Why can't you use something like HTTP authentication? Passing usernames and passwords around in URLs and form fields seems kind of messy.
Update: Perhaps I should elaborate in light of the number of negative votes this post is acquiring: Since you say you have control over the CGI, I assume that extends to development. Passing passwords via URL strings like this not only allows prying eyes to see quite clearly what's going on, but it allows anyone peeking at your web server's access logs to glean usernames and passwords as well. Putting this information in HTML hidden form fields is only marginally better. Using SSL is a bit better than that, but you've still got to code in an entire authentication mechanism with your CGI. Instead of doing all of this, why don't you consider using HTTP authentication, which is built into most any real web server, and would allow your browser and server to do the job of authenticating, allowing your script to comfortably assume $ENV{HTTP_USER} is, in fact, the user currently logged in. This is considerably safer and easier than trying to build and manage an authentication system in CGI, especially if you're going to take the road to obfuscation to keep the data as 'secure' as you can.
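The access-log point above is easy to check for yourself. The following is an added example, not code from the thread or from any poster: it scans a few constructed Common Log Format lines for requests whose query string carries a credential-looking parameter, and redacts the values so the log can be kept or shared. The parameter-name list (pass, passwd, pwd, secret, token) is an assumption to extend for your own application; a password carried in a POST body does not appear in the request line at all, which is why the POST entry produces no hit.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample access-log lines (Common Log Format); not taken from any real server.
SAMPLE_LOG = """\
10.0.0.5 - - [12/Mar/2002:10:15:32 -0500] "GET /cgi-bin/login.pl?user=alice&pass=s3cret HTTP/1.0" 200 512
10.0.0.9 - - [12/Mar/2002:10:16:01 -0500] "POST /cgi-bin/login.pl HTTP/1.0" 302 0
10.0.0.7 - - [12/Mar/2002:10:17:44 -0500] "GET /cgi-bin/view.pl?id=42&pwd=hunter2 HTTP/1.0" 200 2048
10.0.0.7 - - [12/Mar/2002:10:18:10 -0500] "GET /index.html HTTP/1.0" 200 1024
"""

# Parameter names that commonly carry a secret (assumed list; extend for your application).
CRED_PARAM = re.compile(r"^(?:pass(?:w(?:or)?d)?|pwd|passwd|secret|token)$", re.I)

# The quoted request line: method, target, protocol.
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')

def find_leaked_credentials(log_text):
    """Return (line_no, method, path, [param names]) for every request whose
    query string carries a credential-looking parameter."""
    hits = []
    for line_no, line in enumerate(log_text.splitlines(), start=1):
        m = REQUEST_RE.search(line)
        if m is None:
            continue  # malformed or non-request line
        parts = urlsplit(m.group("target"))
        params = parse_qs(parts.query, keep_blank_values=True)
        leaked = sorted(name for name in params if CRED_PARAM.match(name))
        if leaked:
            hits.append((line_no, m.group("method"), parts.path, leaked))
    return hits

# Value redaction for the same names, for when a log has to be shared or retained.
REDACT_RE = re.compile(r"(?i)\b(pass(?:w(?:or)?d)?|pwd|passwd|secret|token)=[^&\s\"]*")

def redact_line(line):
    """Replace the value of each credential-looking query parameter with a marker."""
    return REDACT_RE.sub(lambda m: m.group(1) + "=[REDACTED]", line)

if __name__ == "__main__":
    for line_no, method, path, names in find_leaked_credentials(SAMPLE_LOG):
        print(f"line {line_no}: {method} {path} exposes {', '.join(names)}")
    for line in SAMPLE_LOG.splitlines():
        print(redact_line(line))
```

Running it reports lines 1 and 3 (the GET requests) and leaves the POST line untouched; only the values are redacted, so the usernames and paths remain available for investigation.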
You can use forms (with post) rather than links (although anyone listening on your network can still see the password.) Or you can encrypt the password with DES or something (although the encrypted password would still be visible -- presumably it's harder to shoulder surf a long random string, though.)
Personally, I'd look for ways to not pass the password around from page to page. Usually this means setting a session-based cookie or session id. This means even if someone captures the session id, once the (verified) user logs off (or the session expires), the stolen id is useless.
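The session-id approach from the post above, written out as an added example (not code from the thread; the CGI in question is Perl, but the logic is language-neutral, so Python is used here). The password is checked exactly once at login, the browser receives only an opaque random id in a cookie, and the server-side table is what maps that id back to a user. Logging out or expiry deletes the entry, so a captured id stops working. The user table and the check_password helper are constructed for the demo; a real script would verify against a hashed password store.

```python
import hmac
import secrets
import time

# Constructed credential table for the demo (assumed); a real CGI would check hashed passwords.
USERS = {"alice": "correct horse battery staple"}

def check_password(user, password):
    """Credential check used once, at login. compare_digest avoids a timing side channel."""
    expected = USERS.get(user)
    if expected is None:
        return False
    return hmac.compare_digest(expected.encode(), password.encode())

class SessionStore:
    """Server-side session table. The browser only ever holds the opaque random id;
    the username lives here, so nothing secret travels in URLs or form fields."""

    def __init__(self, ttl_seconds=1800, clock=time.time):
        self.ttl = ttl_seconds
        self.clock = clock          # injectable so expiry can be tested deterministically
        self._sessions = {}         # sid -> {"user": str, "expires": float}

    def login(self, user, password, verify=check_password):
        """Check the password once and hand back a fresh session id, or None."""
        if not verify(user, password):
            return None
        sid = secrets.token_urlsafe(32)   # 256 bits from the OS CSPRNG; not guessable
        self._sessions[sid] = {"user": user, "expires": self.clock() + self.ttl}
        return sid

    def user_for(self, sid):
        """Map a presented id back to a user, or None if unknown, logged out or expired."""
        rec = self._sessions.get(sid)
        if rec is None:
            return None
        if self.clock() > rec["expires"]:
            del self._sessions[sid]
            return None
        return rec["user"]

    def logout(self, sid):
        """Invalidate server-side: a copy of the id captured earlier is now useless."""
        return self._sessions.pop(sid, None) is not None

def set_cookie_header(sid):
    """Cookie carrying only the id. Secure keeps it on SSL, HttpOnly keeps it from page scripts."""
    return f"Set-Cookie: sid={sid}; Path=/; HttpOnly; Secure; SameSite=Strict"

if __name__ == "__main__":
    store = SessionStore(ttl_seconds=60)
    sid = store.login("alice", "correct horse battery staple")
    print(set_cookie_header(sid))
    print("session maps to:", store.user_for(sid))
    store.logout(sid)
    print("after logout:", store.user_for(sid))
```

Each request then carries the cookie, not the password, and the script looks the user up with user_for. Because the id is random rather than derived from the credentials, learning it tells an attacker nothing about the password, and its usefulness ends at logout or expiry.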
It would be better to use .htaccess, if you can. Google returns lots of links.
It would be better to put the username and password on two separate form submissions. Here's help
There's no reason that the "password" parameter has to be called "pass" or any permutations thereof.
I hope this is helpful to you
mkmcconn
Unless you have control over that cgi, or can write another cgi that knows your password and will proxy the request, I don't see how you can do it.
I have control over that cgi-script if you mean that.
Granite
Use POST method in your form tag, like this:
<FORM METHOD='POST' ACTION='http:.....'>
...
</FORM>
and
use SSL to encrypt your password during transmission. POST method will help you hide the password,
but it will be transmitted through the Internet in plaintext unless you use SSL.
Refer to your web server documentation on using SSL.