At 06:50 AM 6/25/02 -0500, David T-G wrote:

>When you have page1 loaded and you're about to press the submit button
>to send it, and your secret var1, off to the script, don't; instead,
>view the page source and you will see the form structure and the hidden
>(note that "hidden" simply means "don't bother to try to display on the
>page", not "secretly encrypted or made to disappear so that nobody can
>find it") variable right there.

Oops, sorry I didn't follow this thread from the beginning, David, or I 
would've understood your point, which is that hidden form fields aren't... 
and are certainly no place to put data that shouldn't be available over the 
web for site visitors to see.

Right?

>Well, the browser has to know what to send back to your script as STDIN,
>no?  And if it knows what to send, then it must have that on the page
>somewhere, no?  And if it's on the page somewhere then the user can see
>it, no?

Absolutely... so can a program using LWP, for example. I could even find 
it using the GRABURL Windows app from a batch exec, then parse out the 
hidden form fields on my PC using Java or C++.

The proper way to handle this kind of requirement imo is to use a hidden 
form field with a key, and then have the server side pgm validate the 
HTTP_REFERER. So the key itself is of no value unless the authenticated 
referer coupled with the key tells the server pgm to access the secured 
info using that key.

But you already knew that. :)

Marty

--
SIMPL WebSite Creation: http://face2interface.com/Home/Demo.shtml
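As an added example (not code from this thread, nor from David or Marty), here is a small Python sketch of the pattern Marty describes: a key in a hidden form field that is of no value on its own. The key is an opaque record handle plus an HMAC bound to the server-side session, so neither the secured data nor the server secret ever appears in the page source, and a key lifted from one session or edited to point at another record is rejected. The HTTP_REFERER check is included only as an advisory check, because, exactly like the hidden field, the Referer header is whatever the client chooses to send. Session ids, record ids, the secret and the sample request are constructed values for this example.

```python
import hashlib
import hmac
from urllib.parse import urlsplit

# Server-only secret (constructed for this example). It never goes into a page.
SERVER_SECRET = b"constructed-server-only-secret-key"

# What each key refers to, kept on the server (constructed sample data).
SECURED_RECORDS = {
    "rec-1001": "account balance for user alice",
    "rec-1002": "account balance for user bob",
}


def _mac(session_id: str, record_id: str) -> str:
    """HMAC over (session, record) so a key is tied to one session and one record."""
    msg = f"{session_id}:{record_id}".encode()
    return hmac.new(SERVER_SECRET, msg, hashlib.sha256).hexdigest()


def issue_hidden_key(session_id: str, record_id: str) -> str:
    """Value to put in <input type="hidden" name="key"> on page1.

    Anyone viewing the source sees only an opaque handle and a MAC; the
    secured data itself is never sent to the browser at this stage.
    """
    return f"{record_id}.{_mac(session_id, record_id)}"


def render_page1(session_id: str, record_id: str) -> str:
    """Build the form that page1 would serve (constructed HTML)."""
    key = issue_hidden_key(session_id, record_id)
    return (
        '<form method="post" action="/cgi-bin/show">'
        f'<input type="hidden" name="key" value="{key}">'
        '<input type="submit" value="Show">'
        "</form>"
    )


def resolve_hidden_key(session_id: str, hidden_key: str):
    """Server-side validation of the submitted hidden field.

    Returns the secured record when the key is intact and belongs to this
    session; returns None for a malformed, altered or replayed key.
    """
    try:
        record_id, tag = hidden_key.rsplit(".", 1)
    except ValueError:
        return None
    # Constant-time comparison so a forged tag cannot be guessed byte by byte.
    if not hmac.compare_digest(tag, _mac(session_id, record_id)):
        return None
    return SECURED_RECORDS.get(record_id)


def referer_matches(headers: dict, expected_host: str) -> bool:
    """Advisory check of HTTP_REFERER.

    The client decides whether to send a Referer and what it contains, so a
    match is a weak hint of a normal browser flow, not proof of anything. The
    HMAC above is the real gate.
    """
    ref = headers.get("Referer", "")
    return urlsplit(ref).hostname == expected_host


if __name__ == "__main__":
    sess = "sess-A"  # constructed session id
    print(render_page1(sess, "rec-1001"))
    key = issue_hidden_key(sess, "rec-1001")
    # Constructed request: a browser posting the form back from page1.
    req_headers = {"Referer": "http://example.test/page1"}
    print("referer ok:", referer_matches(req_headers, "example.test"))
    print("intact key:", resolve_hidden_key(sess, key))
    print("edited key:", resolve_hidden_key(sess, key.replace("rec-1001", "rec-1002")))
    print("other session:", resolve_hidden_key("sess-B", key))
```

The hidden field still shows up in "view source", as David points out, but what it reveals is a handle the server will only honour for the session that was issued it; changing the record id or pasting the key into another session fails the MAC before any lookup happens.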
