Beefy Boxes and Bandwidth Generously Provided by pair Networks
Clear questions and runnable code
get the best and fastest answer
 
PerlMonks  

Form passwords cached when redisplayed?

by markjugg (Curate)
on Apr 06, 2001 at 18:50 UTC ( #70482=perlquestion: print w/ replies, xml ) Need Help??
markjugg has asked for the wisdom of the Perl Monks concerning the following question:

I've recently begun using HTML::FillInForm to redisplay CGI forms with errors highlighted. I'm curious about security issues with redisplaying password fields.

It seems that if I'm sending the password the server as plain text, the security is not much worse to have it sent back as plain text. However, would having the password field pre-filled possibly cause a browser to cache it in that state? I realize this question isn't specific to Perl, but I thought someone might have a pointer on it. Thanks!

-mark

Comment on Form passwords cached when redisplayed?
Re: Form passwords cached when redisplayed?
by Masem (Monsignor) on Apr 06, 2001 at 18:57 UTC
    There's no clear-cut answer to this, as it's going to vary from browser to browser. On occasions where I can such a situation, the browser (IE or Opera for Win) password fields are cleared out, but I can't easily verify this.

    IMO, I would never transmit back a password, and use whatever is needed to remove it from a form; eg if you ask the user that wants to change their password to type in the old password and the new password twice, I would send neither back if the new password verification failed, making sure the user enters both old and new again. I know you can do this easily with CGI.pm, and would suspect you can do it too with that module.


    Dr. Michael K. Neylon - mneylon-pm@masemware.com || "You've left the lens cap of your mind on again, Pinky" - The Brain
Re: Form passwords cached when redisplayed?
by andye (Curate) on Apr 06, 2001 at 20:53 UTC
    If the page is cached in the browser, then the password will be visible in the page's source, even if the browser doesn't display it in the form. If the page is the result of a POST though, then it shouldn't be cached (although that's up to the browser).

    andy.

Re: Form passwords cached when redisplayed?
by markjugg (Curate) on Apr 06, 2001 at 21:16 UTC
    I think I found in good answer in the docs for CGI.pm:

    Some browsers, such as Internet Explorer, cache the output of CGI scripts. Others, such as Netscape Navigator do not. This leads to annoying and inconsistent behavior when going from one browser to another. You can force the behavior to be consistent by using the -expires parameter

    -mark

      You can force the behavior to be consistent by using the -expires parameter

      Unfortunately this doesn't work in all cases. Would that it did, it would make my life easier.

      Even in mainstream browsers, the user can override the -expires parameter by fiddling around with the caching settings. It's never safe to assume that your page won't be cached.

      andy.

        > Even in mainstream browsers, the user can override the -
        > expires parameter by fiddling around with the caching
        > settings.

        That by itself might not be a big problem, I think. I have my browser set to cache everything, but this is my personal computer in my house that only I have access to, so it's not so much of a security problem for the password to be sent back in plain text. It could be trouble for a user who sets their browser to cache everything without understanding the security implications, though.

Log In?
Username:
Password:

What's my password?
Create A New User
Node Status?
node history
Node Type: perlquestion [id://70482]
Approved by root
help
Chatterbox?
and the web crawler heard nothing...

How do I use this? | Other CB clients
Other Users?
Others exploiting the Monastery: (8)
As of 2014-09-02 02:21 GMT
Sections?
Information?
Find Nodes?
Leftovers?
    Voting Booth?

    My favorite cookbook is:










    Results (18 votes), past polls