Tek-Tips is the largest IT community on the Internet today!

Members share and learn making Tek-Tips Forums the best source of peer-reviewed technical information on the Internet!

Register Log in
  • Congratulations IamaSherpa on being selected by the Tek-Tips community for having the most helpful posts in the forums last week. Way to Go!

how to redirect a page

Status
Not open for further replies.
redss

redss

Programmer
Oct 20, 2002
195
My website accepts a username/password (using a perl cgi script) and redirects a user to an external website, and automatically logs the user in by sending the following headers:
Code: 
Content-type: text/html
Location: [URL unfurl="true"]https://www.mysite.com/handler.cgi?user=foo?password=bar[/URL]
As you can see, it is passing cgi parameters (user,password) using the get method.

The problem is that the password is left visible in cleartext in the browser history so another user on that computer can find out the password.

Is there a way to accomplish this using the POST method so that the password will not show up?
 
Sort by date Sort by votes
Hi

No. That [tt]Location[/tt] header tells to the browser to go forward to the specified URL. So the browser will formulate a new request and send it to that address. You on server side have no way to influence what and how the browser will send.

You should re-think your site's authentication mechanism.

Feherke.
 
Upvote 0 Downvote
One possibility would be to create a session on the second server, and redirect to that.

Authentication taken care of at the first box, make request on second box, create session token, and append that to redirection string.

When the session expires or is logged out they won't be able to get back in without reauthenticating against server 1, and all that will be visible in the browser will be the site url, and a token which should be either expired or implicitly logged off from the server

Just a thought


Paul
------------------------------------
Spend an hour a week on CPAN, helps cure all known programming ailments ;-)
 
Upvote 0 Downvote
I found a way to do this: Return a page with no visible content, but include the appropriate data in a form:
Code: 
<form name="myform" action="[URL unfurl="true"]http://www.mysite.com/handler.cgi"[/URL] method="post">
<input type="hidden" name="user" value="foo">
<input type="hidden" name="password" value="bar">
</form>
and immediately afterwards include some javascript:
Code: 
<script language="javascript">
document.myform.submit();
</script>
 
Upvote 0 Downvote
Hi

Yes, that is also a way to do it. If you do not care about the document containing the password in the browser cache...

Why not send that password's md5 or sha1 checksum ?

Feherke.
 
Upvote 0 Downvote
Status
Not open for further replies.

Similar threads

khanUlm
  • Locked
  • Question
Redirect to another page using cgi
Replies
0
Views
589
khanUlm
khanUlm
RWCherry
  • Locked
  • Question
uploading .rtf files to the web
Replies
7
Views
247
audiopro
audiopro
dolfantimmy
  • Locked
  • Question
Returning large binary to browswer via CGI
Replies
8
Views
876
dolfantimmy
dolfantimmy
jb53403
  • Locked
  • Question
Allowing CGI script to read directory?
Replies
0
Views
535
jb53403
jb53403
kkarlekar
  • Locked
  • Question
start a streaming session to a web server using HTTP connect protocol.
Replies
1
Views
558
MillerH
MillerH

Part and Inventory Search

Sponsor

Back
Top