PerlMonks
Form passwords cached when redisplayed?

by markjugg (Curate)

on Apr 06, 2001 at 18:50 UTC ( #70482=perlquestion )
markjugg has asked for the wisdom of the Perl Monks concerning the following question:

I've recently begun using HTML::FillInForm to redisplay CGI forms with errors highlighted. I'm curious about security issues with redisplaying password fields.

It seems that if I'm sending the password to the server as plain text, the security is not much worse to have it sent back as plain text. However, would having the password field pre-filled possibly cause a browser to cache it in that state? I realize this question isn't specific to Perl, but I thought someone might have a pointer on it. Thanks!

-mark

Re: Form passwords cached when redisplayed?
by Masem (Monsignor) on Apr 06, 2001 at 18:57 UTC
    There's no clear-cut answer to this, as it's going to vary from browser to browser. On occasions where I can such a situation, the browser (IE or Opera for Win) password fields are cleared out, but I can't easily verify this.

    IMO, I would never transmit back a password, and use whatever is needed to remove it from a form; e.g., if you ask the user who wants to change their password to type in the old password and the new password twice, I would send neither back if the new password verification failed, making sure the user enters both old and new again. I know you can do this easily with CGI.pm, and would suspect you can do it too with that module.


    Dr. Michael K. Neylon - mneylon-pm@masemware.com || "You've left the lens cap of your mind on again, Pinky" - The Brain
Re: Form passwords cached when redisplayed?
by andye (Curate) on Apr 06, 2001 at 20:53 UTC
    If the page is cached in the browser, then the password will be visible in the page's source, even if the browser doesn't display it in the form. If the page is the result of a POST though, then it shouldn't be cached (although that's up to the browser).

    andy.

Re: Form passwords cached when redisplayed?
by markjugg (Curate) on Apr 06, 2001 at 21:16 UTC
    I think I found a good answer in the docs for CGI.pm:

    Some browsers, such as Internet Explorer, cache the output of CGI scripts. Others, such as Netscape Navigator do not. This leads to annoying and inconsistent behavior when going from one browser to another. You can force the behavior to be consistent by using the -expires parameter

    -mark

      You can force the behavior to be consistent by using the -expires parameter

      Unfortunately this doesn't work in all cases. Would that it did, it would make my life easier.

      Even in mainstream browsers, the user can override the -expires parameter by fiddling around with the caching settings. It's never safe to assume that your page won't be cached.

      andy.

        > Even in mainstream browsers, the user can override the -expires parameter by fiddling around with the caching settings.

        That by itself might not be a big problem, I think. I have my browser set to cache everything, but this is my personal computer in my house that only I have access to, so it's not so much of a security problem for the password to be sent back in plain text. It could be trouble for a user who sets their browser to cache everything without understanding the security implications, though.
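As an added example that is not part of the thread: a complete CGI script tying together Masem's advice (never send the password back; make the user retype both fields) and the caching discussion (CGI.pm's -expires, plus explicit Cache-Control and Pragma headers, which the thread does not mention but which are the standard way to tell HTTP/1.1 and HTTP/1.0 caches not to store a page). HTML::FillInForm's documented fill_password and ignore_fields options keep password inputs empty on the HTML side; deleting the fields from the data hash covers them on the data side as well. The field names, the template and the validation rules are assumptions made for illustration.

```perl
#!/usr/bin/perl
# Added example (not code from the thread): redisplay a failed signup form
# with HTML::FillInForm while (a) never echoing password fields back and
# (b) sending headers that ask browsers and proxies not to cache the page.
# Field names, the template and the validation rules are assumptions.
use strict;
use warnings;
use CGI;
use HTML::FillInForm;

my $q = CGI->new;

# Every password-type field in the form. Anything listed here is removed
# from the data handed to HTML::FillInForm, so the browser never receives
# it inside a value="..." attribute.
my @password_fields = qw(password password_confirm);

# Constructed template, standing in for the real form file.
my $template = <<'HTML';
<form method="post" action="signup.cgi">
  Username: <input type="text" name="username">
  Password: <input type="password" name="password">
  Repeat:   <input type="password" name="password_confirm">
  <input type="submit" value="Sign up">
</form>
HTML

# Copy the submitted parameters into a plain hash, then drop the password
# fields. fill_password => 0 below would also leave <input type="password">
# empty, but deleting the data is a second layer: a field accidentally
# marked type="text" gets no password either.
my %fdat;
$fdat{$_} = $q->param($_) for $q->param;
delete @fdat{@password_fields};

my @errors = validate($q);

print no_cache_header($q);

if (@errors) {
    # Redisplay: the user retypes both passwords, as Masem suggests.
    my $html = HTML::FillInForm->new->fill(
        scalarref     => \$template,
        fdat          => \%fdat,
        fill_password => 0,               # never fill type="password"
        ignore_fields => \@password_fields,
    );
    print "<ul>", (map { "<li>" . $q->escapeHTML($_) . "</li>" } @errors), "</ul>\n";
    print $html;
} else {
    print "<p>Account created.</p>\n";
}

# -expires alone (what the CGI.pm docs recommend) only sets Expires and
# Date. Cache-Control covers HTTP/1.1 caches and Pragma covers HTTP/1.0
# ones. A user who forces their browser to cache everything can still
# override all of this, as andye points out in the thread.
sub no_cache_header {
    my ($q) = @_;
    return $q->header(
        -type          => 'text/html',
        -charset       => 'UTF-8',
        -expires       => 'now',
        -Cache_Control => 'no-store, no-cache, must-revalidate',
        -Pragma        => 'no-cache',
    );
}

# Assumed validation rules for the illustration.
sub validate {
    my ($q) = @_;
    my @errors;
    my $user = $q->param('username')         // '';
    my $pw   = $q->param('password')         // '';
    my $pw2  = $q->param('password_confirm') // '';
    push @errors, 'Username is required'                 unless length $user;
    push @errors, 'Password must be at least 8 characters' if length $pw < 8;
    push @errors, 'Passwords do not match'                 unless $pw eq $pw2;
    return @errors;
}
```

CGI.pm turns any unrecognised -Some_Header parameter into a "Some-Header:" line, which is how the Cache-Control and Pragma headers above are emitted. Note that the no-cache headers are sent on every response, including the success page, since the request that produced it carried the password.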
