Securing the URL

Granite has asked for the wisdom of the Perl Monks concerning the following question:

Replies are listed 'Best First'.
Re: Securing the URL by turnstep (Parson) on Jan 12, 2001 at 04:11 UTC
You could: ...use POST instead of GET ...obfuscate the string with some very simple encryption (basically a substitution cypher) ...make the password the last entry, and have some other long params, so that the tail of it would not be viewable, like this: `http://www.biglumber.com/cgi-bin/joke.pl?active=on&&HowManyProgrammers +DoesItTakeToScrewInALightbulb=thejoke&thepunchline=hidden&password=pe +rlrocks` [download] ...buy the C.H.I.M.P. and switch apps when someone approaches. :)	[reply] [d/l]
Re: Securing the URL by Fastolfe (Vicar) on Jan 12, 2001 at 04:30 UTC
Why can't you use something like HTTP authentication? Passing usernames and passwords around in URL's and form fields seems kind of messy. Update: Perhaps I should elaborate in light of the number of negative votes this post is aquiring: Since you say you have control over the CGI, I assume that extends to development. Passing passwords via URL strings like this not only allows prying eyes to see quite clearly what's going on, but it allows anyone peeking at your web server's access logs to gleam usernames and passwords as well. Putting this information in HTML hidden form fields is only marginally better. Using SSL is a bit better than that, but you've still got to code in an entire authentication mechanism with your CGI. Instead of doing all of this, why don't you consider using HTTP authentication, which is built in to most any real web server, and would allow your browser and server to do the job of authenticating, allowing your script to comfortably assume $ENV{HTTP_USER} is, in fact, the user currently logged in. This is considerably safer and easier than trying to build and manage an authentication system in CGI, especially if you're going to take the road to obfuscation to keep the data as 'secure' as you can.	[reply]
Re: Securing the URL by eg (Friar) on Jan 12, 2001 at 04:12 UTC
You can use forms (with post) rather than links (although anyone listening on your network can still see the password.) Or you can encrypt the password with DES or something (although the encrypted password would still be visible -- presumably it's harder to shoulder surf a long random string, though.) Personally, I'd look for ways to not pass the password around from page to page. Usually this means setting a session-based cookie or session id. This means even if someone captures the session id, once the (verified) user logs off (or the session expires), the stolen id is useless.	[reply]
Re: Securing the URL by mkmcconn (Chaplain) on Jan 12, 2001 at 06:49 UTC
It would be better to use .htaccess, if you can. Googlereturns lots of links. It would be better to put the username and password on two separate form submissions. Here's help There's no reason that the "password" parameter has to be called "pass" or any permutations thereof. I hope this is helpful to you mkmcconn	[reply]
Re: Securing the URL by lhoward (Vicar) on Jan 12, 2001 at 03:50 UTC
Unless you have control over that cgi, or can write another cgi that knows your password and will proxy the request; I don't see how you can do it.	[reply]
Re: Re: Securing the URL by Granite (Initiate) on Jan 12, 2001 at 03:57 UTC
I have control over that cgi-script if you mean that. Granite	[reply]
Re: Securing the URL by gildir (Pilgrim) on Jan 12, 2001 at 19:23 UTC
Use POST method in your form tag, like this: `<FORM METHOD='POST' ACTION='http:.....'> ... <FORM>` [download] and use SSL to encrypt your password during transmission. POST method will help you hide the password, but it will be transmited through Internet in plaintext unless you use SSL. Reffer to your web server documentation on using SSL.	[reply] [d/l]


Perl Monk, Perl Meditation
	PerlMonks