Marty --

...and then Marty Landman said...
%
% At 06:50 AM 6/25/02 -0500, David T-G wrote:
% ...
% >view the page source and you will see the form structure and the hidden
% >(note that "hidden" simply means "don't bother to try to display on the
% >page", not "secretly encrypted or made to disappear so that nobody can
% >find it") variable right there.
%
% Oops, sorry I didn't follow this thread from the beginning David or I

I wondered about that...

% would've understood your point; which is that hidden form fields aren't....
% and are certainly no place to put data that shouldn't be available over the
% web for site visitors to see.

Yep.

%
% Right?

Absolutely.

%
% >Well, the browser has to know what to send back to your script as STDIN,
% >no? And if it knows what to send, then it must have that on the page
% >somewhere, no? And if it's on the page somewhere then the user can see
% >it, no?
%
% Absolutely... so can a program using LWP, for example. I could even find
% it using the GRABURL Windows app from a batch exec, then parse out the
% hidden form fields on my PC using Java or C++.

Of course. I just wanted to show the easy example, particularly since it's my
understanding that the goal is to keep the user, much less some intelligent
hacker, from seeing this data -- and the user pretty much only has 'view
source' at his disposal, but that's more than enough in this case.

%
% The proper way to handle this kind of requirement imo is to use a hidden
% form field with a key, and then have the server side pgm validate the
% HTTP_REFERER. So the key itself is of no value unless the authenticated
% referer coupled with the key tells the server pgm to access the secured
% info using that key.

Sounds good to me. I actually don't have enough info or experience to design
even a moderately secure system; that's why I'm following this thread.

[My particular target application is a cookie-less clean-URL SSL script
framework; I want something robust and secure so that I can run various
applications, like a calendar or an anonymizer-style wrapper or whatever,
through this script *and* be "different" in two different windows (maybe I
want to talk to two hotmail accounts at once on the same PC, for instance)
and I don't want to have to turn on cookies (though this script should
handle them, if things were REALLY written elegantly) on the PC, where I
leave them and javascript off.]

As with most security and cryptography, though, some holes are easy to spot
and almost as easy to explain, so I jumped in the fray to clarify.

%
% But you already knew that. :)

Well, yeah, but sometimes it takes a while for folks to believe it ;-)

%
% Marty
%
% --
% SIMPL WebSite Creation: http://face2interface.com/Home/Demo.shtml

HAND

:-D
-- 
David T-G                      * It's easier to fight for one's principles
(play) [EMAIL PROTECTED]  * than to live up to them. -- fortune cookie
(work) [EMAIL PROTECTED]
http://www.justpickone.org/davidtg/      Shpx gur Pbzzhavpngvbaf Qrprapl Npg!
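As an added illustration, not code from anyone in this thread, the two points above in Python: a "hidden" field is plain text in the served HTML, so anything that fetches the page can read it, and a server-side check in the shape Marty describes (key in a hidden field plus an HTTP_REFERER test). The sample page, field names and URL prefix are constructed; the comments note that both values the check relies on arrive from the client.

```python
from html.parser import HTMLParser
from typing import Dict

# Constructed sample page: a form carrying a "hidden" field, as discussed above.
SAMPLE_PAGE = """
<html><body>
<form method="post" action="/cgi-bin/lookup">
  <input type="hidden" name="key" value="abc123">
  <input type="text" name="q">
  <input type="submit" value="Go">
</form>
</body></html>
"""


class HiddenFieldParser(HTMLParser):
    """Collects name/value pairs of <input type="hidden"> elements."""

    def __init__(self) -> None:
        super().__init__()
        self.hidden: Dict[str, str] = {}

    def handle_starttag(self, tag, attrs):
        if tag != "input":
            return
        a = {k.lower(): (v or "") for k, v in attrs}
        if a.get("type", "").lower() == "hidden" and "name" in a:
            self.hidden[a["name"]] = a.get("value", "")


def hidden_fields(html: str) -> Dict[str, str]:
    """Everything the browser needs in order to submit the form is in the page
    text, so a 'hidden' field is exactly as readable as View Source (or any
    other HTTP fetch of the page) makes it."""
    p = HiddenFieldParser()
    p.feed(html)
    return p.hidden


def request_allowed(form: Dict[str, str], env: Dict[str, str],
                    expected_key: str, allowed_referer_prefix: str) -> bool:
    """Server-side check in the shape Marty proposes: the key from the hidden
    field only counts when HTTP_REFERER points back at our own form page.
    Caveat: the form body and HTTP_REFERER are both sent by the client, so this
    screens out casual or mis-directed submissions; it is not authentication."""
    referer = env.get("HTTP_REFERER", "")
    return (form.get("key") == expected_key
            and referer.startswith(allowed_referer_prefix))
```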