be able to achieve this with javascript, though you make the assumption that all of your users are going to have javascript enabled.

-------------------------
I will only tell you how to do it, not do it for you.
Unless, of course, you want to hire me to do work for you.

^^Thats my signature

How do you mean that you do not have control of the value in domain 1? Do you mean that you do not have access to the code in the first ASP page? If you aren't in control of what is contained in the first then, like you say, you can't encrypt the value. What alterative is there? Javascript can't modify the original soucre - I can't see how that would work even if the browser has javascript enabled. You could invent other schemes for doing this - for example, if both domains have access to the same database you could store this state information in a database and retrieve it as needed based on some other data in the request.

Why do you want to prohibit the users from seeing this value? If the people in charge of domain 1 are not trying to prevent users from seeing this value, why do you have to deal with it?

Woody Z http://www.learntoprogramnow.com

He never said he didn't have access to the source, he just said that he didnt have access to the value which can be for a myraid of reasons, e.g. it's a third party component that pulls the value into the hidden field that he must pass along to the second domain. As far as javascript goes you can do:

document.location.href='page.asp?id=' + value;

As long as this was wired to a button click that would redirect the user to get the value of a form field in javascript is rudimentary.

However, anytime you cross application domains there are always caveats that come up.

-------------------------
I will only tell you how to do it, not do it for you.
Unless, of course, you want to hire me to do work for you.

^^Thats my signature

Perhaps. But using the value as a querystring parameter is exacly what he states he does not want to do.
The point is, if access to the source is available, then why not encrypt the value. There must be some explaination as to why "access to the value" is not available. Regardless of where the value comes from (for example - a "thirg party compontent") if it is being used in code to create the HTML response, it is therefore available to be encrypted. And thus, my question remains: What is meant by "do not have control of the value in domain 1"???



Woody Z http://www.learntoprogramnow.com

True but, if for some reason, the business rules state the value can not be encrypted the developer is bound to those rules. I take the question at face value.

-------------------------
I will only tell you how to do it, not do it for you.
Unless, of course, you want to hire me to do work for you.

^^Thats my signature

 Right. I don't take anything at face value - I am questioning the real need so we can come to a solution. The requirement relaytest49 is describing seems to have a contradiction. Your solution does not meet the need that is described, which is to "pass the value without the user being able to see it on screen, in the qeurystring or in source." Your solution places it in the querystring.

However, since relaytest49 doesn't seem to be interested in clarifying his/her post, there isn't much use in us discussing it.
Woody Z http://www.learntoprogramnow.com