[1202] in WWW Security List Archive
Re: cgi communication
daemon@ATHENA.MIT.EDU (Tudor Hulubei)
Sat Dec 2 07:53:43 1995
Date: Sat, 2 Dec 1995 12:10:52 +0200
From: Tudor Hulubei <chang!tudor@pub.ro>
Cc: www-security@ns2.rutgers.edu, www-security@cs.utexas.edu
Errors-To: owner-www-security@ns2.rutgers.edu
Hello,
I would like to know if there is any method to pass information
between cgi scripts. Heere it is what I want to do:
Script A asks for a password. If the password is ok, script A issue a
HTML document that will contain a form. If you press the `submit'
button on that form, script B will get called.
Both A and B are in the /cgi-bin directory. I don't want to let
people call B directly. Is there any way to communicate between
cgi scripts ? I think A should pass the password to B, B check it
again, and so on. Is this correct ?
However, I don't want to allow people to see the information passed
to B. It seems that netscape displays the URI, including the password
fields, when using method="GET". If I use method="POST" the URI is no
longer displayed, but netscape issue a warning saying that the
information I am submitting can be intercepted by a third party.
I also don't want people to call B directly and supply the appropriate
fields. I want to make sure B is called only as a result of success
in A.
Do yuo think "hidden" form fields will do the job ?
Why does netscape issue that warning ?
Thanks,
Tudor
