-
Mar 20th, 2003, 04:17 PM
#1
Thread Starter
Lively Member
HttpRequest Security Issue
If someone wants to be able to log into a Website without having to enter a user ID and password, I know it can be done via the HTTPrequest:
www.mysite.com?UserID=me&Password=secret
My application could get the user ID and password from the QueryString and validate it against a database. However, this presents somewhat of a security problem, since anyone who looks at the link can see the user ID and password.
Is there a way to provide an added level of security (e.g. via cookies or some other creative means)?
Thanks.
-
Mar 20th, 2003, 09:41 PM
#2
Addicted Member
It depends who you want to keep it from and how secure you want it.
Querystring logins are bad because they are plainly visible, they get stored in the browser cache, logged in web server logs, and cache servers etc.
At some point you are going to have to take in the data from the user. If you want to keep it from prying eyes, it is best to use an https page.
The form post method coupled with https is the standard mechanism most places use for sensitive logins. Then, in terms of securely identifying them from that point on... then the cookies or querystring session id identifiers come into play. That part could take many pages to really discuss. It all depends on the security you need for it.
Free Code, papers, tools, and more
http://sandsprite.com
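
The flow described in reply #2 (credentials sent by form POST over HTTPS, then a cookie carrying a session id), as an added example that is not part of the original thread. It is framework-independent Python; `handle_login`, `user_for_request`, the `sid` cookie name, the in-memory stores and the sample account are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets
from http.cookies import SimpleCookie
from urllib.parse import parse_qs

# Constructed sample account store: user -> (salt, PBKDF2 hash of the password).
_SALT = secrets.token_bytes(16)
USERS = {"me": (_SALT, hashlib.pbkdf2_hmac("sha256", b"secret", _SALT, 100_000))}
SESSIONS = {}  # session id -> user (in-memory, hypothetical store)
CRED_KEYS = {"userid", "password"}


def handle_login(method, scheme, query_string, body):
    """Return (status, headers) for one login attempt."""
    # Credentials in the URL end up in history, server logs and caches: refuse.
    keys = {k.lower() for k in parse_qs(query_string, keep_blank_values=True)}
    if keys & CRED_KEYS:
        return 400, {}
    if scheme != "https":
        return 403, {}
    if method != "POST":
        return 405, {}
    form = parse_qs(body)
    user = form.get("UserID", [""])[0]
    password = form.get("Password", [""])[0]
    # Unknown users get a dummy record so both paths do the same hashing work.
    salt, stored = USERS.get(user, (b"\0" * 16, b"\0" * 32))
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
    if not (hmac.compare_digest(candidate, stored) and user in USERS):
        return 401, {}
    # From here on the browser presents only a random session id, never the password.
    sid = secrets.token_urlsafe(32)
    SESSIONS[sid] = user
    cookie = f"sid={sid}; Path=/; Secure; HttpOnly; SameSite=Lax"
    return 303, {"Location": "/", "Set-Cookie": cookie}


def user_for_request(cookie_header):
    """Map the Cookie request header back to a logged-in user, or None."""
    jar = SimpleCookie()
    jar.load(cookie_header or "")
    morsel = jar.get("sid")
    return SESSIONS.get(morsel.value) if morsel else None
```

The `Secure` attribute keeps the session cookie off plain HTTP, and `HttpOnly` keeps it out of reach of page scripts.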