PerlMonks  

comment on
Hi, I've been asked to investigate security problems with web pages that I've been working on.

One set of pages uses the .htaccess file in the directory, thus the user is asked for a user name and password before accessing any web pages in that directory or sub-directory. How secure is .htaccess? Is the user name and password encrypted when it is sent to the server, and how safe/good is the encryption? The server is sitting behind the firewall, which means people outside of the organisation cannot access/view it, which must be a good thing.

The second set of pages takes a username from a main login screen and inserts it into a hidden field, which I know is not hidden because it can be seen in the source code. This username is then passed as a variable to a new screen via the POST method, and is checked against a database. Is it possible for a user to access a web page without going through the main login screen, and inserting a username in the parameters???

Many thanks in advance.

Anthony

PS I know the Perl FAQ on security tips, Q41: Can people see or change the values in "hidden" form variables?, does answer part of the second problem, but I do not know, or understand, how a user can replace variables that are posted.
In reply to CGI Security by ant
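An added illustration of both questions in the post above (example code; it is not from ant's post or from any reply on the thread). The first part decodes a constructed HTTP Basic `Authorization` header of the kind an .htaccess-protected directory causes the browser to send, which shows that the credentials are only base64-encoded, not encrypted. The second part contrasts a handler that trusts the hidden `username` field with one that only trusts a server-side session keyed by a cookie. The user table, the session id and the posted parameters are all constructed stand-ins.

```perl
#!/usr/bin/perl
# Added illustration for the two questions in the post; not code from the original.
use strict;
use warnings;
use MIME::Base64 qw(decode_base64);

# --- Question 1: what an .htaccess (HTTP Basic auth) login puts on the wire ---
# Constructed header: what a browser sends once the user has typed
# user name "ant" and password "s3cret" into the .htaccess prompt.
my $authorization_header = 'Basic YW50OnMzY3JldA==';

# Recover the credentials from the header. Only base64 is involved, i.e. an
# encoding, not encryption: anyone who can read the request can read these.
sub basic_auth_credentials {
    my ($header) = @_;
    return unless $header =~ /^Basic\s+(\S+)\s*$/;
    return split /:/, decode_base64($1), 2;
}

my ($user, $pass) = basic_auth_credentials($authorization_header);
print "Basic auth header decodes to user='$user' password='$pass'\n";
print "(the only protection on the wire is TLS, i.e. serving the pages over https)\n";

# --- Question 2: trusting a hidden "username" field versus a server-side session ---
my %valid_users = map { $_ => 1 } qw(ant admin);  # constructed stand-in for the database

# Insecure handler: believes whatever arrived in the POST body. The hidden
# field is just another form parameter, so the client controls its value and
# the main login screen is never actually required.
sub allowed_by_hidden_field {
    my (%post) = @_;
    my $claimed = $post{username} // '';
    return exists $valid_users{$claimed} ? 1 : 0;
}

# Hardened handler: the login screen stores the authenticated name server-side
# under an unguessable session id and hands the browser only that id in a
# cookie. The protected page then ignores any username sent in the form.
my %sessions = ( 'constructed-session-id' => 'ant' );  # real ids come from a CSPRNG

sub allowed_by_session {
    my ($session_cookie, %post) = @_;   # %post is accepted but deliberately unused
    my $name = defined $session_cookie ? $sessions{$session_cookie} : undef;
    return defined $name && exists $valid_users{$name} ? 1 : 0;
}

# A request that skipped the login screen and carries a made-up username:
my %forged_post = ( username => 'admin' );
print "hidden-field check, no login:  ", allowed_by_hidden_field(%forged_post) ? "ALLOWED\n" : "denied\n";
print "session check,      no login:  ", allowed_by_session(undef, %forged_post) ? "ALLOWED\n" : "denied\n";
print "session check,    after login: ", allowed_by_session('constructed-session-id', %forged_post) ? "ALLOWED\n" : "denied\n";
```

The point of the second half is that the page being protected must derive the identity from something only the server issued (the session cookie) rather than from anything the browser is asked to echo back; a hidden field is client-controlled data like any other form parameter. In a real deployment the session id is generated from a cryptographically secure random source at login, stored server-side with an expiry, and sent back in a cookie over HTTPS so that neither the Basic credentials nor the session id travel in clear text.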
