Beefy Boxes and Bandwidth Generously Provided by pair Networks
XP is just a number

Re: Re: CGI Security

by ant (Scribe)
on Jun 22, 2001 at 17:41 UTC ( #90709=note: print w/replies, xml ) Need Help??

in reply to Re: CGI Security
in thread CGI Security

Thanks for your reply(and to everyone else who replied)
In the last paragraph you mentioned secure servers.
Does all data that's sent through a secure server have a higher
level of encryption? Is it still possible for people to edit
the hidden variables in a form and send it back to the server.
And one final question whats is an ecoded form? And whats the
difference between a ecoded form and an encrypted form.
Thanks again for your help in advance.


Replies are listed 'Best First'.
Re: Re: Re: CGI Security
by mirod (Canon) on Jun 22, 2001 at 18:23 UTC

    "ecoded" is a typo, and I am surprised chipmunk did not notice it ;--( When I (tried to!) use "encoded" on the other hand I meant that although the data is not transmitted in clear text anybody can decode it without needing a secret password. I would use "encrypted" for data that, even if intercepted by evil creatures, could not be made sense of without additional information (a private password).

    In your case, if you don't trust your users the "hidden field holding the user name" trick will still be dangerous as a "legal" user could then guess another usrs login, change the form and act as if it were the other user. But regular authentication using a .htaccess file would work just fine I think.

      Hi Mirod
      Thanks for the brief explanation. It's cleared up a misty
      point or two. Just a thought on the last paragraph really
      if a legal user came in to the directory through .htaccess,
      then they could enter someone elses username into the web page
      and submit that file, which makes .htaccess a little useless
      against legal users playing around with user names.
      Unfortunately user names are very easy to pick up through
      our organisation, as they are the same as the individual email name.
      I think the one way forward is to create a timestamp/username
      variable and enter that into a table/file when the user enters the
      system and to remove it after the person has left. Then
      when a person enters a web page, we take the user variable
      and check it against the user variable in the table/file.
      That seems like a more workable solution to me
      Many thanks for the info.

Log In?

What's my password?
Create A New User
Domain Nodelet?
Node Status?
node history
Node Type: note [id://90709]
and the web crawler heard nothing...

How do I use this? | Other CB clients
Other Users?
Others about the Monastery: (1)
As of 2023-09-21 22:32 GMT
Find Nodes?
    Voting Booth?

    No recent polls found