[3468] in WWW Security List Archive


Re: CGI Security

daemon@ATHENA.MIT.EDU (Pierre-Yves Bonnetain)
Wed Nov 6 06:47:54 1996

Date: Wed, 6 Nov 1996 10:15:52 +0100
From: Pierre-Yves Bonnetain <pyb@cadrus.fr>
To: PARIVASH@cc1.unt.edu
CC: www-security@ns2.rutgers.edu
In-reply-to: <5ACAB120976@cc1.unt.edu> (PARIVASH@cc1.unt.edu)
Errors-To: owner-www-security@ns2.rutgers.edu

> 
> Hello everyone,
> 
> I have written a cgi application in C, which creates a document. The 
> user is then asked to input their ID and PIN #. The user then submits 
> the document (method "POST"), and gets some information back. 
> 
> There is a security problem with the above CGI application. What if 
> the user is in the lab, and does not close his navigator? Someone 
> can come along and click on the "back button" on their browser, and 
> find out the user ID and PIN #. 
> 
> What can I do so that the document is not cached, or to make the 
> document expire from the cache? So if a user does click on the back 
> button on their browser, it will now show the document with the ID 
> and PIN #. 
> 
> 
   I think you would be better off using the HTTP authentication scheme (i.e.
with user and password à la UNIX). Those are indeed memorized by the client,
but they stay in its memory (never on the disk).
   So your document/program would be access-protected. Any access will trigger
the Identification window on the client side. He will fill in the information,
which will be transmitted to your CGI program, which will read its environment
to get the user information.
   HTH,
-- 
-+-+ Pierre-Yves BONNETAIN (aka Pyb)
     Consultant Internet/Securite
     B & A Consultants - PROXIMA - Rue des Pyrénées
     31330 Grenade-Sur-Garonne - FRANCE
     Tel : 0 562.793.261 - Fax : 0 561.824.221
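
An added example (not from either poster) of the approach the reply describes, written in C as in the original question: the CGI reads the AUTH_TYPE and REMOTE_USER variables that the web server sets once it has verified the HTTP authentication credentials, so the program never handles the password itself, and it marks its own response as uncacheable to address the back-button concern. It assumes the server has access protection configured for the script's URL and runs it under CGI/1.1; the "Hello" body text is a placeholder.

```c
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <strings.h>

/* Name of the user the web server authenticated, or NULL if the request was
 * not authenticated (the script should then refuse to produce the document). */
const char *cgi_authenticated_user(void)
{
    const char *type = getenv("AUTH_TYPE");
    const char *user = getenv("REMOTE_USER");

    if (type == NULL || user == NULL || user[0] == '\0')
        return NULL;
    /* Only trust schemes the server itself verifies. */
    if (strcasecmp(type, "Basic") != 0 && strcasecmp(type, "Digest") != 0)
        return NULL;
    return user;
}

/* Write the CGI response for an authenticated user to 'out'.  The headers ask
 * the browser and any proxy not to keep a copy: Cache-Control for HTTP/1.1,
 * Pragma and an already-expired Expires for HTTP/1.0 caches.
 * Returns 0 on success, -1 on a write error. */
int write_private_response(FILE *out, const char *user)
{
    int n = fprintf(out,
        "Content-Type: text/plain\r\n"
        "Cache-Control: no-store, no-cache, must-revalidate\r\n"
        "Pragma: no-cache\r\n"
        "Expires: Thu, 01 Jan 1970 00:00:00 GMT\r\n"
        "\r\n"
        "Hello, %s. This page is private and not cached.\r\n", user);
    return n < 0 ? -1 : 0;
}

/* Unauthenticated requests get a 403; the server, not the script, issues the
 * 401 that pops up the browser's login window when auth is configured. */
int main(void)
{
    const char *user = cgi_authenticated_user();
    if (user == NULL) {
        printf("Status: 403 Forbidden\r\nContent-Type: text/plain\r\n\r\n"
               "Authentication required.\r\n");
        return 0;
    }
    return write_private_response(stdout, user) == 0 ? 0 : 1;
}
```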
