PerlMonks |
Hi

I've been asked to investigate security problems with web pages that I've been working on.

One set of pages uses the .htaccess file in the directory, thus the user is asked for a user name and password before accessing any web pages in that directory or subdirectory. How secure is .htaccess? Is the user name and password encrypted when it is sent to the server, and how safe/good is the encryption? The server is sitting behind the firewall, which means people outside of the organisation cannot access/view it, which must be a good thing.

The second set of pages takes a username from a main login screen and inserts it into a hidden field, which I know is not hidden because it can be seen in the source code. This username is then passed as a variable to a new screen via POST method, and is checked against a database. Is it possible for a user to access a web page without going through the main login screen, and inserting a username in the parameters?

Many thanks in advance.

Anthony

PS I know the Perl FAQ on security tips, Q41: "Can people see or change the values in "hidden" form variables?", does answer part of the second problem, but I do not know, or understand, how a user can replace variables that are posted.

In reply to CGI Security by ant
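An added example, not part of the original post or of any code it refers to: one way the page that receives the POST can check that the hidden username field was issued by the login screen, by attaching an HMAC computed with a server-side secret. The function names, the secret, the username pattern and the 15-minute lifetime are assumptions made for the illustration.

```perl
use strict;
use warnings;
use Digest::SHA qw(hmac_sha256_hex);

# Assumption: a secret known only to the server. Constructed placeholder;
# the real value belongs in a file outside the web root.
my $SECRET  = 'replace-with-random-server-side-secret';
my $MAX_AGE = 15 * 60;    # seconds a token stays valid (assumed policy)

# Called by the login screen after the password check succeeds.
# Returns the value to put in the hidden field: user|issued|mac
sub issue_token {
    my ($user, $now) = @_;
    return join '|', $user, $now, hmac_sha256_hex("$user|$now", $SECRET);
}

# Called by every later page. Returns the username, or undef when the
# field is missing, malformed, edited, or older than $MAX_AGE.
sub verify_token {
    my ($token, $now) = @_;
    return unless defined $token;
    my ($user, $issued, $mac) =
        $token =~ m{\A([A-Za-z0-9_.-]{1,32})\|(\d{1,12})\|([0-9a-f]{64})\z} or return;
    my $expect = hmac_sha256_hex("$user|$issued", $SECRET);
    # Compare all 64 hex digits rather than stopping at the first mismatch.
    my $diff = 0;
    $diff |= ord(substr($mac, $_, 1)) ^ ord(substr($expect, $_, 1)) for 0 .. 63;
    return if $diff;
    return if $now < $issued || $now - $issued > $MAX_AGE;
    return $user;
}

# Constructed sample values: one genuine field and three that must be refused.
my $t0    = 1_700_000_000;
my $token = issue_token('anthony', $t0);
(my $edited = $token) =~ s/\Aanthony/admin/;    # username changed, MAC left as is

for my $case (
    [ genuine => $token,  $t0 + 60 ],
    [ edited  => $edited, $t0 + 60 ],
    [ expired => $token,  $t0 + 3600 ],
    [ bare    => 'admin', $t0 + 60 ],
) {
    my ($name, $value, $now) = @$case;
    my $user = verify_token($value, $now);
    printf "%-8s %s\n", $name, defined $user ? "accepted as $user" : 'rejected';
}
```

A token of this kind can still be replayed until it expires, and it does not encrypt anything: it only lets the server tell a value it issued from one supplied by hand.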