Beefy Boxes and Bandwidth Generously Provided by pair Networks
Pathologically Eclectic Rubbish Lister
 
PerlMonks  

Re: Re: ENV{'REMOTE_USER'} is it safe?

by spacey (Scribe)
on Sep 28, 2003 at 19:25 UTC ( [id://294788]=note: print w/replies, xml ) Need Help??


in reply to Re: ENV{'REMOTE_USER'} is it safe?
in thread ENV{'REMOTE_USER'} is it safe?

Thanks for the clarification
I was concerned that a user who may have already authenticated would be able to push a modified REMOTE_USER variable.

Replies are listed 'Best First'.
Re: Re: Re: ENV{'REMOTE_USER'} is it safe?
by DrHyde (Prior) on Sep 29, 2003 at 08:18 UTC
    In theory they can. Because HTTP is stateless, the username and password have to be supplied again for each request. Users don't see this because the browser handles it for them. In practice they can't, because most (all?) browsers don't give the user an easy way to change their username and password once they have successfully logged in to your site, but some might, and if they are using their own program or talking raw HTTP at your server or something similar then all bets are off.

    Even so, if the user *can* send some other username/password, that username/password would still have to be accepted by your web server before they could get at any content so it's probably not something you need to worry about.

[reply]

In Section Seekers of Perl Wisdom

Log In?
Username:
Password:

What's my password?
Create A New User
Domain Nodelet?

www.com | www.net | www.org
Node Status?
node history
Node Type: note [id://294788]
help
Chatterbox?
and the web crawler heard nothing...

How do I use this?Last hourOther CB clients
Other Users?
Others scrutinizing the Monastery: (5)
As of 2024-04-18 14:41 GMT
Sections?
Information?
Find Nodes?
Leftovers?
    Voting Booth?

    No recent polls found