battlestar
12-15-2004, 03:38 AM
I'm quite a newbie on security issues, but I'm aware of users' and admins' concerns when it comes to web security.
one concern is preventing a user from typing in or pasting on the address bar a previously entered and VALID login id and password combination, and being granted access to the pages inside.
(i.e.: "http://10.0.129.122:9000/cgi-bin/www_login.ksh?x_coord=roselyn&y_coord=Sales&yy_coord=&action.x=0&action.y=0")
roselyn is the login and Sales is the password. with my setup, an unauthorized user could just paste that URL and voilà, instant access to the pages.
is there any way in JavaScript in which the values would not appear on the address bar when being submitted, thus not being saved in the History pages or autocomplete? but the values would still be passed to the corresponding file/script (i.e. to "/cgi-bin/www_login.ksh").
here's the form sequence--> action goes to "/cgi-bin/www_login.ksh". then that .ksh runs login.cgi.
I don't want to disturb the .ksh and .cgi files anymore so I'm now trying to look for a solution using JavaScript and HTML.
thanks in advance!
:D
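Added example (not part of the original post): a model of how a browser serializes this login form with method GET versus POST, showing which values end up in the URL that the address bar and history record. The field names and script URL are taken from the post; the credential values are constructed, and it is an assumption that www_login.ksh can read the POST body, which CGI delivers on standard input rather than in the query string.

```javascript
// Added example: models browser form serialization for GET vs POST.
// Field names and URL come from the post; the values are constructed samples.
const ACTION = "http://10.0.129.122:9000/cgi-bin/www_login.ksh";

// Returns what the browser would send: the URL (shown in the address bar and
// saved in history) and the request body (never part of the URL).
function submitForm(method, action, fields) {
  const encoded = new URLSearchParams(fields).toString();
  const url = new URL(action);
  if (method.toUpperCase() === "GET") {
    url.search = encoded; // values become part of the URL
    return { method: "GET", url: url.href, body: null };
  }
  return {
    method: "POST",
    url: url.href, // address bar shows only the script path
    headers: { "Content-Type": "application/x-www-form-urlencoded" },
    body: encoded, // values travel in the request body
  };
}

// Lists query parameters with non-empty values, i.e. what a URL would
// expose in history, autocomplete and server access logs.
function exposedParams(urlString) {
  const names = [];
  for (const [name, value] of new URL(urlString).searchParams) {
    if (value !== "") names.push(name);
  }
  return names;
}

// Constructed sample input mirroring the form fields in the post.
const fields = {
  x_coord: "example-user",
  y_coord: "example-pass",
  yy_coord: "",
  "action.x": "0",
  "action.y": "0",
};

const viaGet = submitForm("get", ACTION, fields);
const viaPost = submitForm("post", ACTION, fields);
console.log("GET :", viaGet.url, exposedParams(viaGet.url));
console.log("POST:", viaPost.url, exposedParams(viaPost.url), viaPost.body);
```

In HTML the difference is the `method="post"` attribute on the form tag. This only changes where the values are carried; whether a pasted URL is still accepted depends on whether the script also takes the values from the query string.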