Solved

login script

Posted on 2000-04-24
Last Modified: 2010-03-05
How do I keep a password from showing up in the location field of a browser? I don't want to use cookies.  I can redirect the page, but even before redirecting, the password is displayed momentarily in the location.
Question by:microboard
 

Expert Comment

by:HedgeMaze
What are you sending the password to?

If you're using the POST method to send your form data to a "processor" program it shouldn't display the $ENV{'CONTENT_LENGTH'} variable (everything after the "?").

Try using POST if you're not already.  That should clear up the problem.

Author Comment

by:microboard
The POST method seems to have a problem of its own. When using POST, the page sends a warning box asking if I want to repost from data whenever I try to reload it. So unless that can be avoided, I need to figure out a way to keep the fields from being shown while using the GET method.

I'm rejecting your answer only because I want to hear any other responses but I will give you the points if you can tell me how to sort out the POST trouble; because it does me no good the way it is.

(please leave a comment next time)

Expert Comment

by:HedgeMaze
Okay, this'll be a bit work intensive but here's a solution.  The message you're seeing when you reload using POST is not actually the script giving you problems.  It's actually a browser thing.  The one way to get around this little quirk is to minimize the need to reload the page.

I'm guessing you're using perl to process a login of some sort.  Have the script that handles the validation of the password generate some sort of html page.  From that HTML page, have a link to the form instead of making it necessary to reload.

Don't you hate when browsers try to be helpful?

Regards,

Rob.

Expert Comment

by:HedgeMaze
HedgeMaze changed the proposed answer to a comment

Expert Comment

by:maneshr
How about using a hidden field which does not have the actual password, but a reference to some kind of temporary file on your server that has the actual password?

Also, this hidden field would be some kind of random number that would change every time.


Author Comment

by:microboard
HedgeMaze, I've actually thought of the idea of creating a new HTML page and directing the member to it, but I thought perhaps it would create an over-abundance of pages on my site! So far you're still getting the points but I don't want the member to bookmark the created HTML page. So is it possible to know when a member leaves the site and to delete the created page after a certain period? Since that actually goes into another question, I'll increase the points for an answer to that, but I still need some input on the POST/GET situation. That is, is there no way to hide the fields with the GET method?

maneshr, how do I know which file to reference if I used a random number?

Expert Comment

by:HedgeMaze
Actually, all you have to do is have the script that processes the login generate the page.  That way, if they attempt to bookmark the page they'll be bookmarking the script which should have an error message generated if it is accessed without the form input.  For example, if you've ever seen Matt Wright's WWWboard, if you try to actually access the wwwboard.cgi script without inputting data via the html form it will error out stating that the user needs to provide required data (with a link back to the original form).  That would render bookmarking absolutely useless.

Rob.

Expert Comment

by:HedgeMaze
Oh, and I'm not really worried about the points.  I'm having fun with this site.  It's neat that I can do what I love (and I learn quite a bit in the process) which is work with the Internet, Perl and programming.

Author Comment

by:microboard
Ok I know this continuing questioning of mine is probably irritating but let me run you through a sample login to my site:

After the username and password are POSTED to the script, the script in turn looks up the ID number and substitutes the ID for the password, it then creates an HTML page on the fly. So in the location (by using POST instead of GET) is the domain name and the script page, which is fine. That's not a problem; however, refreshing that page of course gets the "POST FROM DATA" message box.

I can create HTML pages without any trouble but my page allows note-taking, which means a person can type themselves a message then have the page display that message in the page itself. To do that, I need to refresh the page. I thought about creating a true HTML page (with the HTM extension) that had all the values created in it which I would need for any particular person, then I would simply redirect them to this newly created page. But then the problem comes up that I would have a lot of pages I was putting on my server, and then I figured they could also just bookmark that page, which I don't want.

The trouble is, I need reference to the password or ID even after the POST has gone through. Am I making sense here? I've gotten better at perl script but some things still elude me.


Accepted Solution

by:
HedgeMaze earned 75 total points
Okay.  Here's a thought.  In the html page that is created on the fly (after the login has been created), have two hidden variables:
1)  a variable called "ID" which tracks the user's ID.  This id is used to cross reference the user's profile.
2)  a variable called "action" which drives an if-then statement that tests the value of action.

Now on the html page that's generated on the fly, put in a form with only a submit button named "refresh".  Have the form action = the script and then when the script is called from the "refresh" version of the script it will do the following:

1)  Bypass the password validation.
2)  use the variable in "ID" to set the user's profile.
3)  Regenerate the html page with the new data.

What you've done is bypassed the need to reload the page to display new data, negated showing the password in the URL field, prevented users from bookmarking the page and viewing the data without logging in.

Now here's something important:  If the script is called without the action variable set to "refresh" or something similar it needs to either error out or display the login script.

Does that help?  Oh, and you're not being irritating.  I'm having a blast.

Rob.
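
An added example, not code from the thread: one way to build the hidden-field refresh form described in the accepted solution so that the script can check the `ID` it receives is one it issued after a successful password check, and recently. The names `issue_token` and `verify_token`, the `$SECRET` placeholder, and the 15-minute lifetime are assumptions made for illustration.

```perl
#!/usr/bin/perl
# Added example: signed value for the hidden field of the "refresh" form.
use strict;
use warnings;
use Digest::SHA qw(hmac_sha256_hex);

# Assumption: a server-side secret stored outside the web root (placeholder).
my $SECRET  = 'replace-with-long-random-server-secret';
my $MAX_AGE = 15 * 60;    # assumption: a refresh form stays valid 15 minutes

# Called once the password check has succeeded; the returned string is
# written into the hidden field of the generated page instead of a bare ID.
sub issue_token {
    my ($id, $now) = @_;
    $now //= time;
    my $payload = "$id:$now";
    return $payload . ':' . hmac_sha256_hex($payload, $SECRET);
}

# Called when action=refresh. Returns the user ID, or nothing, in which
# case the script should show the login form.
sub verify_token {
    my ($token, $now) = @_;
    $now //= time;
    return unless defined $token
        && $token =~ /\A(\d+):(\d+):([0-9a-f]{64})\z/;
    my ($id, $issued, $mac) = ($1, $2, $3);
    my $expected = hmac_sha256_hex("$id:$issued", $SECRET);
    # Compare every character so timing does not reveal where they differ.
    my $diff = 0;
    $diff |= ord(substr($mac, $_, 1)) ^ ord(substr($expected, $_, 1)) for 0 .. 63;
    return if $diff;
    return if $issued > $now || $now - $issued > $MAX_AGE;
    return $id;
}

# Constructed demonstration values.
my $t0    = 1_000_000;
my $token = issue_token(42, $t0);
(my $altered = $token) =~ s/\A42:/43:/;    # ID changed after the token was issued

printf "valid:   %s\n", verify_token($token,   $t0 + 60)   // 'login required';
printf "altered: %s\n", verify_token($altered, $t0 + 60)   // 'login required';
printf "expired: %s\n", verify_token($token,   $t0 + 3600) // 'login required';
```

Each regenerated page should carry a freshly issued token so the lifetime restarts with every refresh.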

Author Comment

by:microboard
Adjusted points from 50 to 75

Author Comment

by:microboard
Hey early signs show this is going to work just fine! Thanks a lot for your help!

Expert Comment

by:HedgeMaze
No problem.