in reply to Re: Re: Re: CGI Security
in thread CGI Security
Hi Mirod
Thanks for the brief explanation. It's cleared up a misty
point or two. Just a thought on the last paragraph really
if a legal user came in to the directory through .htaccess,
then they could enter someone elses username into the web page
and submit that file, which makes .htaccess a little useless
against legal users playing around with user names.
Unfortunately user names are very easy to pick up through
our organisation, as they are the same as the individual email name.
I think the one way forward is to create a timestamp/username
variable and enter that into a table/file when the user enters the
system and to remove it after the person has left. Then
when a person enters a web page, we take the user variable
and check it against the user variable in the table/file.
That seems like a more workable solution to me
Many thanks for the info.
Anthony
Thanks for the brief explanation. It's cleared up a misty
point or two. Just a thought on the last paragraph really
if a legal user came in to the directory through .htaccess,
then they could enter someone elses username into the web page
and submit that file, which makes .htaccess a little useless
against legal users playing around with user names.
Unfortunately user names are very easy to pick up through
our organisation, as they are the same as the individual email name.
I think the one way forward is to create a timestamp/username
variable and enter that into a table/file when the user enters the
system and to remove it after the person has left. Then
when a person enters a web page, we take the user variable
and check it against the user variable in the table/file.
That seems like a more workable solution to me
Many thanks for the info.
Anthony
In Section
Seekers of Perl Wisdom