
How can I prevent login information from appearing in the URL?

by rodry (Beadle)
on Apr 15, 2000 at 09:38 UTC ( #7692=categorized question )


I have a simple login script that takes the login information from a form and authenticates the user. It works fine, but I am concerned about the login information showing in the URL. Anyone looking at the user's monitor can see the login/password combination.

Is there a way to "hide" this sensitive information in the URL?

Answer: How can I prevent login information from appearing in the URL?
contributed by turnstep

Try using a POST and a cookie: once they log in through a POST request (which has no information in the URL), set a cookie with the login information. Then, on subsequent pages, you can still use simple HREF's to go to other scripts, and the login information will be sent via the browser, but not show in the URL. If you are not using cookies, just continue to use POST and throw the login information into a hidden form. A smart script would even figure out if you are using cookies and write the page with either normal HREF's or POST-HIDDEN-SUBMIT combos.

Answer: How can I prevent login information from appearing in the URL?
contributed by SmokeyB

To make it simple, just make sure your form method = post.

<form action="youscript.cgi" method='post'>

Answer: How can I prevent login information from appearing in the URL?
contributed by cianoz

I suggest using server-side sessions, since you have to exchange only a session ID with the client (the session ID can be expired once the session terminates). The session ID can be stored in a cookie (better) or in the URL (only if the client doesn't support cookies). Apache::Session could be of some help: it takes care of generating session IDs, storing data, etc. Once the session is initialized you can use it as a normal hash. You can even store complex data structures since it uses Data::Dumper (it doesn't need mod_perl as the name would suggest).

Answer: How can I prevent login information from appearing in the URL?
contributed by athomason

I would strongly recommend against sending any sensitive information via GET (i.e. in URLs), encrypted or not. While simple scrambling may do for over-the-shoulder password stealers, some small providers (e.g. companies, schools) log HTTP requests; an insidious sysadmin might try to piece together the original info. Granted, it's a longshot, but you gain both security and readability (read: typeability) of the URL by using POST. You can't give somebody the URL of a filled out POST form result, but that's not likely to be an issue when authentication is required anyhow. As the above posters mentioned, cookies may be a useful part of the system.
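
The answers above combine into one login handler: accept credentials only in a POST body, refuse them in the query string, and hand the browser nothing but a random session ID in a cookie. The sketch below is an added example, not code from any poster in this thread; the field names `user` and `password`, the `alice` account, the `sid` cookie, `/account.cgi` and the in-memory `%SESSIONS` store are assumptions made for illustration.

```perl
#!/usr/bin/perl
# Added example, not code from the thread. Core Perl only, no CGI.pm.
use strict;
use warnings;

my %SESSIONS;   # hypothetical in-memory store; a real CGI needs a persistent one

# Placeholder check against a constructed account; use a salted-hash lookup in practice.
sub check_login { my ($u, $p) = @_; return $u eq 'alice' && $p eq 'correct horse' }

sub url_decode { my ($s) = @_; $s =~ tr/+/ /; $s =~ s/%([0-9A-Fa-f]{2})/chr hex $1/ge; return $s }

# Decode application/x-www-form-urlencoded data (query string or POST body).
sub parse_form {
    my ($str) = @_;
    my %f;
    for my $pair (split /[&;]/, $str // '') {
        my ($k, $v) = map { url_decode($_) } split /=/, $pair, 2;
        $f{$k} = $v // '' if defined $k && length $k;
    }
    return %f;
}

sub new_session_id {    # 128 random bits from the kernel CSPRNG, hex-encoded
    open my $fh, '<:raw', '/dev/urandom' or die "no entropy source: $!";
    read($fh, my $buf, 16) == 16 or die "short read from /dev/urandom";
    return unpack 'H*', $buf;
}

# Returns (status line, header lines...) for one login request.
sub handle_login {
    my ($method, $query, $body) = @_;
    my %get = parse_form($query);
    # Credentials in a URL reach history, proxy and server logs: refuse them outright.
    return ('400 Bad Request') if exists $get{user} || exists $get{password};
    return ('405 Method Not Allowed', 'Allow: POST') unless $method eq 'POST';
    my %post = parse_form($body);
    return ('401 Unauthorized') unless check_login($post{user} // '', $post{password} // '');
    my $sid = new_session_id();
    $SESSIONS{$sid} = { user => $post{user}, expires => time + 1800 };
    # Only the opaque session ID goes to the browser, never the password.
    return ('303 See Other', 'Location: /account.cgi',
            "Set-Cookie: sid=$sid; Path=/; HttpOnly; Secure; SameSite=Lax");
}

# Offline demo with constructed requests: [method, query string, POST body].
for my $req (['GET', 'user=alice&password=x', ''], ['POST', '', 'user=alice&password=correct+horse']) {
    my ($status, @hdrs) = handle_login(@$req);
    print join("\n    ", "$req->[0] -> $status", @hdrs), "\n";
}
```

Under a real web server, pass `$ENV{REQUEST_METHOD}`, `$ENV{QUERY_STRING}` and `$ENV{CONTENT_LENGTH}` bytes read from STDIN to `handle_login`, then print the status as a `Status:` header followed by the returned header lines. The `Secure` cookie attribute assumes the site is served over HTTPS.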
