Okay. I use IE. It has something called "inline autocomplete" for web
addresses.
Let's say someone else uses my machine. They could type in "http://www." and
get all the URLs beginning with "www." and then put in "a" then "b" then "c"
etc. and at some point they would be able to see a URL with a password in
it!
If the URL did not contain the password, they would not be able to see it.
They may (and it's only may depending on coding) be able to see the page
using the posted form contents.
Let's say it was passed in the form variable. At the very least, this would
stop a casual user being able to accidentally see
"http://www.somewhere.com/admin/login.cfm?username=myuser&password=mypass"
That is why I used the term "at the very least".
Let's just say that it is the least the programmer should do.
Paul
> -----Original Message-----
> From: Steve Martin [mailto:[EMAIL PROTECTED]]
> Sent: 07 November 2000 12:34
> To: CF-Talk
> Subject: RE: Passing PWs via URL bar
>
>
> "Passing it through the HTTP header as a form variable would be more secure
> at the very least."
>
> I wouldn't say so. If the value is passed either via URL or by form field
> the data is still plaintext and can be intercepted either way.
>
> >
> > Jake,
> >
> > I would suggest using javascript to encrypt the pw string if you HAVE to
> > pass it through the URL string (I am assuming here that it has been
> > inputted in a text field and it can't be passed any other way). If you are
> > only going to store the variable and don't need to know what the string is
> > then I suggest one-way hashing with the MD5 algorithm. If you need to know
> > the password string, then I suggest that you find some way of not passing
> > it into the URL. Passing it through the HTTP header as a form variable
> > would be more secure at the very least.
> >
> > Moral of story: do your best never to pass passwords through the URL string.
> >
> > Paul
> >
> > PS You can ensure that the user is using Javascript by writing a Javascript
> > redirect to itself with an added URL string of js=yes and a timestamp of
> > some sort so that CF can stop it if the user tries to hack into the page at
> > a later time. If you want to know what I mean, email me off list.
> >
> > > -----Original Message-----
> > > From: Jake Hileman - Patmos [mailto:[EMAIL PROTECTED]]
> > > Sent: 06 November 2000 16:06
> > > To: CF-Talk
> > > Subject: Passing PWs via URL bar
> > >
> > >
> > > Any idea how I can encode/encrypt a pw to be passed via the URL bar?
> > > Encrypt and URLEncode don't play nice together. :-)
> > >
> > >
> > > Any ideas?
> > >
> > > jake
> > >
> > > ------------------------------------------------------------------
> > > ------------------------------
> > > Archives: http://www.mail-archive.com/[email protected]/
> > > Unsubscribe: http://www.houseoffusion.com/index.cfm?sidebar=lists
> > > or send a message with 'unsubscribe' in the body to
> > > [EMAIL PROTECTED]
> > >
> >
> >
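
A check for the exposure discussed in this thread, as an added example that is not part of the original messages: it scans web server access log lines for credential parameters in the request URL and reports them with the value redacted. The parameter name list, the common log format and the sample lines are assumptions constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qsl, urlencode, urlunsplit

# Assumed parameter names that suggest a credential; extend for your application.
SENSITIVE = {"password", "passwd", "pwd", "pw", "pass"}

# Request line inside a common/combined-format access log entry.
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')

def redact(target):
    """Return (redacted_target, [names of credential parameters found])."""
    parts = urlsplit(target)
    found, pairs = [], []
    for name, value in parse_qsl(parts.query, keep_blank_values=True):
        if name.lower() in SENSITIVE:
            found.append(name)
            value = "REDACTED"
        pairs.append((name, value))
    if not found:
        return target, []
    return urlunsplit(parts._replace(query=urlencode(pairs))), found

def scan(lines):
    """Yield (line_number, method, redacted_target, names) for each hit."""
    for number, line in enumerate(lines, 1):
        match = REQUEST_RE.search(line)
        if not match:
            continue
        target, names = redact(match["target"])
        if names:
            yield number, match["method"], target, names

# Constructed sample log lines (not taken from the thread or any real server).
SAMPLE = [
    '192.0.2.10 - - [07/Nov/2000:12:40:01 +0000] '
    '"GET /admin/login.cfm?username=myuser&password=mypass HTTP/1.0" 200 512',
    '192.0.2.10 - - [07/Nov/2000:12:41:13 +0000] '
    '"POST /admin/login.cfm HTTP/1.0" 302 0',
    '192.0.2.11 - - [07/Nov/2000:12:42:30 +0000] '
    '"GET /index.cfm?sidebar=lists HTTP/1.0" 200 2048',
]

if __name__ == "__main__":
    for hit in scan(SAMPLE):
        print(hit)
```

Only the GET login line is reported; the POST line carries no query string, so the password never reaches the request line that the log (or the browser's address history) records.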