|We don't bite newbies here... much|
Re: Re: Re: Re: CGI Securityby ant (Scribe)
|on Jun 22, 2001 at 19:34 UTC||Need Help??|
Thanks for the brief explanation. It's cleared up a misty
point or two. Just a thought on the last paragraph really
if a legal user came in to the directory through .htaccess,
then they could enter someone elses username into the web page
and submit that file, which makes .htaccess a little useless
against legal users playing around with user names.
Unfortunately user names are very easy to pick up through
our organisation, as they are the same as the individual email name.
I think the one way forward is to create a timestamp/username
variable and enter that into a table/file when the user enters the
system and to remove it after the person has left. Then
when a person enters a web page, we take the user variable
and check it against the user variable in the table/file.
That seems like a more workable solution to me
Many thanks for the info.