On Mon, 29 Jul 2002 20:06:09 -0400, [EMAIL PROTECTED] (Jim Lundeen) wrote:
>Here's the question: How do I "post" the LOGIN_USERNAME and USN to the
>MENU.CGI script? I don't want the user "carrying" the info around in
>the "Location" bar as "?USN=1234&LOGIN_USERNAME=somebody" -- I want it
>to be part of the user's Perl process if you know what I mean, so that
>if they hit RELOAD the values are still with them. Too, I don't want
>someone trying to modify the info if it were in the "Location" bar, so
>it needs to be a part of the "post."

One way is to encrypt the username and password with some simple module like RC4, and MIME64 (so it's printable), then send them out as hidden fields in the post forms. Then at the top of your script, check the username and password before doing anything else.

You could combine the username-password set into one variable, maybe call it $session, and separate the two, to split later; I used a pipe here.

If you are not using https, then the original logon password will be sent in plain text over the net. There is a new module out to handle this with javascript; it's called perl-javascript-MD5-login, and it's on freshmeat.net. It allows you to hide your password when not in https. It sends a key, valid for 30 seconds, to a javascript on the browser, which then encrypts it with MD5.
Sections of pseudo-code follow:

##########################################
use Crypt::RC4;
use MIME::Base64;

$s        = $username . '|' . $password;
$session1 = RC4($key, $s);
$session  = encode_base64($session1, '');   # '' = no newline inside the field value
##########################################

#always send the hidden field SESSION in all your forms
######################################################
print <<END_HTML;
<table width=100% border=2><tr>
<td><form method=post target=_self action="$server_address$cgi">
<input type=text size=30 name=whatiwant value=default>
<input type=hidden name=SESSION value="$session">
<input type=submit value="DO IT">
</form></td>
END_HTML
#####################################################

At the top of your script, after you decode the params, have a sub getpass, something like:

#######################################################
$ptest = $param{SESSION};
$pd    = decode_base64($ptest);
$pd1   = RC4($key, $pd);
# '|' must be escaped: as a bare pattern it is regex alternation
($username, $password) = split(/\|/, $pd1, 2);
# ...... here check they are good names and passwords
# ...... if good, continue, else send error message
#####################################################
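
Added example (not part of the original message and not the poster's code): one way to carry the login state in a hidden field so that a modified value is rejected, by signing the field with an HMAC and a timestamp rather than sending the password back in every form. The secret, the 30-minute lifetime, the field layout and the function names are assumptions made for illustration; Digest::SHA and MIME::Base64 are core Perl modules.

```perl
use strict;
use warnings;
use Digest::SHA qw(hmac_sha256_hex);
use MIME::Base64 qw(encode_base64 decode_base64);

# Assumptions: a secret that never leaves the server, and a token lifetime.
my $SECRET  = 'constructed-example-secret-change-me';
my $MAX_AGE = 30 * 60;    # seconds

# Hidden-field value: base64("user|usn|issued") . "." . HMAC-SHA256 of that base64.
sub make_session {
    my ($username, $usn) = @_;
    die "'|' not allowed in fields\n" if "$username$usn" =~ /\|/;
    my $b64 = encode_base64(join('|', $username, $usn, time), '');
    return $b64 . '.' . hmac_sha256_hex($b64, $SECRET);
}

# Returns (username, usn) if the token is unmodified and fresh, else an empty list.
sub check_session {
    my ($token) = @_;
    return unless defined $token
        && $token =~ /\A([A-Za-z0-9+\/=]+)\.([0-9a-f]{64})\z/;
    my ($b64, $mac) = ($1, $2);
    my $expect = hmac_sha256_hex($b64, $SECRET);
    # Compare every character so timing does not reveal where the MACs differ.
    my $diff = 0;
    $diff |= ord(substr($mac, $_, 1)) ^ ord(substr($expect, $_, 1)) for 0 .. 63;
    return if $diff;
    my ($username, $usn, $issued) = split /\|/, decode_base64($b64), 3;
    return unless defined $issued && $issued =~ /\A\d+\z/;
    return if time - $issued > $MAX_AGE;
    return ($username, $usn);
}

# Constructed sample values, taken from the question's example URL.
my $tok = make_session('somebody', 1234);
my @ok  = check_session($tok);
(my $bad = $tok) =~ s/\A(.)/$1 eq 'A' ? 'B' : 'A'/e;   # change one character
my @rej = check_session($bad);
print "hidden field value: $tok\n";
print "intact token   -> ", (@ok  ? "accepted (@ok)" : "rejected"), "\n";
print "modified token -> ", (@rej ? "accepted"       : "rejected"), "\n";
```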