passwords to CGI

Paul Rubin phr-n2002b at NOSPAMnightsong.com
Wed Jan 15 17:05:04 CET 2003


and-google at doxdesk.com (Andrew Clover) writes:

> > Is there a way to encrypt a password before it is sent?
> 
>   A. Use SSL.
>   B. Use HTTP Digest Authentication.
>   C. Use client-side scripting to hash the password.
> 
> (A) is good, but implies the hassle of getting certificates, and
> an HTTPS server if you are not already using one.
> 
> (B) is great, but is not well-supported by user agents. (read:
> no-go on Internet Explorer)
> 
> (C) is effective but requires the user to have JavaScript enabled.

If you read the OP's article, A and B don't help with the stated
problem.  The issue is the password showing up in the browser
navigation bar, not it being sniffable in transit over the internet.

The fix is to use HTTP POST instead of GET to send the password.  A
kludgy workaround might have been to respond to the GET with an HTTP
redirect after validating the password and setting a session cookie.




More information about the Python-list mailing list