
Re: [cgiapp] problem with form-data (get/post)


Hi,

the only reason that I'm encrypting the password is to prevent a possible brute-force attack like:
myURL/cgi-bin/myloginscript.cgi?pass=xxx

With an encrypted value of pass it is highly unlikely to get the right value - or am I wrong?

Jan




suppressed wrote:



As an aside (but related), what is the value of submitting a TripleDES
encoded password over a clear (HTTP) session?  At the time of submit it
just becomes a token that the web server reads, runs through a function to
validate it, and lets it go from there on.

Maybe I am being thick, but if you send an encrypted password or a
plaintext password, isn't it still just a replayable token?  I am having a
hard time coming up with a scenario where this would buy you more security.

Brian
--
Brian T. Wightman                suppressed
Global Data Management          http://pdm.cg.jci.com/
Johnson Controls, Controls Group          (414) 524-4025


suppressed
06/17/2004 02:32 AM

To:       suppressed
cc:
Subject:  Re: [cgiapp] problem with form-data (get/post)




Hi,

maxlength is already set in the input field with a value of 256 (that
should be enough).

Greets
Jan


Alexander Becker wrote:

Hi,

I'm having trouble with a cgi-program of mine and can't find a way to
solve it.
Here it is:
In a simple form I type in a password. This is encrypted via TripleDES.
The encrypted password is sent over the submit-button (POST or GET, both
have the same problem).
Everything works fine when I use Mozilla or IE as browser.
But with Opera, Konqueror or Lynx as browser the password field is cut
off.

Here a little example:

with Mozilla 1.7/IE 6:
pass=%D6%03%A0%D7%B0%3F0%FD

with Opera 7.5:
pass=%D6%03

with Lynx:
pass=%D6%A0%D7%B0%3F0%FD

Does anyone have an idea why each browser handles the encoded value in its own
way?

Thanks for any tips.

Greets
Jan

---------------------------------------------------------------------
Web Archive:  http://www.mail-archive.com/suppressed/
            http://marc.theaimsgroup.com/?l=cgiapp&r=1&w=2
To unsubscribe, e-mail: suppressed
For additional commands, e-mail: suppressed



Perhaps you set a length-attribute to the input-field?
Several browsers interpret it in their own way.
Greets, A. Becker (sry for typos)
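
The replay point raised in Brian's reply, as an added example that is not part of the original thread: a fixed TripleDES ciphertext submitted as `pass` verifies again whenever it is resent, while a response bound to a single-use server nonce does not. The key, IV, sample password and all function names are assumptions made for illustration; the thread does not say how the key is shared.

```javascript
// Added example (not from the thread). Key, IV and function names are assumptions.
const { createCipheriv, createHmac, randomBytes, timingSafeEqual } = require('node:crypto');

const KEY = Buffer.from('0123456789abcdefghijklmn'); // constructed 24-byte 3DES key
const IV = Buffer.alloc(8);                           // fixed IV: same input, same output
const STORED_PASSWORD = 'correct horse';              // constructed sample secret

// Scheme from the thread: the form submits the TripleDES ciphertext of the password.
// Hex output keeps the field value plain ASCII.
function encryptPassword(password) {
  const c = createCipheriv('des-ede3-cbc', KEY, IV);
  return Buffer.concat([c.update(password, 'utf8'), c.final()]).toString('hex');
}
function staticLogin(passField) {
  return safeEqual(passField, encryptPassword(STORED_PASSWORD));
}

// Alternative: the server issues a single-use nonce and the client returns
// HMAC-SHA256(password, nonce). A recorded response fails once the nonce is spent.
const pendingNonces = new Set();
function issueNonce() {
  const n = randomBytes(16).toString('hex');
  pendingNonces.add(n);
  return n;
}
function respond(password, nonce) {
  return createHmac('sha256', password).update(nonce).digest('hex');
}
function challengeLogin(nonce, response) {
  if (!pendingNonces.delete(nonce)) return false; // unknown or already used
  return safeEqual(response, respond(STORED_PASSWORD, nonce));
}
function safeEqual(a, b) {
  const x = Buffer.from(a), y = Buffer.from(b);
  return x.length === y.length && timingSafeEqual(x, y);
}

// Constructed capture: the values a clear HTTP request would carry on the wire.
function demo() {
  const capturedPass = encryptPassword('correct horse');
  const nonce = issueNonce();
  const capturedResp = respond('correct horse', nonce);
  return {
    staticFirst: staticLogin(capturedPass),
    staticReplay: staticLogin(capturedPass),              // token verifies again
    challengeFirst: challengeLogin(nonce, capturedResp),
    challengeReplay: challengeLogin(nonce, capturedResp), // nonce already consumed
  };
}
console.log(demo());
```

The nonce only stops the login value from being reused; everything else sent over a clear HTTP session is still readable on the wire.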




