[thelist] Protection Tip - Security Issue

Henning evolt at webmediaconception.com
Thu Jan 17 01:53:23 CST 2002


@Erich & Anthony
I appreciate your feedback!

>- This is generally a bad idea if security is important. With script code,
>like ASP, CF or PHP you can do this w/o the user seeing the un and pw in the
>URL. The un and pw remain hidden in your server-side script or db and are
>never displayed to the user.

I'm using this on a server that has previews and other info for clients.
Security is not *the* highest concern. The server doesn't support any
server-side scripting--it's for really simple sites only.

>- Presumably, you're using JS to 'hide' the un/pw in the address bar. What
>if they turn JS off? What if they just view your source to see where the
>link goes, or the JS code would go?

My login form is written in JS. So no JS--no form. Also you need to know 
the directory you want to access, it's not in the JS code.

Since every client has her own .htaccess-secured directory, I figured this was
enough security really.
Primarily what I was looking for was a way to prevent those Apache login 
pop-ups.

>- Another big deal with using the username:password at http://www.myurl.com is
>that any links they might click from those pages will have the referrer to
>your page - including the un/pw.

Good point. Need to check for any outbound links.

>There's a million ways to do this with scripting languages. In fact, there's
>an article on exactly this on evolt right now in PHP:
>
>http://www.evolt.org/article/Creating_a_Login_Script_with_PHP_4/17/19661/index.html

Excellent reading. Already posted this question as a comment, but maybe I'm 
more likely to get a quick response here:
Is there any way to access and use the .htpasswd file for authentication 
along with jesteruk's login script?

>- From a serious security standpoint, whether the user can see the info or
>not is really irrelevant. A serious hacker could packet sniff his own
>connection to see the un/pw fly by in clear text, whether it was visible in
>the browser or not. But THAT is a whole other topic for another day... :-)

I guess that's true. I was mainly concerned about others' looks over the 
user's shoulder.

thx again
-Henning
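On the .htpasswd question above: the following is an added example, not code from this thread or from the evolt article, showing how a PHP login script can check a submitted username and password against an Apache .htpasswd file server-side, so the credentials never have to sit in the URL (and so never leak through the Referer header). It assumes PHP 7.1 or later and a file written by `htpasswd -B` (bcrypt), `htpasswd -s` ({SHA}) or traditional crypt(); the Apache-specific `$apr1$` MD5 scheme is deliberately left unhandled, and the file path and user entries are constructed for the demo.

```php
<?php
// Added example: verify a login against an Apache .htpasswd file from PHP.
// Assumes PHP >= 7.1. $apr1$ entries are not handled here; bcrypt (htpasswd -B)
// is the recommended format for new files.

function htpasswd_verify(string $file, string $user, string $password): bool
{
    if (!is_readable($file)) {
        return false;
    }
    $lines = file($file, FILE_IGNORE_NEW_LINES | FILE_SKIP_EMPTY_LINES);
    foreach ($lines as $line) {
        if ($line[0] === '#' || strpos($line, ':') === false) {
            continue;                       // comment or malformed line
        }
        [$name, $hash] = explode(':', $line, 2);
        if (hash_equals($name, $user)) {    // constant-time username compare
            return verify_hash($password, $hash);
        }
    }
    return false;                           // unknown user
}

function verify_hash(string $password, string $hash): bool
{
    if (strpos($hash, '$2y$') === 0 || strpos($hash, '$2a$') === 0) {
        return password_verify($password, $hash);               // htpasswd -B
    }
    if (strpos($hash, '{SHA}') === 0) {                           // htpasswd -s
        return hash_equals($hash, '{SHA}' . base64_encode(sha1($password, true)));
    }
    if (strpos($hash, '$apr1$') === 0) {
        return false;   // Apache's own MD5 variant; not implemented in this example
    }
    // Traditional DES crypt (13 chars) and glibc $1$/$5$/$6$ forms
    $computed = crypt($password, $hash);
    return hash_equals($hash, $computed);
}

// Stand-alone demo: a constructed .htpasswd in a temp file
$tmp = tempnam(sys_get_temp_dir(), 'htp');
file_put_contents($tmp, implode("\n", [
    '# constructed sample entries',
    'alice:' . password_hash('correct horse', PASSWORD_BCRYPT),
    'bob:{SHA}' . base64_encode(sha1('battery staple', true)),
]) . "\n");
var_dump(htpasswd_verify($tmp, 'alice', 'correct horse'));   // valid login
var_dump(htpasswd_verify($tmp, 'bob', 'wrong'));             // bad password
var_dump(htpasswd_verify($tmp, 'carol', 'anything'));        // unknown user
unlink($tmp);
```

A script like this still sends the password in the clear unless the page is served over HTTPS, which is the point raised in the last quoted paragraph; it only removes the credentials from the URL and the Referer.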
