Thanks K. I've found a thread that addresses my needs, without the use of cookies.
However, I'm concerned about having the cookies working for other purposes. Just in case we need them down the road. Any idea of why it is working everywhere but on our local server? Is there a setting on Apache I must turn on? Regards Eric --- In [email protected], "K. Schreur" <[EMAIL PROTECTED]> wrote: > > If you browse through the messages posted I believe you will find several > different ideas on how to perform what you are asking. In my past > experience, we generated a random value, and passed that as a hidden value. > We had a simple algorithm to encode that value so that it was meaningless to > the user. Each cgi program would validate the key and check a timestamp. If > the key was invalid, or the timestamp was older than 30 minutes we > considered the session expired, and the user had to begin all over again. > (this was accomplished with a couple of basic programs that were executed > after every input request)We kept a file on the server with all keys, and > last cgi process used. We also kept some additional information such as > variable data needed between programs that we did not wish to pass as hidden > variables, to keep state information. This allowed for trouble shooting when > there was a problem, and also to back out any uncompleted transaction sets. > For general web pages that were not transaction oriented, we did not care. > However for any process that required file updates etc, we always started > those processes in a new browser window that did not allow navigation or > tool bars so that the process would proceed until finished or the user > cancelled out (close the window or hit cancel button). There was a server > process that cleaned up unfinished transaction processes. We didn't find it > necessary to pass the password between pages in any form, and that would not > have passed a security audit anyway. Once the person was signed onto the > server, unless they closed the browser they were validated. > > ----- Original Message ----- > From: "eg_pops" <[EMAIL PROTECTED]> > To: <[email protected]> > Sent: Friday, January 06, 2006 10:00 PM > Subject: [Easy400Group] Cookies doesn't work on local Apache Server > > > > Hi, > > > > I'm looking for a way to pass crypted session user and password info > > from one page to another to prevent a user to inquire someone else's > > data by fooling with the URL. I don't like using hidden inputs to > > pass such sensitive info, so I thought about using cookies. > > > > However, I can't have a cookie created at all when running CGI's > > from my local Apache server. > > > > I did a little test to know if I was wrong. On the Easy400 web > > site, there's a demo that illustrates the use of cookies (http://www- > > 922.ibm.com/cgidev2p/cookie2.pgm) this one works just fine, so this > > proves that this is not an issue with my browser settings. > > > > Now, if I run the same demo from my local server which was > > implemented with the CGIDEV2 package -- and should be the same as > > the one available on Easy400 site -- no cookie is created at all. > > > > Anybody has a clue? > > > > Otherwise, I'm considering using user space which I believe might > > be even more secure than cookies since only the random userspace > > name will travel thru the Web, which is additionnaly crypted, has no > > sense for a malicious user. However, I don't like the idea of > > accumulating thousands of userspaces thru the day until a purge task > > wipe them off at night. > > > > Cookies also have their downsides since many users disable them from > > their browsers. > > > > Any other proposals? > > > > TIA > > > > > > > > > > > > > > Yahoo! Groups Links > > > > > > > > > > > > > > > Yahoo! Groups Links <*> To visit your group on the web, go to: http://groups.yahoo.com/group/Easy400Group/ <*> To unsubscribe from this group, send an email to: [EMAIL PROTECTED] <*> Your use of Yahoo! Groups is subject to: http://docs.yahoo.com/info/terms/
