I have to secure a newly developed web search service that deals with
sensitive fiscal information; this originally consisted of Perl scripts that
called html pages or other scripts. The default page ran a rudimentary login
script that launched a variety of html pages or further scripts; the html
pages in turn also ran scripts, and one page also runs an IDC search.
To disallow direct access to the html I have 'moved' this inside the
appropriate Perl scripts so a valid password displays the html page and an
invalid password returns you to the login script. The password is passed
between the scripts using the post method so it won't show up on the URL
bar.
I have two questions.
1) What benefits if any are there from checking the entered passwords
against a file or database table as opposed to having a valid password or
list of passwords held within the initial validation script?
The password will be changed regularly, and the server being changed to
display the script text by mistake is unlikely.
2) What dangers, if any, are inherent in passing the password between the
scripts to verify the users' access?
This is an Intranet site so the only sniffers should be people with
colds!
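The two questions above come down to one design: keep the credential out of the scripts and out of every request after login. As an added example (not the poster's code, and not a library the post mentions), the Perl CGI sketch below checks the submitted password against a file of salted SHA-256 records and then issues a random session token in a cookie, so later scripts only ever see the token. The file paths, the cookie name, the idle timeout and the `search.pl` redirect target are assumptions chosen for the example; only core modules are used.

```perl
#!/usr/bin/perl
# Added example, not from the original post. Password records are checked
# from a file (question 1) and later scripts receive a session token rather
# than the password itself (question 2). Paths and names below are assumed.
use strict;
use warnings;
use Digest::SHA qw(sha256_hex);

my $PASSWD_FILE = '/etc/search-app/passwd';        # assumed: lines of "user:salt:sha256hex"
my $SESSION_DIR = '/var/lib/search-app/sessions';  # assumed: outside the web root
my $SESSION_TTL = 30 * 60;                          # idle seconds before a login lapses

# Read a POST body and decode it into a hash of form fields (core Perl only).
sub read_post_fields {
    my $len = $ENV{CONTENT_LENGTH} || 0;
    my $body = '';
    read(STDIN, $body, $len) if $len;
    my %f;
    for my $pair (split /&/, $body) {
        my ($k, $v) = split /=/, $pair, 2;
        for ($k, $v) { next unless defined; tr/+/ /; s/%([0-9A-Fa-f]{2})/chr hex $1/ge }
        $f{$k} = $v // '' if defined $k;
    }
    return \%f;
}

# Compare a submitted password with the "user:salt:hash" record for that user.
# Returns 1 on match, 0 otherwise. A real deployment would use a slow KDF
# (bcrypt/scrypt) and a constant-time compare; SHA-256 keeps the example short.
sub verify_password {
    my ($user, $submitted) = @_;
    open my $fh, '<', $PASSWD_FILE or return 0;
    while (my $line = <$fh>) {
        chomp $line;
        my ($u, $salt, $hash) = split /:/, $line, 3;
        next unless defined $hash && $u eq $user;
        return sha256_hex($salt . $submitted) eq $hash ? 1 : 0;
    }
    return 0;
}

# Mint an unguessable token and record the login server-side; the file's
# mtime doubles as the last-activity timestamp.
sub new_session {
    my ($user) = @_;
    open my $rnd, '<', '/dev/urandom' or die "no urandom: $!";
    read $rnd, my $bytes, 32;
    my $token = sha256_hex($bytes);            # 64 hex chars: safe as a filename
    open my $out, '>', "$SESSION_DIR/$token" or die "cannot write session: $!";
    print $out "$user\n";
    close $out;
    return $token;
}

# Every later script calls this instead of re-checking a password. The token
# must be well-formed (no path tricks), exist, and not be idle past the TTL.
sub session_user {
    my ($token) = @_;
    return undef unless defined $token && $token =~ /\A[0-9a-f]{64}\z/;
    my $path  = "$SESSION_DIR/$token";
    my $mtime = (stat $path)[9] or return undef;
    return undef if time - $mtime > $SESSION_TTL;  # idle too long: treat as logged out
    open my $in, '<', $path or return undef;
    chomp(my $user = <$in>);
    close $in;
    utime undef, undef, $path;                     # touch: extend the idle window
    return $user;
}

# Extract the session cookie from the request, if any.
sub cookie_token {
    my ($token) = ($ENV{HTTP_COOKIE} // '') =~ /(?:^|;\s*)session=([0-9a-f]{64})/;
    return $token;
}

# Login script flow: on success set the cookie and redirect; otherwise show the form.
if (($ENV{REQUEST_METHOD} // '') eq 'POST') {
    my $f = read_post_fields();
    if (verify_password($f->{user} // '', $f->{password} // '')) {
        my $token = new_session($f->{user});
        print "Status: 303 See Other\r\n";
        print "Set-Cookie: session=$token; Path=/; HttpOnly\r\n";
        print "Location: /cgi-bin/search.pl\r\n\r\n";  # assumed next script
        exit;
    }
}
print "Content-Type: text/html\r\n\r\n";
print "<form method=\"post\">User <input name=\"user\"> ",
      "Password <input type=\"password\" name=\"password\"> ",
      "<input type=\"submit\" value=\"Log in\"></form>\n";
```

A protected page then starts with `my $user = session_user(cookie_token()) or redirect_to_login();` and never handles the password at all. Keeping the records in a file means a change of password is an edit to that file rather than to every script, and a script source leak exposes no secret; the session directory must not be readable by the web server's document root, and the idle timeout bounds how long a token copied from a colleague's browser remains useful.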