
Re: [cgiapp] problem with form-data (get/post)


Hi Cees,

Cees Hek wrote:

Hi Jan,

I am going back to your original question, because I think everyone (including me) is a little bit confused as to what you are trying to do.

Jan Dworschak wrote:

Hi,

I'm having trouble with a CGI program of mine and can't find a way to solve it.
Here it is:
In a simple form I type in a password. This is encrypted via TripleDES.
The encrypted password is sent over the submit-button (POST or GET, both have the same problem).


The way you wrote this makes it sound like it is all happening on the browser. From your responses, I am guessing this is not the case.

Here is what I guess is actually happening: A user enters a password, which is sent plain text to the server, which is then TripleDES encrypted and sent back to the client in a hidden field, or as a parameter in an URL. When the encrypted password is sent back to the server, it is truncated when using certain browsers.

Yes, that's exactly the problem. Sorry for my misunderstanding description.


Everything works fine when I use Mozilla or IE as browser.
But with Opera, Konqueror or Lynx as browser the password field is cut off.

Here a little example:

with mozilla 1.7/IE 6:
pass=%D6%03%A0%D7%B0%3F0%FD

with opera 7.5:
pass=%D6%03

with lynx:
pass=%D6%A0%D7%B0%3F0%FD

Does anyone have an idea why each browser handles the encoded value in its own way?


Are you doing the URL encoding of the password yourself, or are you depending on the browser to do the URL encoding? You have to do the URL encoding yourself on the server side before you send the encrypted password back to the browser. My guess is that this is probably the problem you are seeing.

If you need to know how to URL encode your encrypted password, check out the escape method in CGI::Util for an example.

I will check it out, thanks for the tip.


Thanks for any tips.


Now back to some of the questions that people have asked you. Why are you doing this? I am concerned that you may have a false sense of security in what you are doing (but since we don't have enough info, we can't be sure)! An encrypted password on its own is no more secure than a plain text password if the encrypted password can be used (on its own) to gain access to the site!

So the big question is: If your CGI script sees an encrypted password, and it determines that it is valid, are you allowing access to that user based on that info alone? If so, then you might as well be using plain text passwords, because all an attacker needs to get in is the encrypted password!!!

So far you're right. But only the encrypted password isn't enough. On the server it has to be decrypted with the right key.
And this key is generated for each session on the server.
Theoretically it is possible to get the correct value, that's right. But it's a little bit harder. That was my intention.

Greets

Jan
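
Added example, not part of the original thread: a Perl sketch of the server-side encoding Cees suggests, using escape/unescape from CGI::Util, plus a block-length check that catches the truncated values reported above. The helper names encode_for_client and decode_from_client are hypothetical, and the ciphertext is a constructed sample built from the bytes of the value quoted in the thread.

```perl
#!/usr/bin/perl
# Added example, not code from the thread.
use strict;
use warnings;
use CGI::Util qw(escape unescape);

my $BLOCK = 8;    # TripleDES block size in bytes

# Hypothetical helper: make raw ciphertext safe to embed in HTML or a URL,
# so the browser only ever handles plain ASCII.
sub encode_for_client { return escape($_[0]) }

# Hypothetical helper: decode the %XX string the script receives for the
# field and reject anything that is not a whole number of cipher blocks
# (truncated or mangled in transit).
sub decode_from_client {
    my ($value) = @_;
    my $raw = unescape($value);
    return if length($raw) == 0 || length($raw) % $BLOCK;
    return $raw;
}

# Constructed sample: the 8 bytes behind "pass=%D6%03%A0%D7%B0%3F0%FD".
my $ciphertext = pack 'H*', 'd603a0d7b03f30fd';
my $encoded    = encode_for_client($ciphertext);
print "hidden field value: $encoded\n";

# The three values reported in the thread, as they reached the server.
my %seen = (
    'mozilla 1.7/IE 6' => '%D6%03%A0%D7%B0%3F0%FD',
    'opera 7.5'        => '%D6%03',
    'lynx'             => '%D6%A0%D7%B0%3F0%FD',
);
for my $browser (sort keys %seen) {
    my $raw = decode_from_client($seen{$browser});
    printf "%-18s %s\n", $browser,
        defined $raw
        ? 'ok (' . length($raw) . ' bytes)'
        : 'rejected: not a whole block';
}
```

When the pre-encoded value travels in a form field, the browser percent-encodes it once more on submit and CGI.pm's param() removes only that outer layer, so the script sees the %XX string and has to call unescape on it once itself.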
