CGI question: safe passwords possible?

Gerhard Häring gh at ghaering.de
Fri May 30 20:55:21 EDT 2003


In article <mailman.1054338287.30346.python-list at python.org>, Ian Bicking wrote:
> On Fri, 2003-05-30 at 17:01, Will Stuyvesant wrote:
>> I do CGI programming with Python and I know how to make HTML forms
>> with "user" and "password" fields.  But these get sent "in the clear"
>> over internet, somebody told me.  I have no power over the webserver
>> (it's in the hands of my service provider and they generally do not
>> want to install/change/configure thing).  Is there any way to do
>> Name+Password safely using just CGI and Python, so only users with a
>> valid Name+Password can get access to the next CGI scripts?
> 
> Yes, you can have the client hash the password using JavaScript. 

Blargh. JavaScript.

> You can find free code for doing MD5 or SHA hashing in JavaScript, and
> then use code kind of like:
> 
> <form action="whatever" onSubmit="dohash(this)">
> [...]

Riiiight. So how exactly does this help against a man-in-the-middle
attack?

The proper solution IMO is to let the webserver authenticate the user.
With HTTP Digest authentication this is probably the safest you can get
without going SSL.

Even in a hosted environment you should be able to upload a simple
.htaccess file that does this for you.

-- Gerhard
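To make the Digest suggestion concrete, here is an added example (not code from the thread or from any of the posters) that walks through one HTTP Digest exchange in Python: the server keeps only the HA1 value that an htdigest file stores, sends a nonce, the client answers with the RFC 2617 response hash, and the server recomputes it and rejects a replayed header by checking the nonce count. The names REALM, htdigest_line, DigestServer and client_response are assumptions made for this illustration; the credential store contents are constructed.

```python
"""HTTP Digest authentication (RFC 2617, qop=auth) worked through end to end.
Added example: REALM, htdigest_line, DigestServer and client_response are
illustrative names, not an Apache or standard-library API."""

import hashlib
import hmac
import secrets

REALM = "members"  # constructed; must match the AuthName the server advertises


def md5_hex(s: str) -> str:
    # RFC 2617 Digest uses MD5 for HA1, HA2 and the final response.
    return hashlib.md5(s.encode("utf-8")).hexdigest()


def htdigest_line(user: str, password: str, realm: str = REALM) -> str:
    """One line in the user:realm:HA1 layout of an htdigest file.
    The server stores HA1 = MD5(user:realm:password), never the password."""
    return f"{user}:{realm}:{md5_hex(f'{user}:{realm}:{password}')}"


def load_htdigest(text: str) -> dict:
    """Parse htdigest-style text into {(user, realm): HA1}."""
    creds = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        user, realm, ha1 = line.split(":", 2)
        creds[(user, realm)] = ha1
    return creds


class DigestServer:
    """Issues challenges and verifies responses; tracks the nonce count so a
    captured Authorization header cannot simply be sent again."""

    def __init__(self, creds: dict):
        self.creds = creds
        self.nonces = {}  # nonce -> highest nc accepted so far

    def challenge(self) -> dict:
        # Goes out as: WWW-Authenticate: Digest realm="...", qop="auth", nonce="..."
        nonce = secrets.token_hex(16)
        self.nonces[nonce] = 0
        return {"realm": REALM, "qop": "auth", "nonce": nonce}

    def verify(self, method: str, auth: dict) -> bool:
        if auth["nonce"] not in self.nonces:      # unknown or expired nonce
            return False
        nc = int(auth["nc"], 16)
        if nc <= self.nonces[auth["nonce"]]:      # replayed nonce count
            return False
        ha1 = self.creds.get((auth["username"], auth["realm"]))
        if ha1 is None:                           # unknown user
            return False
        ha2 = md5_hex(f"{method}:{auth['uri']}")
        expected = md5_hex(
            f"{ha1}:{auth['nonce']}:{auth['nc']}:{auth['cnonce']}:{auth['qop']}:{ha2}")
        if not hmac.compare_digest(expected, auth["response"]):
            return False
        self.nonces[auth["nonce"]] = nc
        return True


def client_response(user, password, method, uri, challenge,
                    nc="00000001", cnonce=None) -> dict:
    """What the browser computes for the Authorization: Digest header."""
    cnonce = cnonce or secrets.token_hex(8)
    ha1 = md5_hex(f"{user}:{challenge['realm']}:{password}")
    ha2 = md5_hex(f"{method}:{uri}")
    response = md5_hex(
        f"{ha1}:{challenge['nonce']}:{nc}:{cnonce}:{challenge['qop']}:{ha2}")
    return {"username": user, "realm": challenge["realm"],
            "nonce": challenge["nonce"], "uri": uri, "qop": challenge["qop"],
            "nc": nc, "cnonce": cnonce, "response": response}


def demo() -> tuple:
    """Returns (wrong password accepted?, right password accepted?, replay accepted?)."""
    # Constructed store, as `htdigest` would write it for user "will".
    server = DigestServer(load_htdigest(htdigest_line("will", "correct horse")))
    chal = server.challenge()
    uri = "/cgi-bin/members.py"
    bad = client_response("will", "wrong", "GET", uri, chal)
    good = client_response("will", "correct horse", "GET", uri, chal)
    return (server.verify("GET", bad),     # False: hash mismatch
            server.verify("GET", good),    # True
            server.verify("GET", good))    # False: same nc seen again


if __name__ == "__main__":
    print(demo())
```

On Apache the same thing is configured rather than coded: an `.htaccess` with `AuthType Digest`, `AuthName "members"`, `AuthUserFile` pointing at the file `htdigest` created, and `Require valid-user`, provided mod_auth_digest is loaded and the host allows `AuthConfig` overrides. Note what Digest does and does not buy: the password never crosses the wire and a captured header is not reusable, but the request body and the page content are still visible, and an active attacker can downgrade or tamper with the exchange, which is why the MD5-based scheme is only the fallback when TLS is unavailable.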
