Security issues with sending back sensitive info after failed form submission

Question

I have a ASP.NET Core application where I have to collect a handful of information about an applicant. One of the fields is SSN.

I have a GET action in my controller that displays the fields of the form. It looks like this:

[HttpGet]
[Route("~/applicant/")]
public IActionResult Applicant(int id, Guid guid)
{
    var model = CreateEmptyViewModel();
    return View(model);
}

I then have a POST action in my controller that checks if the form submission is valid and moves on or reloads the form accordingly.

[HttpPost]
[Route("~/post-applicant")]
public IActionResult PostApplicant(MyViewModel model)
{
    if (model == null) throw new ArgumentNullException(nameof(model));

    if (ModelState.IsValid)
    {
        // code that moves on
    }
    else
    {
        TempData["Error"] = "The form is incomplete or corrections are needed.";
        return View(nameof(Applicant), model); // reloads form with fields filled out
    }
}

My view model looks like this:

public class MyViewModel
{
    public string FirstName { get; set; }
    public string LastName { get; set; }
    public string SSN { get; set; }
}

All properties in MyViewModel are required. If the user decides to supply SSN but not first name, the form submission will fail and the form will be reloaded.

Are there any security related ramifications for reloading a form with recently typed sensitive information? Is there a better way to do what I am doing?

Answer 1

Encrypting your requests and response via SSL is good first step, but it is not a solution in itself. HTTPS traffic can be intercepted and man-in-the-middle attacks are a real concern, particular on insecure networks like public wifi. Unless you can ensure that all your users are running latest and greatest platforms with all security patches applied and are always connected to secure networks directly or via a secure VPN, then you can't just brush off PII as fine because it's HTTPS. Even then, there's always zero-day exploits you can never account for.

Long and short, you should treat all sensitive PII as sacrosanct at all times and never transfer it over the line unless you have to. Initial collection is one such occasion, but that doesn't mean it should come back over the line on error. It's perfectly okay to make a user re-enter sensitive information again, and most users tend to understand why they have to. For example, if you make an error with a credit card payment form, your credit card number doesn't come back filled in already - that would be a severe violation of PCI.

So, in your controller action, you should do the following:

ModelState.Remove("SSN");
model.SSN = null;
return View(model);

That said, there's probably worse PII to potentially leak at this point. Thanks to Equifax, virtually everyone's SSN is already public. Still, it's always good to think about what data you're sending back and forth.

Answer 2

As long as you are using HTTPS, then there are no security implications.

The only way you could make it better is by doing the POST as an AJAX request in the background. Then you only need to return the error message if there is one. The only real benefit is a better user experience since they don't need to wait for a full page refresh. There's an example of that here: https://stackoverflow.com/a/6960586/1202807

But the way you're doing it is fine too.