> -Original Message-
> From: Ovid [mailto:[EMAIL PROTECTED]]
> Sent: Tuesday, June 25, 2002 3:34 PM
> To: Niko Gunadi; Beginners cgi
> Subject: Re: Fwd: passing variables in POST
>
>
> I was under the
> impression that Apache::Session required Apache. I'
--- Niko Gunadi <[EMAIL PROTECTED]> wrote:
> >thanks very much Ovid, it was very nice of you, but can you complete your
> >favour and describe how to implement Apache::Session, I mean, what's the use
> >of that module if I could generate a session id with md5?
>
> you actually can use CGI::Session
>thanks very much Ovid, it was very nice of you, but can you complete your
>favour and describe how to implement Apache::Session, I mean, what's the use
>of that module if I could generate a session id with md5?
you actually can use CGI::Session, the front end of Apache::Session.
By using this mod
> my $md5= new Digest::MD5;
> my $remote = $ENV{ REMOTE_ADDR } . $ENV{ REMOTE_PORT } . $self->{ _rand };
> my $id = $md5->md5_base64( time, $$, $remote );
> $id=~ tr|+/=|-_.|; # Make non-word characters URL-friendly
>
> The "Make ... URL-friendly" part is in case I need to
Marty, et al --
...and then Marty Landman said...
%
% At 05:47 AM 6/25/02 -0700, John Brooking wrote:
%
...
% > But wait, there's more! Even if your script *did*
% >check the referer, that's no protection either! An
% >experienced programmer can easily use Perl's LWP
% >module or its equivalen
--- Marty Landman <[EMAIL PROTECTED]> wrote:
> > ...
> >check the referer, that's no protection either! An
> >experienced programmer can easily use Perl's LWP
> >module or its equivalent in some other language to
> >make the request with a faked referer variable. So
> >really, POST variables are n
--- John Brooking <[EMAIL PROTECTED]> wrote:
> So
> really, POST variables are no more secure than GET
> variables, it just takes a little more doing to fake
> them.
Side note (without really reading the rest of the thread :)
The reason that many people think POST is more secure than GET is bec
--- [EMAIL PROTECTED] wrote:
> what about a session id based on their IP? or some relevant info like that?
Here's how I create session IDs:
my $md5= new Digest::MD5;
my $remote = $ENV{ REMOTE_ADDR } . $ENV{ REMOTE_PORT } . $self->{ _rand };
my $id = $md5->md5_base64( time, $$, $remo
At 05:47 AM 6/25/02 -0700, John Brooking wrote:
> As David says, the place that you can see the
>"hidden" variables is in the page where the form is,
>before you submit it.
Got that now, thx John.
> But wait, there's more! Even if your script *did*
>check the referer, that's no protection e
Marty,
David's explaining it pretty well, but let me take
another crack at it. I was in your position about a
year ago and got royally (and publicly) flamed on
the perl beginners list by a security admin for
deigning to give CGI advice without knowing this, so I
got what you might call a cras
Marty --
...and then Marty Landman said...
%
% At 06:50 AM 6/25/02 -0500, David T-G wrote:
%
...
% >view the page source and you will see the form structure and the hidden
% >(note that "hidden" simply means "don't bother to try to display on the
% >page", not "secretly encrypted or made to dis
At 06:50 AM 6/25/02 -0500, David T-G wrote:
>When you have page1 loaded and you're about to press the submit button
>to send it, and your secret var1, off to the script, don't; instead,
>view the page source and you will see the form structure and the hidden
>(note that "hidden" simply means "don
Marty --
...and then Marty Landman said...
%
% At 06:06 AM 6/25/02 -0500, David T-G wrote:
%
% >If the variables are in the page to be in the form to be
% >sent back via POST, then the user can find them, period.
% >
% >Try it yourself: set up something via POST and then surf to the page
% >and
At 06:06 AM 6/25/02 -0500, David T-G wrote:
>If the variables are in the page to be in the form to be
>sent back via POST, then the user can find them, period.
>
>Try it yourself: set up something via POST and then surf to the page
>and then "view source" or the equivalent in your browser (and if
Niko, et al --
...and then Niko Gunadi said...
%
% On Mon, Jun 24, 2002 at 02:35:06PM -0700, Ovid wrote:
% >Niko,
% >
% >If you pass the variables to the page, the user can find them, period. If you control the output
...
%
% From what I know (which is limited :), if we pass the variable in
--- Begin Message ---
what about a session id based on their IP? or some relevant info like that?
may be a stupid way to do it.. but I track the "count" of how many users are
currently at my site by their IP/timestamp that is saved for 5 min. if
someone accesses the web site 5+ min after a t
On Mon, Jun 24, 2002 at 02:35:06PM -0700, Ovid wrote:
>Niko,
>
>If you pass the variables to the page, the user can find them, period. If you
>control the output
>of the other page, you'll need to create some sort of persistence mechanism.
>Typically, this is
>done by assigning session ids, sa
--- Niko Gunadi <[EMAIL PROTECTED]> wrote:
> Hii,
>
> I want to create a link to another page and want to pass some variables
> in which I do not want the user to know. (POST method)
>
> how to do that ?
>
> regards,
> niko
Niko,
If you pass the variables to the page, the user can find
Only way I know of is to have the variables in their
own private form somewhere on the page, such as: (HTML
tags embedded in email message here!)
Then have the link submit the form programmatically
using javascript:
Click here
You should be aware, if you are not alr
Hii,
I want to create a link to another page and want to pass some variables
in which I do not want the user to know. (POST method)
how to do that ?
regards,
niko