http://www.perlmonks.org?node_id=70482

markjugg has asked for the wisdom of the Perl Monks concerning the following question:

I've recently begun using HTML::FillInForm to redisplay CGI forms with errors highlighted. I'm curious about security issues with redisplaying password fields.

It seems that if I'm sending the password to the server as plain text, the security is not much worse to have it sent back as plain text. However, would having the password field pre-filled possibly cause a browser to cache it in that state? I realize this question isn't specific to Perl, but I thought someone might have a pointer on it. Thanks!

-mark

Re: Form passwords cached when redisplayed?
by markjugg (Curate) on Apr 06, 2001 at 21:16 UTC
    I think I found a good answer in the docs for CGI.pm:

    Some browsers, such as Internet Explorer, cache the output of CGI scripts. Others, such as Netscape Navigator, do not. This leads to annoying and inconsistent behavior when going from one browser to another. You can force the behavior to be consistent by using the -expires parameter

    -mark

      You can force the behavior to be consistent by using the -expires parameter

      Unfortunately this doesn't work in all cases. Would that it did, it would make my life easier.

      Even in mainstream browsers, the user can override the -expires parameter by fiddling around with the caching settings. It's never safe to assume that your page won't be cached.

      andy.

        > Even in mainstream browsers, the user can override the -expires parameter by fiddling around with the caching settings.

        That by itself might not be a big problem, I think. I have my browser set to cache everything, but this is my personal computer in my house that only I have access to, so it's not so much of a security problem for the password to be sent back in plain text. It could be trouble for a user who sets their browser to cache everything without understanding the security implications, though.
Re: Form passwords cached when redisplayed?
by Masem (Monsignor) on Apr 06, 2001 at 18:57 UTC
    There's no clear-cut answer to this, as it's going to vary from browser to browser. On occasions where I can such a situation, the browser (IE or Opera for Win) password fields are cleared out, but I can't easily verify this.

    IMO, I would never transmit back a password, and use whatever is needed to remove it from a form; e.g. if you ask the user that wants to change their password to type in the old password and the new password twice, I would send neither back if the new password verification failed, making sure the user enters both old and new again. I know you can do this easily with CGI.pm, and would suspect you can do it too with that module.


    Dr. Michael K. Neylon - mneylon-pm@masemware.com || "You've left the lens cap of your mind on again, Pinky" - The Brain
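One way to do what Masem describes with HTML::FillInForm and CGI.pm, as an added example that is not from the thread or from either module's own documentation: the submitted password values are deleted from the data used to refill the form, `fill_password => 0` and `ignore_fields` are passed as a second guard, and the response carries the `-expires` option from the CGI.pm docs together with `Cache-Control: no-store`. The form template, field names and validation rules are constructed for the example.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use CGI;
use HTML::FillInForm;

# Constructed change-password form for this example.
my $template = <<'HTML';
<form method="post" action="/cgi-bin/chpass.cgi">
  Username: <input type="text" name="username">
  Old password: <input type="password" name="old_pw">
  New password: <input type="password" name="new_pw">
  Repeat: <input type="password" name="new_pw2">
  <input type="submit" value="Change">
</form>
HTML

# Fields that must never be echoed back into the redisplayed page.
my @secret_fields = qw(old_pw new_pw new_pw2);

my $q    = CGI->new;
my %fdat = map { $_ => scalar $q->param($_) } $q->param;

my @errors;
push @errors, 'New passwords do not match'
    if ($fdat{new_pw} // '') ne ($fdat{new_pw2} // '');
push @errors, 'Username is required'
    unless length($fdat{username} // '');

# Remove the secrets from the data used to refill the form, so the user
# has to type old and new passwords again after a failed attempt.
delete @fdat{@secret_fields};

# Second guard: even if a password value slipped into %fdat,
# fill_password => 0 leaves <input type="password"> untouched and
# ignore_fields excludes the named fields from filling altogether.
my $html = HTML::FillInForm->new->fill(
    scalarref     => \$template,
    fdat          => \%fdat,
    fill_password => 0,
    ignore_fields => \@secret_fields,
);

# Ask the browser not to keep a copy of the redisplayed form.
print $q->header(
    -type          => 'text/html',
    -expires       => 'now',
    -Cache_Control => 'no-store, no-cache, must-revalidate',
    -Pragma        => 'no-cache',
);
print '<p class="error">', $q->escapeHTML($_), "</p>\n" for @errors;
print $html;
```

As the later replies note, these headers are advisory: a browser configured to cache everything can still keep the page, which is why deleting the values before refilling is the part that matters.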
Re: Form passwords cached when redisplayed?
by andye (Curate) on Apr 06, 2001 at 20:53 UTC
    If the page is cached in the browser, then the password will be visible in the page's source, even if the browser doesn't display it in the form. If the page is the result of a POST though, then it shouldn't be cached (although that's up to the browser).

    andy.