passwords to CGI

Erik Max Francis max at alcyone.com
Tue Jan 14 12:26:18 CET 2003


Paul Rubin wrote:

> You should stop looking for kludgy workarounds and fix whatever is
> wrong with POST.  POST is the right way to deal with this type of
> thing.
> Otherwise the password appears not only in the browser but also in
> the server http log.

Ultimately the password is flying around the Internet in plaintext. 
This is simply not acceptable for many applications.  The proper,
complete solution is HTTP over SSL.

> Alternatively, instead of submitting a password to a cgi, use HTTP
> Basic authentication.  That lowers your UI flexibility a little bit,
> but makes the server side programming a little simpler.

HTTP authentication still has passwords flying around in plaintext,
however.

-- 
 Erik Max Francis / max at alcyone.com / http://www.alcyone.com/max/
 __ San Jose, CA, USA / 37 20 N 121 53 W / &tSftDotIotE
/  \ You must surely know / If man made Heaven, then man made Hell
\__/ Level 42
    Polly Wanna Cracka? / http://www.pollywannacracka.com/
 The Internet resource for interracial relationships.




More information about the Python-list mailing list