"Passing it through the HTTP header as a form variable would be more secure
at the very least."

I wouldn't say so. If the value is passed either via URL or by form field
the data is still plaintext and can be intercepted either way.

>
> Jake,
>
> I would suggest using javascript to encrypt the pw string if you HAVE to
> pass it through the URL string (I am assuming here that it has been inputted
> in a text field and it can't be passed any other way).  If you are only
> going to store the variable and don't need to know what the string is then I
> suggest one-way hashing with the MD5 algorithm. If you need to know the
> password string, then I suggest that you find some way of not passing it
> into the URL.  Passing it through the HTTP header as a form variable would
> be more secure at the very least.
>
> Moral of story: do your best never to pass passwords through the URL string.
>
> Paul
>
> PS You can ensure that the user is using Javascript by writing a Javascript
> redirect to itself with an added URL string of js=yes and a timestamp of
> some sort so that CF can stop it if the user tries to hack into the page at
> a later time.  If you want to know what I mean, email me off list.
>
> > -----Original Message-----
> > From: Jake Hileman - Patmos [mailto:[EMAIL PROTECTED]]
> > Sent: 06 November 2000 16:06
> > To: CF-Talk
> > Subject: Passing PWs via URL bar
> >
> >
> > Any idea how I can encode/encrypt a pw to be passed via the URL bar?
> > Encrypt and URLEncode don't play nice together.  :-)
> >
> >
> > Any ideas?
> >
> > jake
> >
> > ------------------------------------------------------------------
> > ------------------------------
> > Archives: http://www.mail-archive.com/[email protected]/
> > Unsubscribe: http://www.houseoffusion.com/index.cfm?sidebar=lists
> > or send a message with 'unsubscribe' in the body to
> > [EMAIL PROTECTED]
> >
>
>

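The reply's point, as an added example that is not part of the original thread: Python's `http.client` produces the bytes a client would send for a GET with the password in the URL and for a form POST, and a few lines of parsing recover the password from either. The host `app.example`, the path `/login.cfm`, the field names and the password are constructed sample values.

```python
import http.client
from urllib.parse import urlencode, urlsplit, parse_qs


class CapturingConnection(http.client.HTTPConnection):
    """HTTPConnection that records outgoing bytes instead of opening a socket."""

    def __init__(self, host):
        super().__init__(host)
        self.wire = b""

    def send(self, data):
        # Everything http.client would write to the network lands here.
        self.wire += data


def wire_bytes(method, path, body=None, headers=None):
    """Return the exact unencrypted request bytes for one HTTP request."""
    conn = CapturingConnection("app.example")  # constructed host, never resolved
    conn.request(method, path, body=body, headers=headers or {})
    return conn.wire


def observed_fields(raw):
    """Fields readable by anyone who can see the plaintext request bytes."""
    head, _, body = raw.partition(b"\r\n\r\n")
    request_line = head.split(b"\r\n", 1)[0].decode("ascii")
    _method, target, _version = request_line.split(" ")
    fields = parse_qs(urlsplit(target).query)   # values carried in the URL
    fields.update(parse_qs(body.decode("ascii")))  # values carried in the form body
    return {name: values[0] for name, values in fields.items()}


PASSWORD = "Tr0ub4dor&3"  # constructed sample value
FORM = urlencode({"user": "jake", "pw": PASSWORD}).encode("ascii")

# Password in the URL bar (GET) versus in a form field (POST).
GET_WIRE = wire_bytes("GET", "/login.cfm?" + FORM.decode("ascii"))
POST_WIRE = wire_bytes(
    "POST", "/login.cfm", body=FORM,
    headers={"Content-Type": "application/x-www-form-urlencoded"},
)

if __name__ == "__main__":
    for label, raw in (("GET", GET_WIRE), ("POST", POST_WIRE)):
        print(label, "request line:", raw.split(b"\r\n", 1)[0].decode("ascii"))
        print(label, "recovered:", observed_fields(raw))
```

The only difference is where the value sits: the GET carries it in the request line, the POST in the body. Neither is encrypted unless the connection itself is (HTTPS).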