in reply to Essential CGI Security Practices
Simply saying "Invalid Login" doesn't buy you any securty if you're sending in the clear over the wire, so why make it harder on the user? There are other ways of handling brute-force attacks that you are expressing worry about here (think escalating delays for failures).
On the other hand, if you are truly paranoid minimizing the information you betray about your system is probably a good thing e.g. paths, server information (HTTP headers, etc.) (unfortunately?) that means no "Powered by Apache" feathers either ;-)
As for %ENV I stand by "Re: perlsec question".
perl -pe "s/\b;([st])/'\1/mg"
|Replies are listed 'Best First'.|
Re^2: Essential CGI Security Practices
by Aristotle (Chancellor) on Feb 03, 2002 at 01:07 UTC
Re: Re: Essential CGI Security Practices
by dsheroh (Monsignor) on May 17, 2002 at 18:12 UTC
Re: Essential CGI Security Practices
by jonadab (Parson) on Sep 30, 2003 at 12:05 UTC