Beefy Boxes and Bandwidth Generously Provided by pair Networks
good chemistry is complicated,
and a little bit messy -LW
 
PerlMonks  

Link Issue

by Anonymous Monk
on Jul 08, 2005 at 15:03 UTC ( #473436=perlquestion: print w/ replies, xml ) Need Help??
Anonymous Monk has asked for the wisdom of the Perl Monks concerning the following question:

Hi Monks, I have a program that has a simple log in, like an input for a user name and password, but my problem is that the perl program prints the information on the screen like:
<a href=\"login.pl?un=1&x=1&u=$user_name&p=$pass_w\">$all_names</a>

My question is how could I hide this information from the user after it gets clicked to go to another program on the browser screen? There is a way to encrypt it?
Thanks for the help! When the code runs this link gets printed, and no

Comment on Link Issue
Download Code
Re: Link Issue
by dazzle (Sexton) on Jul 08, 2005 at 15:17 UTC
    Um, I think you want to look into using a session for this kind of data.

    A session is a set of data maintained on the Web server that is uniquely associated with a single Web browser instance (normally via a cookie setting) -- so the user can enter their password once (hopefully via https), transmit it to the server, and have the server keep it locally until the end of the session (explicit log out or default time out).

    See CGI::Session for one implementation of the standard solution for this kind of problem.

Re: Link Issue
by dirac (Beadle) on Jul 08, 2005 at 15:42 UTC
    You can encrypt it with MD5
    #!/usr/bin/perl -w
    use strict;
    
    use Digest::MD5 qw(md5_hex md5_base64);
    
    my $user = "User";
    my $passwd = md5_hex("mypassword"); 
    print $passwd,"\n"; 
    print "<a href='login.pl?user=$user&passwd=$passwd'>all_names</a>\n";
    
    my $storedPasswd = "mypassword";
    my $digestStored = md5_hex($storedPasswd);
    
    print "Passwd OK\n" if $digestStored eq $passwd;
    
    
      Thanks, I think that using MD5 will do the trick.
      The problem with this scheme is that, although you've hidden the password, you've made the MD5 of the password equivalent to the password for your application. For example, if I sniff or shoulder-surf a session from this user and see that they're using user=sgifford&passwd=MD5ENCODEDSTRING, then I can simply log on to your system by sending these same parameters, even though I don't know the password.

      You really want to consider using sessions here, or just putting the username and password in hidden form fields to protect them from shoulder-surfing, and using SSL to protect them across the network.

Re: Link Issue
by pbeckingham (Parson) on Jul 08, 2005 at 19:29 UTC

    I think what you really want is to use HTTP POST instead of HTTP GET, and then you won't be seeing the user and password in the browser. It doesn't, however, make it more secure.



    pbeckingham - typist, perishable vertebrate.

Log In?
Username:
Password:

What's my password?
Create A New User
Node Status?
node history
Node Type: perlquestion [id://473436]
Approved by Tanalis
help
Chatterbox?
and the web crawler heard nothing...

How do I use this? | Other CB clients
Other Users?
Others taking refuge in the Monastery: (8)
As of 2014-12-28 15:57 GMT
Sections?
Information?
Find Nodes?
Leftovers?
    Voting Booth?

    Is guessing a good strategy for surviving in the IT business?





    Results (182 votes), past polls