Re: Hiding Parameters passed to a CGI script?

Replies are listed 'Best First'.
Re^2: Hiding Parameters passed to a CGI script? by Spidy (Chaplain) on Nov 24, 2005 at 21:31 UTC
I'm planning on passing information to my script, like the user's username, password, e-mail, and various other things. However, I'd rather not be sending them using something like "index.cgi?page=1;uname=test;pword=fbdDFH34;email=email@isp.com", for example. If possible, I'd rather send the parameters to the script, but not have the user's able to see them, or somehow hide them so that someone taking a look at the URL wouldn't be able to find the values easily. My Website Get Eated!	[reply]
Re^3: Hiding Parameters passed to a CGI script? by chromatic (Archbishop) on Nov 24, 2005 at 21:34 UTC
You can use a form and the `POST` method to send data outside of the URL, but the problem still remains -- once you send data to the client, the client knows it. If that's good enough, that's fine. Otherwise, if you're worried about sending secret data back and forth, don't send the secret data back to the client after the client submits it. Use some sort of persistent session store (CGI::Session, for example) and send the client a session ID you can use to retrieve the session information.	[reply] [d/l]
Re^3: Hiding Parameters passed to a CGI script? by merlyn (Sage) on Nov 24, 2005 at 21:36 UTC
Use POST instead of GET on your form. They won't be part of the URL, although they will still be sniffable in the TCP stream, so use SSL (https) if that's also a problem. -- Randal L. Schwartz, Perl hacker Be sure to read my standard disclaimer if this is a reply.	[reply]


good chemistry is complicated, and a little bit messy -LW
	PerlMonks