[thelist] Protection Tip - Security Issue

Eric Engelmann eric.engelmann at geonetric.com
Wed Jan 16 23:17:28 CST 2002


-----Original Message-----
>Here's syntax to create a link to bypass that box and go directly into the
>protected directory:
>
>http://username:password@http://www.domain.com/protected_folder.
Anybody have a better solution for this?

- This is generally a bad idea if security is important. With script code,
like ASP, CF or PHP you can do this w/o the user seeing the un and pw in the
URL. The un and pw remain hidden in your server-side script or db and are
never displayed to the user.

Example:

index.html
	* has form with un/pw fields
	* submits to any page with:

include file: authenticate.asp
	* gets the un, pw from the form collection
	* checks them (against a database or hardcoded list or however you want)
	* if ok, lets you view the page
	* if not, redirects to an error page.

There's a million ways to do this with scripting languages. In fact, there's
an article on exactly this on evolt right now in PHP:

http://www.evolt.org/article/Creating_a_Login_Script_with_PHP_4/17/19661/index.html

If you're looking for a way to integrate with Apache or Windows' Basic
authentication, that gets a bit tougher... in IIS, you can use authentix:

- There are third party apps like Authentix for IIS (www.Flicks.com) that
you can use to get rid of the pop-up browser authentication and replace it
with nice forms and easy to use admin capabilities, too. Have used authentix
many times and been happy with it. I'm not sure if there's an easy Apache
way to do this.

- Another big deal with using the username:password at http://www.myurl.com is
that any links they might click from those pages will have the referrer to
your page - including the un/pw. So if you linked to my site from that page,
the un/pw+URL would show up in MY log files, presumably a big security
no-no, depending on what you're using this for.

- Presumably, you're using JS to 'hide' the un/pw in the address bar. What
if they turn JS off? What if they just view your source to see where the
link goes, or the JS code would go?

- From a serious security standpoint, whether the user can see the info or
not is really irrelevant. A serious hacker could packet sniff his own
connection to see the un/pw fly by in clear text, whether it was visible in
the browser or not. But THAT is a whole other topic for another day... :-)

Is there a particular example you have in mind that I can apply this to?
This can go a million directions.

Hope that helps.

- Eric
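The form login flow sketched in this message, as an added example that is not Eric's code nor the evolt article's: a Python check standing in for the authenticate.asp include, plus a helper that flags URLs carrying the user:password@ form the message warns about. The names USER_STORE, authenticate and credentials_in_url are assumptions.

```python
# Added example (not from the original post, which describes an ASP include):
# a server-side form login check. Credentials arrive in a POST body, are
# checked against a server-held store of salted hashes, and never appear in
# a URL, so they cannot leak through the address bar or a Referer header.
import hashlib
import hmac
import os
from urllib.parse import urlsplit

ITERATIONS = 200_000

def make_record(password: str, salt: bytes = b"") -> dict:
    """Build the stored record for one user (done once, at account setup)."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return {"salt": salt, "hash": digest}

# Constructed "hardcoded list" of users, standing in for a database table.
USER_STORE = {"alice": make_record("correct horse battery staple")}

def authenticate(form: dict, store: dict = USER_STORE) -> dict:
    """Mirror of the post's authenticate.asp: read un/pw from the form
    collection, check them, then either allow the page (200) or redirect
    to an error page (302). Missing fields count as a failed login."""
    username = form.get("un", "")
    password = form.get("pw", "")
    record = store.get(username)
    if record is None:
        # Hash anyway so an unknown user takes as long as a wrong password.
        hashlib.pbkdf2_hmac("sha256", password.encode(), b"\x00" * 16, ITERATIONS)
        return {"status": 302, "location": "/error.html"}
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                    record["salt"], ITERATIONS)
    if hmac.compare_digest(candidate, record["hash"]):
        return {"status": 200, "user": username}
    return {"status": 302, "location": "/error.html"}

def credentials_in_url(url: str) -> bool:
    """True when a URL carries user:password@ userinfo, the pattern the post
    warns about: such a URL lands in browser history, Referer headers and
    other sites' access logs, so a link checker or log scrubber should flag it."""
    parts = urlsplit(url)
    return bool(parts.username or parts.password)
```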
