HTML Tutorial


Major security problem
degsy



Joined: 23 Feb 2005
Posts: 2440
Location: North East, UK

Posted: Wed Mar 08, 2006 9:44 am     Major security problem

Not exactly sure why this happens, maybe due to your mod_rewrite code or other mods, but when you log in your password is displayed in the address bar.
The form is using POST, but I'm guessing you have some kind of redirect back to the index and it is showing all the login data in the address bar.

Not very secure at all. This method should not be used for submitting sensitive data.
zylstra
Site Admin


Joined: 10 May 2004
Posts: 125

Posted: Thu Mar 09, 2006 2:25 pm

It is true that the information shows in the address bar. Do you think it is insecure because other people using the same computer would be able to see it? Post hides the information from the address bar, but the information is still available in the HTTP header being sent across the internet.
degsy



Joined: 23 Feb 2005
Posts: 2440
Location: North East, UK

Posted: Thu Mar 09, 2006 5:17 pm

Are you saying that the fact that when a user enters their username & password to log in it is displayed in the address bar doesn't bother you?

If so then you have no right to be admin of a board, especially a one that offers help for HTML Forms and Serverside coding.


I can think of no situation where a user's login information would or should be available via the address bar.
zylstra
Site Admin


Joined: 10 May 2004
Posts: 125

Posted: Mon Mar 20, 2006 10:17 pm

degsy, please tell me why you think it is important that the address bar not show the password.
degsy



Joined: 23 Feb 2005
Posts: 2440
Location: North East, UK

Posted: Tue Mar 21, 2006 11:00 am

The programmers have gone to a lot of trouble to set up a board with many security functions.

One of them was the industry standard of using POST to submit data, especially usernames & passwords. They even hash them in the database for security.

Having the password show in the address bar is just bad practice.
Anyone could be looking over your shoulder and see it. The url can be cached and also bookmarked.


Is there any reason why you have decided to go against the original board coding and the coding of nearly every other major forum script by using GET and allowing the data to be viewed in the address bar?
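An added example, not part of the thread or the forum's code: a URL shown in the address bar is also written to the web server's access log and sent on in the Referer header of later requests, so a defender can audit logs for the leak discussed above. The Apache "combined" log format, the parameter names, the paths and the sample lines are assumptions constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qsl, urlencode, urlunsplit

# Parameter names treated as credentials (assumed; match them to the login form's fields).
SENSITIVE = {"password", "passwd", "pass", "pwd"}

# Apache "combined" format: client, identity, user, time, request line, status, size, referer, agent.
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)

def leaked_params(url):
    """Return the names of credential parameters present in the URL's query string."""
    query = urlsplit(url).query
    return sorted({k for k, _ in parse_qsl(query, keep_blank_values=True)
                   if k.lower() in SENSITIVE})

def redact(url):
    """Mask credential values so a finding can be reported without repeating the secret."""
    parts = urlsplit(url)
    pairs = [(k, "REDACTED" if k.lower() in SENSITIVE else v)
             for k, v in parse_qsl(parts.query, keep_blank_values=True)]
    return urlunsplit(parts._replace(query=urlencode(pairs)))

def scan(lines):
    """Return (line_no, field, param_names, redacted_url) for each logged URL carrying a credential."""
    findings = []
    for no, line in enumerate(lines, 1):
        m = LOG_RE.match(line)
        if not m:
            continue  # not a combined-format line
        # The request target is the address-bar URL; the Referer shows where it travelled next.
        for field in ("target", "referer"):
            names = leaked_params(m.group(field))
            if names:
                findings.append((no, field, names, redact(m.group(field))))
    return findings

# Constructed sample lines (not taken from any real log): POST login, redirect to a GET, then an image fetch.
SAMPLE = [
    '203.0.113.5 - - [08/Mar/2006:09:44:01 -0800] "POST /forum/login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [08/Mar/2006:09:44:02 -0800] "GET /forum/index.php?username=alice&password=hunter2&login=Log+in HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [08/Mar/2006:09:45:10 -0800] "GET /images/logo.gif HTTP/1.1" 200 900 "http://forum.example/forum/index.php?username=alice&password=hunter2&login=Log+in" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for finding in scan(SAMPLE):
        print(finding)
```

The POST line itself produces no finding because the form body is not logged; the leak appears only once the credentials are copied into a URL.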
All times are GMT - 8 Hours