[3477] in WWW Security List Archive


Re: CGI Security

daemon@ATHENA.MIT.EDU (Ben Camp)
Wed Nov 6 21:40:26 1996

Date: Wed, 06 Nov 1996 17:28:02 -0600
To: Pierre-Yves Bonnetain <pyb@cadrus.fr>, PARIVASH@cc1.unt.edu
From: Ben Camp <benc@geocel.com>
Cc: www-security@ns2.rutgers.edu
Errors-To: owner-www-security@ns2.rutgers.edu

I do not think this will work at all, since browsers DO memorize the password
for as long as you are using the browser (until you close the browser -- but it
can even be cached in the case of Internet Explorer).  Then the browser
usually assumes anything under the current file/directory is part of the same
'realm', which means it automatically transmits the password.

i.e.

A -+--X
   |
   +--Y--+--1
         |
         +--2

So, if you first hit A, then you could access X or Y without reentering a
password.  If, however, you went to Y, you could only access Y, 1, and 2
without reentering a password.  If you did authenticate with Y, then you
would have to reenter the password when you try to access X.  You certainly
will not be reprompted (by default) when you retrieve a document from Y.

Ben Camp



At 10:15 AM 11/6/96 +0100, Pierre-Yves Bonnetain wrote:
>>
>> Hello everyone,
>>
>> I have written a CGI application in C, which creates a document. The
>> user is then asked to input their ID and PIN #. The user then submits
>> the document (method "POST"), and gets some information back.
>>
>> There is a security problem with the above CGI application. What if
>> the user is in the lab, and does not close his navigator. Someone
>> can come along and click on the "back button" on their browser, and
>> find out the user ID and PIN #.
>>
>> What can I do so that the document is not cached or making the
>> document expire from the cache. So if a user does click on the back
>> button on their browser, it will not show the document with the ID
>> and PIN #.
>>
>>
>   I think you would be better off using the HTTP authentication scheme (i.e.
>with user and password a la UNIX). Those are indeed memorized by the client,
>but they stay in its memory (never on the disk).
>   So your document/program would be access-protected. Any access will trigger
>the Identification window on the client side. He will fill in the information,
>which will be transmitted to your CGI program, which will read its environment
>to get the user information.
>   HTH,
>--
>-+-+ Pierre-Yves BONNETAIN (aka Pyb)
>     Consultant Internet/Securite
>     B & A Consultants - PROXIMA - Rue des Pyrénées
>     31330 Grenade-Sur-Garonne - FRANCE
>     Tel : 0 562.793.261 - Fax : 0 561.824.221
>
>
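The two mechanisms this thread talks about, as an added example in Python (not code from the thread or from either poster's CGI program): the headers a CGI program can emit so a page carrying the ID/PIN form is not retained by caches, and a model of the browser behaviour Ben sketches with his tree, which is the rule RFC 2617 gives for Basic authentication (credentials are reused, without a new prompt, for every path at or below the directory of the URL that was challenged). The host names, the realm name, the user "alice" and the PIN are made up for the illustration. The server, not the CGI script, checks the Basic password; CGI/1.1 (RFC 3875) hands the script only AUTH_TYPE and REMOTE_USER, which is what "read its environment" amounts to in practice.

```python
"""Added example, not code from the thread: (1) no-cache CGI headers for a page
that carries an ID/PIN form, and (2) a model of when a browser resends Basic
credentials without prompting (RFC 2617 section 2: every path at or below the
directory of the challenged URL, the "protection space").  Hosts, realm and
credentials are made-up sample values.
"""
import base64
from urllib.parse import urlsplit


def no_cache_headers(content_type="text/html"):
    """Header lines for a CGI response that caches must not keep.

    Cache-Control: no-store is the HTTP/1.1 directive; Pragma and a past
    Expires date cover HTTP/1.0 caches and browsers.  This keeps the page out
    of caches; it does not stop a browser from remembering what was typed into
    form fields, so the safer design never echoes the PIN into any page.
    """
    return [
        "Content-Type: " + content_type,
        "Cache-Control: no-store, no-cache, must-revalidate",
        "Pragma: no-cache",
        "Expires: Thu, 01 Jan 1970 00:00:00 GMT",
    ]


def cgi_response(body, content_type="text/html"):
    """Assemble a full CGI response: header lines, blank line, body."""
    return "\r\n".join(no_cache_headers(content_type)) + "\r\n\r\n" + body


def protection_space(url):
    """(scheme, host, directory prefix) under which Basic credentials are reused.

    The prefix is the path up to and including its last '/', so authenticating
    at http://host/A/Y/1 covers /A/Y/2 but not /A/X.
    """
    parts = urlsplit(url)
    path = parts.path or "/"
    return parts.scheme, parts.netloc, path[: path.rfind("/") + 1]


def would_send_credentials(authenticated_url, new_url):
    """True if a browser that authenticated at one URL would send the same
    credentials to the other without showing the password prompt again."""
    scheme, host, prefix = protection_space(authenticated_url)
    parts = urlsplit(new_url)
    same_origin = (parts.scheme, parts.netloc) == (scheme, host)
    return same_origin and (parts.path or "/").startswith(prefix)


class BasicAuthCache:
    """Minimal model of a browser's in-memory store of Basic credentials."""

    def __init__(self):
        self._entries = []  # (scheme, host, prefix, realm, Authorization value)

    def remember(self, challenged_url, realm, user, password):
        """Record what the user typed in response to a 401 at challenged_url."""
        scheme, host, prefix = protection_space(challenged_url)
        token = base64.b64encode(f"{user}:{password}".encode()).decode()
        self._entries.append((scheme, host, prefix, realm, "Basic " + token))

    def authorization_for(self, url):
        """Authorization header the browser would send preemptively, or None.

        The longest matching prefix wins, as for a browser that has
        authenticated both in a directory and in one of its subdirectories.
        """
        parts = urlsplit(url)
        path = parts.path or "/"
        best = None
        for scheme, host, prefix, _realm, value in self._entries:
            if (scheme, host) == (parts.scheme, parts.netloc) and path.startswith(prefix):
                if best is None or len(prefix) > len(best[0]):
                    best = (prefix, value)
        return None if best is None else best[1]


def remote_user(environ):
    """User name a CGI script sees once the server has checked Basic credentials.

    CGI/1.1 (RFC 3875) passes AUTH_TYPE and REMOTE_USER; the server verifies
    the password and does not normally pass it on to the script.
    """
    if environ.get("AUTH_TYPE", "").lower() != "basic":
        return None
    return environ.get("REMOTE_USER") or None


if __name__ == "__main__":
    # Walk Ben's tree: authenticate at Y, then try 1, 2 and the sibling X.
    cache = BasicAuthCache()
    cache.remember("http://www.example.invalid/A/Y/", "pins", "alice", "1234")
    for target in ("/A/Y/1", "/A/Y/2", "/A/X"):
        print(target, cache.authorization_for("http://www.example.invalid" + target))
    print(cgi_response("<form method=\"POST\">...</form>"))
```

Run as a script it prints an Authorization header for /A/Y/1 and /A/Y/2 but None for /A/X, which is the "you would have to reenter the password when you try to access X" case; `no_cache_headers` belongs at the top of whatever the CGI program writes to standard output before the form.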

