PerlMonks  

Re: Re: Re: CGI Security

by mirod (Canon)
on Jun 22, 2001 at 18:23 UTC ( [id://90728] )


in reply to Re: Re: CGI Security
in thread CGI Security

"ecoded" is a typo, and I am surprised chipmunk did not notice it ;--( When I (tried to!) use "encoded" on the other hand I meant that although the data is not transmitted in clear text anybody can decode it without needing a secret password. I would use "encrypted" for data that, even if intercepted by evil creatures, could not be made sense of without additional information (a private password).

In your case, if you don't trust your users the "hidden field holding the user name" trick will still be dangerous as a "legal" user could then guess another user's login, change the form and act as if it were the other user. But regular authentication using a .htaccess file would work just fine I think.

Re: Re: Re: Re: CGI Security
by ant (Scribe) on Jun 22, 2001 at 19:34 UTC
    Hi Mirod
    Thanks for the brief explanation. It's cleared up a misty
    point or two. Just a thought on the last paragraph really
    if a legal user came in to the directory through .htaccess,
    then they could enter someone else's username into the web page
    and submit that file, which makes .htaccess a little useless
    against legal users playing around with user names.
    Unfortunately user names are very easy to pick up through
    our organisation, as they are the same as the individual email name.
    I think the one way forward is to create a timestamp/username
    variable and enter that into a table/file when the user enters the
    system and to remove it after the person has left. Then
    when a person enters a web page, we take the user variable
    and check it against the user variable in the table/file.
    That seems like a more workable solution to me
    Many thanks for the info.
    Anthony
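An added example, not code from mirod's or ant's posts, of the point both make above: a CGI script that takes the user's identity from the web server's .htaccess authentication (exposed as $ENV{REMOTE_USER}) instead of from a client-editable hidden field, and logs any attempt to submit a different name. It assumes CGI.pm and HTTP Basic auth on the directory; the script and function names are hypothetical.

```perl
#!/usr/bin/perl
# Added example (not from the thread): identity from server-side auth, not
# from a hidden form field.
use strict;
use warnings;
use CGI;

my $q = CGI->new;

# Insecure: the hidden field is client-controlled. Any authenticated user can
# edit the form and submit another user's name, as the thread warns.
sub user_from_hidden_field {
    my ($q) = @_;
    return $q->param('username');
}

# Better: take the identity from the server's authentication, which the
# client cannot alter. REMOTE_USER is only set when the directory is
# protected by .htaccess/.htpasswd (or another auth module), so fail closed
# if it is absent rather than falling back to the form.
sub user_from_server_auth {
    my $user = $ENV{REMOTE_USER};
    die "no authenticated user; is this directory protected by .htaccess?\n"
        unless defined $user && length $user;
    return $user;
}

# The hidden field may still be present in old forms; treat it only as a
# cross-check against the authenticated identity, never as the source of
# truth, and log a mismatch so tampering is visible in the error log.
sub consistent_identity {
    my ($q) = @_;
    my $auth    = user_from_server_auth();
    my $claimed = user_from_hidden_field($q);
    if (defined $claimed && $claimed ne $auth) {
        warn "user '$auth' submitted form claiming to be '$claimed'\n";
        die "identity mismatch\n";
    }
    return $auth;
}

my $user = eval { consistent_identity($q) };
if (!defined $user) {
    print $q->header(-status => '403 Forbidden', -type => 'text/plain');
    print "Forbidden\n";
    exit;
}
print $q->header(-type => 'text/plain');
print "Hello, $user\n";
```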
