CGI question: safe passwords possible?

Erik Max Francis max at alcyone.com
Fri May 30 18:16:03 EDT 2003


Will Stuyvesant wrote:

> I do CGI programming with Python and I know how to make HTML forms
> with "user" and "password" fields.  But these get sent "in the clear"
> over the internet, somebody told me.  I have no power over the webserver
> (it's in the hands of my service provider and they generally do not
> want to install/change/configure things).  Is there any way to do
> Name+Password safely using just CGI and Python, so only users with a
> valid Name+Password can get access to the next CGI scripts?

There are ways to minimize the duration of the password exposure (e.g.,
authenticate and redirect to another page that bundles the session
information in an unreadable "ticket" that binds to the user and IP
address so someone else can't use it for its duration), but with pure
CGI there's no way to eliminate the exposure itself.

The only solution is to run the CGI scripts under SSL, which requires
changing the Web server.

-- 
   Erik Max Francis && max at alcyone.com && http://www.alcyone.com/max/
 __ San Jose, CA, USA && 37 20 N 121 53 W && &tSftDotIotE
/  \ It's just another day / And nothing's any good
\__/  Sade
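
The "ticket" idea described in the reply above, as an added example that is not part of the original post: after the password check, the script issues a ticket bound to the user, the client IP (REMOTE_ADDR in CGI) and an expiry time, and later scripts verify it. Assumptions: HMAC-SHA256 makes the ticket tamper-evident rather than encrypted, and `SECRET_KEY`, `TICKET_TTL`, `issue_ticket` and `verify_ticket` are hypothetical names; without SSL the password and the ticket still cross the wire in the clear.

```python
import base64
import hashlib
import hmac
import time
from typing import Optional

SECRET_KEY = b"constructed-demo-key"  # assumption: server-side secret, never sent to clients
TICKET_TTL = 900                      # assumption: ticket lifetime in seconds


def _sign(payload: bytes) -> bytes:
    return hmac.new(SECRET_KEY, payload, hashlib.sha256).digest()


def issue_ticket(user: str, client_ip: str, now: Optional[float] = None) -> str:
    """Call once, after the name+password check has succeeded."""
    expires = int((time.time() if now is None else now) + TICKET_TTL)
    user_b64 = base64.urlsafe_b64encode(user.encode()).decode()
    # The IP is covered by the MAC but not stored in the ticket itself.
    mac = _sign(f"{user_b64}|{expires}|{client_ip}".encode())
    return f"{user_b64}.{expires}.{base64.urlsafe_b64encode(mac).decode()}"


def verify_ticket(ticket: str, client_ip: str,
                  now: Optional[float] = None) -> Optional[str]:
    """Return the user name if the ticket is valid for this IP and time, else None."""
    try:
        user_b64, expires_s, mac_b64 = ticket.split(".")
        expires = int(expires_s)
        mac = base64.urlsafe_b64decode(mac_b64)
        user = base64.urlsafe_b64decode(user_b64).decode()
    except (ValueError, UnicodeDecodeError):
        return None  # malformed ticket
    expected = _sign(f"{user_b64}|{expires}|{client_ip}".encode())
    if not hmac.compare_digest(mac, expected):
        return None  # altered ticket, or presented from a different IP
    if (time.time() if now is None else now) >= expires:
        return None  # ticket has expired
    return user


if __name__ == "__main__":
    # Constructed sample values (documentation IP ranges).
    t = issue_ticket("will", "192.0.2.10")
    print(verify_ticket(t, "192.0.2.10"))    # same client
    print(verify_ticket(t, "198.51.100.7"))  # ticket replayed from another address
```
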



