Hi,

Thanks everybody for the help...

I think I have the solution...

This site doesn't need so much security so I'm not worried if someone is
using a sniffer...

I just don't want everyone to do "view source" and see the password in plain
text so I'm going to use md5 or sha-1 to solve it.

Thanks again,
Wagner.

-----Original Message-----
From: Brent Michalski [mailto:[EMAIL PROTECTED]]
Sent: Thursday, October 11, 2001 1:22 PM
To: Wagner Garcia Campagner
Cc: [EMAIL PROTECTED]
Subject: Re: security in perl



Please forgive the formatting of this message, I am using Lotus Notes (nuff
said)...

First off, this is NOT a "Perl security issue".  It doesn't matter what
language you do this in, the results would be the same...

Now, if you want to pass a username and password securely, you'll want to
use SSL as well as any other methods you may choose.  If you do not use
SSL, your username and password are sent, unencrypted, to the website.
This may not be a worry for you depending on what the site is.

So, how do you send the information, so that someone can't just view the
source and see it?  Well, one way would be to send the information in a
cookie.  By using a cookie, your typical, average, user will not know how
to find it.  If you want to "100%" (really no such thing) securely send
username and password information, you are going to have to get into
certificates and such...

<shameless plug>
In mine & Kevin Meltzer's book, "Writing CGI Applications with Perl", we
spend quite a bit of time on security and all of the code examples use the
-T (taint) method to prevent you from inadvertently leaving holes open...
</shameless plug>

Hope this helps,

Brent

From: "Wagner Garcia Campagner" <wagnergc@itautec.com.br>
Sent: 10/10/01 10:04 AM
To: <[EMAIL PROTECTED]>
cc:
Subject: security in perl

Hi,

I have three web pages, for example: login.html, page1.pl and page2.pl...

In the first page I send the username and the password to the page1.pl
through FORM POST METHOD:

<FORM NAME="formulario" METHOD="post" ACTION="page1.pl">
<table border="0" bgcolor="black" cellpadding="2">
<tbody><tr><td>
<table border="0" bgcolor="FBC900" cellspacing="0" cellpadding="15">
<tr><td>
<table border="0" bgcolor="FBC900" cellspacing="0" cellpadding="2">
<TR><TD align=right><FONT SIZE=3 COLOR=black><B>USER:</B></FONT></TD>
<TD><INPUT TYPE="text" NAME="username" VALUE="" SIZE=10></TD></TR>
<TR><TD align=right><FONT SIZE=3 COLOR=black><B>PASSWORD:</B></FONT></TD>
<TD><INPUT TYPE="password" NAME="passwd" VALUE="" SIZE=10></TD></TR>
<TR><TD COLSPAN=2 ALIGN=CENTER><INPUT TYPE="submit" value="OK"></TD></TR>
</table>
</td></tr></table>
</td></tr></tbody></table>
</form>


So I get this in page1.pl as follows:


use CGI qw(param);

$name = param('username');
$pass = param('passwd');

if (($name eq 'guest') && ($pass eq 'password')) {
    # credentials match: display the page
}

Only if user=guest and pass=password the page is displayed otherwise it is
redirected to another page...

Now what I want to do is send this username and password to the
page2.html...

I'm doing like this:

<FORM METHOD=post ACTION=page2.pl>
<INPUT TYPE=hidden NAME=username VALUE=$name>
<INPUT TYPE=hidden NAME=password VALUE=$pass>
<INPUT TYPE="submit" value="OK">
</FORM>


The problem is when I do "view source" on the page1.pl I can see the
username and the password in plain text....


Is there a way for me to pass this information to page2.pl without everyone
seeing it when "view source" is used???


Thanks in advance and forgive me for this long text,


Wagner.


 --
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
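
Added example, not code from any message in this thread: one way to carry the login from page1.pl to page2.pl without placing the password, or a bare hash of it, in a hidden field or cookie. page1.pl issues a short-lived token signed with a server-side secret and page2.pl verifies it; the names make_token, check_token and const_eq, the token layout and the secret value are assumptions made for illustration.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use Digest::SHA qw(hmac_sha256_hex);

# Assumption: a server-side secret that never appears in any page.
# Constructed placeholder; load a real one from a protected file.
my $SECRET = 'REPLACE-WITH-RANDOM-SERVER-SIDE-SECRET';

# page1.pl: after the password check succeeds, issue a token instead of
# echoing the password into a hidden field.
sub make_token {
    my ($user, $ttl, $now) = @_;
    $now = time unless defined $now;
    my $expires = $now + $ttl;
    my $mac = hmac_sha256_hex("$user|$expires", $SECRET);
    return "$user|$expires|$mac";
}

# Compare two strings without stopping at the first differing byte.
sub const_eq {
    my ($x, $y) = @_;
    return 0 if length($x) != length($y);
    my $diff = 0;
    $diff |= ord(substr($x, $_, 1)) ^ ord(substr($y, $_, 1)) for 0 .. length($x) - 1;
    return $diff == 0;
}

# page2.pl: returns the username if the token is authentic and unexpired,
# otherwise nothing (undef in scalar context).
sub check_token {
    my ($token, $now) = @_;
    $now = time unless defined $now;
    return unless defined $token;
    my ($user, $expires, $mac) =
        $token =~ /\A([A-Za-z0-9_]{1,32})\|(\d{1,12})\|([0-9a-f]{64})\z/ or return;
    return unless const_eq($mac, hmac_sha256_hex("$user|$expires", $SECRET));
    return if $expires < $now;
    return $user;
}

# Constructed demonstration values (fixed clock so the run is repeatable).
my $token = make_token('guest', 900, 1_000_000);
print "valid:    ", (check_token($token, 1_000_100) // 'rejected'), "\n";
print "expired:  ", (check_token($token, 1_001_000) // 'rejected'), "\n";
(my $forged = $token) =~ s/^guest/admin/;
print "tampered: ", (check_token($forged, 1_000_100) // 'rejected'), "\n";
```

The token can travel in the hidden field or in a cookie; without SSL it can still be captured on the wire and replayed until it expires.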







