  1. #1
    New to the CF scene
    Join Date
    Dec 2004
    Posts
    5
    Thanks
    0
    Thanked 0 Times in 0 Posts

    Question How to prevent form values from appearing on the address bar? (SECURITY ISSUE)

    I'm quite a newbie on security issues, but I'm aware of users' and admins' concerns when it comes to web security.

    one concern is preventing a user from typing in or pasting on the address bar a previously entered and VALID login id and password combination, and being granted access to the pages inside.

    (i.e.: "http://10.0.129.122:9000/cgi-bin/www_login.ksh?x_coord=roselyn&y_coord=Sales&yy_coord=&action.x=0&action.y=0")

    roselyn is the login and Sales is the password. with my setup, an unauthorized user could just paste that URL and voilà, instant access to the pages.

    is there any way in JavaScript in which the values would not appear on the address bar when being submitted, thus not being saved in the History pages or autocomplete? but the values would still be passed to the corresponding file/script (i.e. to "/cgi-bin/www_login.ksh").

    here's the form sequence--> action goes to "/cgi-bin/www_login.ksh". then that .ksh runs login.cgi.

    I don't want to disturb the .ksh and .cgi files anymore so I'm now trying to look for a solution using JavaScript and HTML.

    thanks in advance!


  • #2
    Banned
    Join Date
    Sep 2003
    Posts
    3,620
    Thanks
    0
    Thanked 0 Times in 0 Posts
    What method are you using, post or get?
    Sounds like you are using get when you should be using post....

    .....Willy

  • #3
    New to the CF scene
    Join Date
    Dec 2004
    Posts
    5
    Thanks
    0
    Thanked 0 Times in 0 Posts
    yup, I'm using "get" coz my script (.ksh) uses QUERY_STRING which takes the value of name=value.

    hmm any suggestions?

    thanks

  • #4
    Senior Coder joh6nn's Avatar
    Join Date
    Jun 2002
    Location
    72 W. 48' 57" , 41 N. 32' 04"
    Posts
    1,887
    Thanks
    0
    Thanked 1 Time in 1 Post
    javascript won't be able to help you here; you need to change your cgi script to only accept POST. sorry
    bluemood | devedge | devmo | MS Dev Library | WebMonkey | the Guide

    i am a loser geek, crazy with an evil streak,
    yes i do believe there is a violent thing inside of me.
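
What the reply above suggests, as an added example that is not code from the thread: a POSIX sh CGI front end that refuses GET and reads the login fields from the POST body (stdin, bounded by CONTENT_LENGTH) instead of QUERY_STRING. The field names come from the URL in the question; the function names and the 4096-byte limit are assumptions.

```sh
#!/bin/sh
# Added example, not the thread's www_login.ksh; x_coord/y_coord come from the question's URL, the rest is assumed.

# Decode one urlencoded value: "+" becomes a space, %XX the byte it encodes.
urldecode() {
    s=$(printf '%s' "$1" | tr '+' ' '); out=
    while [ -n "$s" ]; do
        case $s in
            %[0-9A-Fa-f][0-9A-Fa-f]*)
                hex=${s#?}; hex=${hex%"${hex#??}"}
                out=$out$(printf "\\$(printf '%03o' "0x$hex")")
                s=${s#???} ;;
            *) out=$out${s%"${s#?}"}; s=${s#?} ;;
        esac
    done
    printf '%s' "$out"
}

# Print the request body, or fail unless this is a bounded urlencoded POST.
read_post_body() {
    [ "${REQUEST_METHOD:-}" = POST ] || return 1
    case ${CONTENT_TYPE:-} in application/x-www-form-urlencoded*) ;; *) return 1 ;; esac
    case ${CONTENT_LENGTH:-} in ''|*[!0-9]*) return 1 ;; esac
    [ "$CONTENT_LENGTH" -le 4096 ] || return 1
    dd bs=1 count="$CONTENT_LENGTH" 2>/dev/null
}

# form_field NAME BODY: print the decoded value of NAME from a urlencoded body.
form_field() {
    rest=$2
    while [ -n "$rest" ]; do
        pair=${rest%%"&"*}
        case $rest in *'&'*) rest=${rest#*"&"} ;; *) rest= ;; esac
        case $pair in "$1="*) urldecode "${pair#*=}"; return 0 ;; esac
    done
    return 1
}

# CGI entry point: refuse anything but a form POST, then pass the fields on.
handle_request() {
    body=$(read_post_body) || {
        printf 'Status: 405 Method Not Allowed\r\nAllow: POST\r\n\r\n'; return 0; }
    login=$(form_field x_coord "$body") || login=
    password=$(form_field y_coord "$body") || password=
    # Hand "$login" and "$password" to the existing login check here.
    printf 'Content-Type: text/plain\r\n\r\nlogin form received\n'
}
# Run only under a web server, which sets GATEWAY_INTERFACE for CGI programs.
if [ -n "${GATEWAY_INTERFACE:-}" ]; then handle_request; fi
```

The login form then has to submit with `method="post"`; the values travel in the request body, so they no longer appear in the address bar, the browser history or the query string the server logs.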

  • #5
    New to the CF scene
    Join Date
    Dec 2004
    Posts
    5
    Thanks
    0
    Thanked 0 Times in 0 Posts
    Quote Originally Posted by joh6nn
    javascript won't be able to help you here; you need to change your cgi script to only accept POST. sorry

    oh ok.. thanks! so using POST would leave the address bar as it is and not show any values?

  • #6
    Senior Coder joh6nn's Avatar
    Join Date
    Jun 2002
    Location
    72 W. 48' 57" , 41 N. 32' 04"
    Posts
    1,887
    Thanks
    0
    Thanked 1 Time in 1 Post
    yeah, that's pretty much THE difference between Post and Get. the guys over in the server side forums should be able to help you change your cgi to work with Post.

  • #7
    New to the CF scene
    Join Date
    Dec 2004
    Posts
    5
    Thanks
    0
    Thanked 0 Times in 0 Posts
    alright, thanks

