[thelist] Protection Tip - Security Issue

Keith cache at dowebs.com
Thu Jan 17 19:22:09 CST 2002


> My login form is written in JS. So no JS--no form. Also you need to
> know the directory you want to access, it's not in the JS code.
> 
> Since every client has her .htaccess secured directory, I figured this
> was enough security really. Primarily what I was looking for was a way
> to prevent those Apache login pop-ups.

Since JS needs to be enabled to send the username:password@ it will 
still be turned on when accessing the first page inside the protected 
directory. Try putting the following script in the head of each page inside 
the directory

<script type="text/javascript">
// Only look for "user:pass@" in the authority part of the URL, so an "@"
// in the path or query string is not mistaken for credentials.
var href = location.href, start = href.indexOf("//") + 2;
var pathStart = href.indexOf("/", start);
var at = href.lastIndexOf("@", pathStart == -1 ? href.length : pathStart);
if (at >= start) {
  // Keep the page's own scheme (not just http) and reload via replace()
  // so the credential-bearing URL is not left in the history.
  location.replace(location.protocol + "//" + href.substring(at + 1));
}
</script>

That will strip out the username and password and reload the location. 
This not only removes the username and password from the url in the 
location but also from the history, and referrers to offsite links will not carry 
the username:password@

If JS was not required this url stripping/redirect could also probably be 
done with a Rewrite Rule in the htaccess file following the
require valid-user statement.

keith
> 
> Good point. Need to check for any outbound links.
> 
> >There's a million ways to do this with scripting languages. In fact,
> >there's an article on exactly this on evolt right now in PHP:
> >
> >http://www.evolt.org/article/Creating_a_Login_Script_with_PHP_4/17/19661/index.html
> 
> Excellent reading. Already posted this question as a comment, but
> maybe I'm more likely to get a quick response here: Is there any way
> to access and use the .htpasswd file for authentication along with
> jesteruk's login script?
> 
> >- From a serious security standpoint, whether the user can see the
> >info or not is really irrelevant. A serious hacker could packet sniff
> >his own connection to see the un/pw fly by in clear text, whether it
> >was visible in the browser or not. But THAT is a whole other topic
> >for another day... :-)
> 
> I guess that's true. I was mainly concerned about others' looks over
> the user's shoulder.
> 
> thx again
> -Henning
> 
> 
> -- 
> For unsubscribe and other options, including
> the Tip Harvester and archive of TheList go to:
> http://lists.evolt.org Workers of the Web, evolt ! 
> 
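As an added example (not code from the original post or from either poster), here is the credential-stripping idea from the script above written as a testable, reusable function. It goes a little beyond the snippet in the message: it only treats an "@" in the authority part of the URL as a credential separator (so an "@" in the path or query string is left alone), and it keeps whatever scheme and port the page was loaded with rather than assuming http. The function names and the fake location object in the usage note are assumptions for this example.

```javascript
// Added example, not from the original post: strip "user:pass@" from an
// absolute URL. Returns the cleaned URL and whether anything was removed.
function stripUrlCredentials(href) {
  var schemeEnd = href.indexOf("://");
  if (schemeEnd === -1) {
    return { url: href, hadCredentials: false };   // not an absolute URL
  }
  var authorityStart = schemeEnd + 3;

  // The authority ends at the first "/", "?" or "#" after the scheme, so
  // an "@" in the path or query string is never treated as a separator.
  var authorityEnd = href.length;
  var stops = ["/", "?", "#"];
  for (var i = 0; i < stops.length; i++) {
    var pos = href.indexOf(stops[i], authorityStart);
    if (pos !== -1 && pos < authorityEnd) authorityEnd = pos;
  }

  var authority = href.substring(authorityStart, authorityEnd);
  var at = authority.lastIndexOf("@");   // userinfo, if any, precedes the last "@"
  if (at === -1) {
    return { url: href, hadCredentials: false };
  }

  var stripped = href.substring(0, authorityStart) +
                 authority.substring(at + 1) +
                 href.substring(authorityEnd);
  return { url: stripped, hadCredentials: true };
}

// Browser glue for pages inside the protected directory. location.replace()
// is used, as in the original snippet, so the credential-bearing URL does not
// stay in the history. Current browsers drop userinfo before it reaches
// location.href, so in practice this only matters for older ones.
// "loc" is passed in (hypothetical parameter) so it can be a fake in tests.
function redirectIfCredentialsInUrl(loc) {
  var result = stripUrlCredentials(loc.href);
  if (result.hadCredentials) {
    loc.replace(result.url);
  }
  return result.hadCredentials;
}

if (typeof window !== "undefined" && window.location) {
  redirectIfCredentialsInUrl(window.location);
}
```

In a page this would be placed in the head, exactly where the original snippet goes; outside a browser, `redirectIfCredentialsInUrl` can be driven with a constructed object that has `href` and `replace` properties, which is how the behaviour can be checked without loading a page.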