This is true, I forgot about those 'useful' aspects of modern browsers.
On that note, I believe there are programmatic methods to remove URLs from
the browser's history using JavaScript.
Steve.
> -----Original Message-----
> From: Paul Johnston [mailto:[EMAIL PROTECTED]]
> Sent: Tuesday, November 07, 2000 12:53
> To: CF-Talk
> Subject: RE: Passing PWs via URL bar
>
>
> Okay. I use IE. It has something called "inline autocomplete" for web
> addresses.
>
> Let's say someone else uses my machine. They could type in "http://www." and
> get all the URLs beginning with "www." and then put in "a" then "b" then "c"
> etc... and at some point they would be able to see a URL with a password in
> it!
>
> If the URL did not contain the password, they would not be able to see it.
> They may (and it's only may depending on coding) be able to see the page
> using the posted form contents.
>
> Let's say it was passed in the form variable. At the very least, this would
> stop a casual user being able to accidentally see
> "http://www.somewhere.com/admin/login.cfm?username=myuser&password=mypass"
>
> That is why I used the term "at the very least".
>
> Let's just say that it is the least the programmer should do.
>
> Paul
>
> > -----Original Message-----
> > From: Steve Martin [mailto:[EMAIL PROTECTED]]
> > Sent: 07 November 2000 12:34
> > To: CF-Talk
> > Subject: RE: Passing PWs via URL bar
> >
> >
> > "Passing it through the HTTP header as a form variable would be more secure
> > at the very least."
> >
> > I wouldn't say so. If the value is passed either via URL or by form field
> > the data is still plaintext and can be intercepted either way.
> >
> > >
> > > Jake,
> > >
> > > I would suggest using JavaScript to encrypt the pw string if you HAVE to
> > > pass it through the URL string (I am assuming here that it has been inputted
> > > in a text field and it can't be passed any other way). If you are only
> > > going to store the variable and don't need to know what the string is then I
> > > suggest one-way hashing with the MD5 algorithm. If you need to know the
> > > password string, then I suggest that you find some way of not passing it
> > > into the URL. Passing it through the HTTP header as a form variable would
> > > be more secure at the very least.
> > >
> > > Moral of story: do your best never to pass passwords through the URL string.
> > >
> > > Paul
> > >
> > > PS You can ensure that the user is using JavaScript by writing a JavaScript
> > > redirect to itself with an added URL string of js=yes and a timestamp of
> > > some sort so that CF can stop it if the user tries to hack into the page at
> > > a later time. If you want to know what I mean, email me off list.
> > >
> > > > -----Original Message-----
> > > > From: Jake Hileman - Patmos [mailto:[EMAIL PROTECTED]]
> > > > Sent: 06 November 2000 16:06
> > > > To: CF-Talk
> > > > Subject: Passing PWs via URL bar
> > > >
> > > >
> > > > Any idea how I can encode/encrypt a pw to be passed via the URL bar?
> > > > Encrypt and URLEncode don't play nice together. :-)
> > > >
> > > >
> > > > Any ideas?
> > > >
> > > > jake
> > > >
> > > > ------------------------------------------------------------------
> > > > ------------------------------
> > > > Archives: http://www.mail-archive.com/[email protected]/
> > > > Unsubscribe: http://www.houseoffusion.com/index.cfm?sidebar=lists
> > > > or send a message with 'unsubscribe' in the body to
> > > > [EMAIL PROTECTED]
> > > >
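Added example, not part of the original thread: the browser-history exposure Paul describes has a server-side twin, because the same URL is written to the web server's access log. The sketch below flags and masks such entries; the parameter-name list, function names and log lines are assumptions constructed for illustration. A POST of the same form leaves nothing in the request line, though the body is still plaintext on the wire unless the connection is encrypted.

```javascript
// Parameter names treated as secrets: an assumed list, not from the thread.
const SENSITIVE = new Set(["password", "passwd", "pwd", "pw", "pass"]);

// Mask sensitive query values in place, leaving the rest of the URL untouched.
// Returns the masked URL plus the names of the parameters that carried a value.
function redactUrl(raw) {
  const q = raw.indexOf("?");
  if (q === -1) return { url: raw, leaked: [] };
  const hashAt = raw.indexOf("#", q);
  const end = hashAt === -1 ? raw.length : hashAt;
  const leaked = [];
  const query = raw.slice(q + 1, end).split("&").map((pair) => {
    const eq = pair.indexOf("=");
    if (eq === -1 || eq === pair.length - 1) return pair; // no value present
    let name = pair.slice(0, eq);
    try { name = decodeURIComponent(name); } catch { /* keep raw name */ }
    if (!SENSITIVE.has(name.toLowerCase())) return pair;
    leaked.push(name);
    return pair.slice(0, eq + 1) + "REDACTED";
  }).join("&");
  return { url: raw.slice(0, q + 1) + query + raw.slice(end), leaked };
}

// Request line of a Common Log Format entry: "METHOD target HTTP/x.y"
const REQUEST = /"([A-Z]+) (\S+) HTTP\/[\d.]+"/;

// Report each log line whose request target carries a credential.
function scanAccessLog(lines) {
  const findings = [];
  lines.forEach((line, i) => {
    const m = REQUEST.exec(line);
    if (!m) return;
    const { url, leaked } = redactUrl(m[2]);
    if (leaked.length === 0) return;
    const redacted = line.replace(m[2], () => url);
    findings.push({ line: i + 1, method: m[1], leaked, redacted });
  });
  return findings;
}

// Constructed sample entries (not real traffic).
const SAMPLE_LOG = [
  '192.0.2.10 - - [07/Nov/2000:12:53:00 +0000] "GET /admin/login.cfm?username=myuser&password=mypass HTTP/1.0" 200 512',
  '192.0.2.10 - - [07/Nov/2000:12:54:10 +0000] "POST /admin/login.cfm HTTP/1.0" 302 0',
  '192.0.2.11 - - [07/Nov/2000:12:55:42 +0000] "GET /index.cfm?page=2 HTTP/1.0" 200 2048',
];

console.log(scanAccessLog(SAMPLE_LOG));
```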