[thelist] Protection Tip - Security Issue
Henning
evolt at webmediaconception.com
Thu Jan 17 01:53:23 CST 2002
@Erich & Anthony
I appreciate your feedback!
>- This is generally a bad idea if security is important. With script code,
>like ASP, CF or PHP you can do this w/o the user seeing the un and pw in the
>URL. The un and pw remain hidden in your server-side script or db and are
>never displayed to the user.
I'm using this on a server that has previews and other info for clients.
Security is not *the* highest concern. The server doesn't support any
server side scripting--it's for really simple sites only.
>- Presumably, you're using JS to 'hide' the un/pw in the address bar. What
>if they turn JS off? What if they just view your source to see where the
>link goes, or the JS code would go?
My login form is written in JS. So no JS--no form. Also you need to know
the directory you want to access, it's not in the JS code.
Since every client has her .htaccess secured directory, I figured this was
enough security really.
Primarily what I was looking for was a way to prevent those Apache login
pop-ups.
>- Another big deal with using the username:password at http://www.myurl.com is
>that any links they might click from those pages will have the referrer to
>your page - including the un/pw.
Good point. Need to check for any outbound links.
>There's a million ways to do this with scripting languages. In fact, there's
>an article on exactly this on evolt right now in PHP:
>
>http://www.evolt.org/article/Creating_a_Login_Script_with_PHP_4/17/19661/index.html
Excellent reading. Already posted this question as a comment, but maybe I'm
more likely to get a quick response here:
Is there any way to access and use the .htpasswd file for authentication
along with jesteruk's login script?
>- From a serious security standpoint, whether the user can see the info or
>not is really irrelevant. A serious hacker could packet sniff his own
>connection to see the un/pw fly by in clear text, whether it was visible in
>the browser or not. But THAT is a whole other topic for another day... :-)
I guess that's true. I was mainly concerned about others looking over the
user's shoulder.
thx again
-Henning
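The outbound-link check mentioned above, as an added example that is not part of the original post: a Python script that lists the links on a page in a protected directory which point off-site, each of them a request whose Referer could carry the user:pw@ URL the thread is discussing. The page URL, host names and HTML below are constructed for the demonstration.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit, urlunsplit

# Constructed sample page, standing in for a file in a client's
# .htaccess-protected directory (not taken from the thread).
SAMPLE_HTML = """<html><body>
<a href="gallery.html">Gallery</a>
<a href="/alice/docs/spec.pdf">Spec</a>
<img src="//cdn.example/logo.png">
<a href="http://www.evolt.org/">evolt</a>
<a href="mailto:alice@example.com">Mail</a>
<script src="https://preview.example/js/login.js"></script>
</body></html>"""


class LinkCollector(HTMLParser):
    """Collect every attribute that makes the browser fetch or follow a URL."""
    URL_ATTRS = {"a": "href", "link": "href", "img": "src",
                 "script": "src", "iframe": "src", "form": "action"}

    def __init__(self):
        super().__init__()
        self.links = []

    def handle_starttag(self, tag, attrs):
        wanted = self.URL_ATTRS.get(tag)
        for name, value in attrs:
            if name == wanted and value:
                self.links.append(value)


def credentials_in_url(url):
    """Return the (username, password) a user:pw@host URL carries, if any."""
    parts = urlsplit(url)
    return parts.username, parts.password


def find_outbound_links(page_url, html):
    """List http(s) links on the page that point at a different host.
    Each of these is a request that may send page_url as its Referer."""
    own_host = urlsplit(page_url).hostname
    parser = LinkCollector()
    parser.feed(html)
    outbound = []
    for raw in parser.links:
        # Resolve relative links against the page URL; same-host targets are fine.
        target = urlsplit(urljoin(page_url, raw))
        if target.scheme in ("http", "https") and target.hostname != own_host:
            outbound.append(urlunsplit(target))
    return outbound
```

Run it over each HTML file in the protected directory; any URL it prints is a link to fix or remove before the credentials-bearing page URL can leak through it.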